• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 361
  • Last Modified:

Bandwidth Usage Issue

Hello and Hi Rob,

I have an IP address reporting triple the usage as the mail server. I have been unable to find the "bug." I have run the network anayler, autoruns, hijackthis, I have viewed the event log, and run our symantec anti-virus corporate edition to no avail. Hmmmmm.

Any suggestions?
1 Solution
load Ethereal on the host and sniff the traffic see what is generating it and then search for a signature in google.

Best way to find it is to monitor it on the Internet gateway.

Use this traffic monitor on the mirrored port.


It will give the exact details of traffic and the IP address it is coming and going.

The traffic could be due to Mail virus installed on some client computers, which are sending mail.

You need to monitor traffic to find out what is causing it.

Most likely it is some virus on a computer in your network.

If the source host is windows, try "netstat -an" to see who and where it is connecting.  Download active ports http://www.download.com/3000-2085-10062969.html and run it on the machine to see what applications are connecting to what addresses.  As a side note, symantec may block the installation of active ports, as it is considered a snooping / security risk (http://securityresponse.symantec.com/avcenter/venc/data/securityrisk.aports.html) .
NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

I can't say I know exactly what you're looking for... is there a rogue computer on the network?  Is it being a mail server, or are you just comparing it to your mail server?  I'm assuming the info you found indicates the IP address (vs the IP Address actually telling you)?

If you're searching for a rogue system and you know it's IP... just go backwards.  From the IP, get the MAC address.  Login to the switch, fine which port that MAC sits on and follow it to the patch panel.  Follow the patch panel (labelled I hope!) to the jack, and you've found the computer.  This assumes your network is set up in a certain way... most larger company networks are set up in a similar fasion.

Otherwise, ping the IP address, and get the MAC address (via ARP, "arp -a" in DOS).  Look for that computer on the network and you've found your culprit.  This works if there aren't too many computers to search (smaller company).

Once you've found your computer you can check for viruses/etc from there.
Lyndy333Author Commented:

i would be interested in knowing if you run this program on a live network?
Lyndy333Author Commented:
I do know that there is a rogue computer on my network, policy is in the process of including "any electronic devices on company property is company property and will be confiscated..." Computer was connecting to the network via T1, from that T1 15 computers connect....not currently labeled. Your suggestion proved to be most helpful.

Thanks to all for your expert advice !!!

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now