Bandwidth Usage Issue

Hello and Hi Rob,

I have an IP address reporting triple the usage of the mail server. I have been unable to find the "bug." I have run the network analyzer, Autoruns, and HijackThis, I have viewed the event log, and I have run our Symantec AntiVirus Corporate Edition, all to no avail. Hmmmmm.

Any suggestions?
I can't say I know exactly what you're looking for... is there a rogue computer on the network?  Is it being a mail server, or are you just comparing it to your mail server?  I'm assuming the info you found indicates the IP address (vs the IP Address actually telling you)?

If you're searching for a rogue system and you know its IP... just go backwards.  From the IP, get the MAC address.  Log in to the switch, find which port that MAC sits on and follow it to the patch panel.  Follow the patch panel (labelled I hope!) to the jack, and you've found the computer.  This assumes your network is set up in a certain way... most larger company networks are set up in a similar fashion.

Otherwise, ping the IP address, and get the MAC address (via ARP, "arp -a" in DOS).  Look for that computer on the network and you've found your culprit.  This works if there aren't too many computers to search (smaller company).

Once you've found your computer you can check for viruses/etc from there.
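The IP-to-MAC-to-switch-port trace described in the answer above, as an added example that is not part of the original thread. The sample `arp -a` output and the Cisco-style MAC address table are constructed, the switch vendor format is an assumption, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: Windows "arp -a" output (addresses are made up).
ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.57          00-0c-29-ab-cd-ef     dynamic
"""

# Constructed sample: Cisco-style "show mac address-table" output (assumed vendor format).
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    001a.2b3c.4d5e    DYNAMIC     Gi0/1
   1    000c.29ab.cdef    DYNAMIC     Fa0/12
   1    0011.2233.4455    DYNAMIC     Fa0/12
"""

def norm_mac(text):
    """Reduce dash, colon or dot MAC notation to 12 lowercase hex digits, or None."""
    digits = re.sub(r"[-:.]", "", text.lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def mac_for_ip(arp_output, ip):
    """Return the normalized MAC the ARP cache holds for ip, or None if absent."""
    for line in arp_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == ip:
            return norm_mac(fields[1])
    return None

def locate(arp_output, mac_table, ip):
    """Return (mac, port, macs_on_port); port is None if the switch never learned it."""
    mac = mac_for_ip(arp_output, ip)
    ports = defaultdict(set)
    for line in mac_table.splitlines():
        fields = line.split()
        if len(fields) >= 4 and norm_mac(fields[1]):
            ports[fields[3]].add(norm_mac(fields[1]))
    port = next((p for p, macs in ports.items() if mac in macs), None) if mac else None
    return mac, port, len(ports[port]) if port else 0

if __name__ == "__main__":
    mac, port, count = locate(ARP_OUTPUT, MAC_TABLE, "192.168.1.57")
    note = " (several MACs on this port: a hub or switch is attached)" if count > 1 else ""
    print(f"192.168.1.57 -> {mac} on {port}{note}")
```

A port that has learned more than one MAC leads to another switch or hub rather than a single jack, so the same lookup has to be repeated on the downstream device.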
Load Ethereal on the host and sniff the traffic, see what is generating it, and then search for a signature in Google.

Best way to find it is to monitor it on the Internet gateway.

Use this traffic monitor on the mirrored port.

It will give the exact details of the traffic and the IP addresses it is coming from and going to.

The traffic could be due to a mail virus installed on some client computers, which are sending mail.

You need to monitor traffic to find out what is causing it.

Most likely it is some virus on a computer in your network.


If the source host is Windows, try "netstat -an" to see who and where it is connecting.  Download Active Ports and run it on the machine to see what applications are connecting to what addresses.  As a side note, Symantec may block the installation of Active Ports, as it is considered a snooping / security risk.

Lyndy333 (Author) commented:

I would be interested in knowing if you run this program on a live network?

Lyndy333 (Author) commented:

I do know that there is a rogue computer on my network; policy is in the process of including "any electronic devices on company property is company property and will be confiscated..." The computer was connecting to the network via T1; from that T1, 15 computers connect... not currently labeled. Your suggestion proved to be most helpful.

Thanks to all for your expert advice!!!
Question has a verified solution.
