Every day at approx 9.30am all our network printers spool a couple of pages containing some HTTP code

Dear Gurus,

The majority, if not of our networked printers spool out two pages each morning with the following text:-

Page 1:

HEAD / HEAD\1.0

Page 2:

GET / HTTP/1.1
Host: <printer IP address>
Connection: close

I am not certain what could be causing this.  We have a single Windows 2003 server which is our domain controller, also running Exchange, IIS (and RPC over HTTPS), file & print.

It makes sense that something running on the server is sending some HTTP request to all these printers, but I'm not sure what it could be.  As well as all the Microsoft stuff, my predecessor installed some Xerox printing software and some Dell printing software.  It is possible that one of these applications is causing the prints, however I am a bit worried about uninstalling the software in case those printers stop working.

Any advice would be really appreciated, as it's becoming a real pain in the ****.

Thanks a lot,
Toby
geoff_austinAsked:
Who is Participating?
 
andyalderCommented:
Sounds like a virus on a laptop or desktop that 'scans' the local subnet in search of webservers that it may be able to hijack when it boots and the printers end up printing a bit of the code.

Run network monitor on a PC on the same subnet and you'll probably be able to catch the similar traffic being sent to it and identify the IP address of the sender from the trace.
0
 
bsharathCommented:
See the eventlog if there is a entry of what's happening...
0
 
geoff_austinAuthor Commented:
Good idea.

Unfortunately I can't find anything that looks relevant in the event logs.
0
Network Scalability - Handle Complex Environments

Monitor your entire network from a single platform. Free 30 Day Trial Now!

 
geoff_austinAuthor Commented:
Thanks for your post Andy, sounds feasible.

Are there any network monitors you'd recommend?
0
 
andyalderCommented:
I was thinking to use netmon but I didn't realise that it only comes with server, not XP.

www.ethereal.com/ is the most popular free network monitor.
0
 
geoff_austinAuthor Commented:
Thx again for your reply Andy and sorry about the big delay in replying.

I installed Wireshark in the end:- http://www.softpedia.com/get/Network-Tools/Protocol-Analyzers-Sniffers/Ethereal.shtml
(Apparently this is the new name for Ethereal)

OK, so now I have a 250MB capture, some point during which this event occurred.  I have been trying some filters, but without knowing exactly what I'm looking for it's difficult to know what filters to apply.

I have seen lots of broadcasts with protocol SSDP saying "notify * HTTP/1.1"

This corresponds roughly with what is being printed out on all the printers.  Could these broadcasts cause printers to print?
0
 
geoff_austinAuthor Commented:
We changed the IP address range for a different reason and the problem went away.  Thanks for your help anyway.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.