Solved

Every day at approx 9.30am all our network printers spool a couple of pages containing some HTTP code

Posted on 2007-11-15
7
243 Views
Last Modified: 2010-04-21
Dear Gurus,

The majority, if not of our networked printers spool out two pages each morning with the following text:-

Page 1:

HEAD / HEAD\1.0

Page 2:

GET / HTTP/1.1
Host: <printer IP address>
Connection: close

I am not certain what could be causing this.  We have a single Windows 2003 server which is our domain controller, also running Exchange, IIS (and RPC over HTTPS), file & print.

It makes sense that something running on the server is sending some HTTP request to all these printers, but I'm not sure what it could be.  As well as all the Microsoft stuff, my predecessor installed some Xerox printing software and some Dell printing software.  It is possible that one of these applications is causing the prints, however I am a bit worried about uninstalling the software in case those printers stop working.

Any advice would be really appreciated, as it's becoming a real pain in the ****.

Thanks a lot,
Toby
0
Comment
Question by:geoff_austin
  • 4
  • 2
7 Comments
 
LVL 11

Expert Comment

by:bsharath
ID: 20288023
See the eventlog if there is a entry of what's happening...
0
 

Author Comment

by:geoff_austin
ID: 20288272
Good idea.

Unfortunately I can't find anything that looks relevant in the event logs.
0
 
LVL 55

Accepted Solution

by:
andyalder earned 250 total points
ID: 20292474
Sounds like a virus on a laptop or desktop that 'scans' the local subnet in search of webservers that it may be able to hijack when it boots and the printers end up printing a bit of the code.

Run network monitor on a PC on the same subnet and you'll probably be able to catch the similar traffic being sent to it and identify the IP address of the sender from the trace.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:geoff_austin
ID: 20297021
Thanks for your post Andy, sounds feasible.

Are there any network monitors you'd recommend?
0
 
LVL 55

Expert Comment

by:andyalder
ID: 20297193
I was thinking to use netmon but I didn't realise that it only comes with server, not XP.

www.ethereal.com/ is the most popular free network monitor.
0
 

Author Comment

by:geoff_austin
ID: 20533830
Thx again for your reply Andy and sorry about the big delay in replying.

I installed Wireshark in the end:- http://www.softpedia.com/get/Network-Tools/Protocol-Analyzers-Sniffers/Ethereal.shtml
(Apparently this is the new name for Ethereal)

OK, so now I have a 250MB capture, some point during which this event occurred.  I have been trying some filters, but without knowing exactly what I'm looking for it's difficult to know what filters to apply.

I have seen lots of broadcasts with protocol SSDP saying "notify * HTTP/1.1"

This corresponds roughly with what is being printed out on all the printers.  Could these broadcasts cause printers to print?
0
 

Author Closing Comment

by:geoff_austin
ID: 31457458
We changed the IP address range for a different reason and the problem went away.  Thanks for your help anyway.
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The 6120xp switches seem to have a bug when you create a fiber port channel when you have a UCS fabric interconnects talking to them.  If you follow the Cisco guide for the UCS, the FC Port channel will never come up and it will say that there are n…
INTRODUCTION The purpose of this document is to demonstrate the Installation and configuration, of the HP EVA 4400 SAN Storage. The name , IP and the WWN ID’s used here are not the real ones. ABOUT THE STORAGE For most of you reading this, you …
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question