• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 682
  • Last Modified:

Windows server 2003, constant network activity

I have a Windows Server 2003 Standard Edition virtual machine (on VMware) running at home.
This machine actually does very, very little: a small internal Subversion server and a few other bits and bobs internally, but in the last week or so there has been quite heavy network activity on this machine and it's starting to 1) slow our internet down, and 2) munch rapidly into the bandwidth.

I had a search on the internet for some software that could maybe bring some light to what is going on with the machine, but nothing helpful as yet.
I also tried searching through the Task Manager for about 10 mins to see if there was any remote desktop or such running, as it also has Symantec pcAnywhere installed.

Can anyone give any suggestion of some software to help find the problem?

Andrew
Asked: Andrew Doades
2 Solutions
 
John HurstBusiness Consultant (Owner)Commented:
Also available in Task Manager are both Network monitoring and Performance monitoring. Did you check these? In SBS 2003 there is a Performance tool in the Administrative Tools folder. That may also be available in Server 2003 Standard. In other words, there are built-in tools to get you started. ... Thinkpads_User
0
 
Andrew DoadesAuthor Commented:
I did look at the network monitoring bit in the Windows Task Manager but, again, this didn't tell me what is using the internet on this machine. This is what I really want to know: what and why is something using stupid amounts of internet on this machine?

Andrew
0
 
John HurstBusiness Consultant (Owner)Commented:
CommView will do precisely what you want; however, it is not free. I do have it, use it and like it. Ethereal (now Wireshark) is a free counterpart (not as robust, in my opinion), but it might get you started. DU Meter will tell you how much internet activity is going on, but not what.

Is your server doing updates? Maybe it is getting a Service Pack or some large .NET Framework update.
... Thinkpads_User
0
 
Andrew DoadesAuthor Commented:
I'm just trying Wireshark; hopefully it will show some results for me!

I checked that Windows itself wasn't doing any updates, and it wasn't, and the Windows Update service wasn't running in the Task Manager.

Andrew
0
 
CoreyMacCommented:
Go download Microsoft Network Monitor v3.x from here:

NetMon v3.2 is solid and I would start with it....
http://www.microsoft.com/downloads/details.aspx?familyid=f4db40af-1e08-4a21-a26b-ec2f4dc4190d&displaylang=en


NetMon v3.3 is very new (2009/04/21) and its stability is not yet known:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=983b941d-06cb-4658-b7f6-3088333d062f

Install it on the Windows server and it will show you which processes in the machine are transmitting/receiving network traffic.

If the machine hosting the VMware is also Windows, you can install it there as well and see if the traffic is local to the host. (Stopping the VM is an easier approach to test this, but I assume you have already tried this.)

With this, you should be able to see which processes are creating/receiving the traffic. It is possible it is a worm/virus on the 2003 VM, but it really could be about anything...

You can use these along with the Performance Monitor utility or the Networking tab of Task Manager to show the current activity and tell when it is happening...
0
 
Andrew DoadesAuthor Commented:
I am just installing and running NetMon v3.2. I tried Wireshark but couldn't easily work it or find what I really wanted or needed.

I did try to disable the network interface for about 5 mins, and while that VM had no internet connection there was almost no internet activity, so I am very confident it's the VM itself.

The host is also running Ubuntu Server, and I did check the running processes on this machine, as we have it set to download and install security updates automatically.

Andrew
0
 
CoreyMacCommented:

OK. When running the NetMon capture, on the left-hand side should be the list of processes and the traffic and ports for each. It will filter the traffic for each process as you select it and then display it on the right.
0
 
John HurstBusiness Consultant (Owner)Commented:
You didn't tell us you had two virtual machines running. Are there more? As you point out about Ubuntu, it is always checking for many updates, so that is responsible for a lot of network activity until the updates are complete. ... Thinkpads_User
0
 
Andrew DoadesAuthor Commented:
Ah, sorry thinkpads_user, I didn't mean the server has an Ubuntu virtual machine; I meant the host is running the Ubuntu Server OS.

I ran NetMon and it seemed to work quite well. There seem to be a fair few SMB connections coming into the server from one other PC in the house. I am guessing this is Samba, but this server doesn't host any Samba stuff... could this maybe be a virus or spyware that is coming into the server via Samba and then downloading stuff?

Andrew
0
 
John HurstBusiness Consultant (Owner)Commented:
That is possible, and would depend on your own activity (sites you visit). To determine that, you would have to install antivirus on your server machine. The server being Windows 2003, you can also install Windows Defender and see what it tells you.

I don't find network activity from my Windows Virtual Machines to be excessive in normal use. Ubuntu takes some time (10-15 minutes) to do its updates when I start it and then it stabilizes and there is little activity.

So scanning for malware on your server seems like a good next step. ... Thinkpads_User
0
 
CoreyMacCommented:

Anything is possible, but NetMon is only looking at the VM traffic. If this other remote machine is either the source or the target, that would not explain Internet traffic. What traffic do you see to/from IP hosts outside of your local LAN?
0
 
Andrew DoadesAuthor Commented:
Never thought of Windows Defender!
It has a Software Explorer where you can very easily browse what's going on on the system. Looking at networked applications in the Software Explorer showed a strange app running called <na>, and almost the second I closed it the network activity went dead on that machine, while still being able to use the internet.

I am now running a full system scan to see if I can find the actual source.

Thanks for all your help!

Andrew
0
 
CoreyMacCommented:

So what did you find was the cause?
0
 
Andrew DoadesAuthor Commented:
Seemed to be some form of spyware on that server that was downloading... Windows Defender soon cleaned it up.

Andrew
0
