Why and what is the desktop PC communicating with the server?

dalva

Question:

In the process of seeing what traffic is hitting a server we are planning to shut down, we are seeing some traffic which we do not understand.

The desktop PC is 10.10.130.6
The server is 10.10.120.130

The user of the desktop has no idea why his PC is communicating with the server.
Attached is a jpg of a wireshark display showing the communication between the desktop and the server.

I've tried to Google the data but can't seem to make heads or tails of it.

Can anyone give me some clues as to why and what the desktop and server are communicating?

As a side question:  Is there a better way to capture this display from wireshark into a text file?

capture1.JPG
Commented:
Without seeing the actual payload it's hard to tell; I cannot even see the TCP port.  I would just shut down the server and see what happens if this is the only user.  Very easy to boot the system back up if there's an issue.  Only affects one user.

Commented:
I agree with carlson777, the picture leaves out way too much detail.  One thing I can tell you is that it looks like you've got a DCE application (similar to Sun's RPC stuff).  Look at the first three packets: you've got SYN desktop to server to epmap (end point map, similar to Sun's portmapper), then SYN ACK and finally ACK.  There's the connection established.  Then around packet 16 looks like teardown (some packets are filtered so I can't comment on what I can't see) with the FIN / FIN ACK.
I'm guessing (as I can't see all the data) that you've got an application that's using DCE to check something's alive on the server.  Open up the task manager and kill processes one at a time until it stops.  If you kill the majority of processes (you can't kill them all without Windows crashing for obvious reasons) and it does not stop, then either the process is not always alive and just starts up every now and then, or you've got some kind of malware that's not showing up in the task manager.

Hope this helps.
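As an added illustration of the reading elf_bin gives above (example code written for this page, not code from any poster), here is a small Python script that takes a text packet summary and reconstructs the same state: the SYN / SYN-ACK / ACK from the desktop to port 135 (epmap), the protocols dissected on top of the connection, and the FIN teardown near the end. The input format is the one-line-per-packet summary that `tshark -r capture.pcap` prints, which is also the simplest answer to the side question about getting the Wireshark display into a text file (current Wireshark versions offer the same via File > Export Packet Dissections > As Plain Text). The sample lines below are constructed: the two IP addresses are the ones from the question, while the ports, frame numbers, timings and the IOXIDRes lines are made up to resemble what the screenshot describes.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of a tshark/Wireshark one-line packet summary
# (frame, time, source, destination, protocol, info).  The two hosts are the
# ones from the question; ports, frame numbers and timings are made up.
SAMPLE = """\
1 0.000000 10.10.130.6 10.10.120.130 TCP 1188 > 135 [SYN] Seq=0 Win=65535 Len=0
2 0.000410 10.10.120.130 10.10.130.6 TCP 135 > 1188 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0
3 0.000455 10.10.130.6 10.10.120.130 TCP 1188 > 135 [ACK] Seq=1 Ack=1 Win=65535 Len=0
4 0.001020 10.10.130.6 10.10.120.130 DCERPC Bind: call_id: 1
5 0.001900 10.10.120.130 10.10.130.6 DCERPC Bind_ack: call_id: 1
6 0.002300 10.10.130.6 10.10.120.130 IOXIDRes request
7 0.003100 10.10.120.130 10.10.130.6 IOXIDRes response
16 0.010200 10.10.130.6 10.10.120.130 TCP 1188 > 135 [FIN, ACK] Seq=300 Ack=250 Win=65535 Len=0
17 0.010650 10.10.120.130 10.10.130.6 TCP 135 > 1188 [FIN, ACK] Seq=250 Ack=301 Win=16384 Len=0
18 0.010700 10.10.130.6 10.10.120.130 TCP 1188 > 135 [ACK] Seq=301 Ack=251 Win=65535 Len=0
"""

# IANA names for the two ports in the sample.  A registered name says what a
# port is assigned to, not what the traffic on it actually is.
PORT_NAMES = {135: "epmap, MS-RPC endpoint mapper", 1188: "hp-webadmin"}

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
TCP_RE = re.compile(r"^(\d+) > (\d+) \[([A-Z, ]+)\]")


@dataclass
class Conversation:
    """Traffic between one host pair.  Simplification: one TCP connection per pair."""
    initiator: tuple = None          # (ip, port) that sent the first SYN
    responder: tuple = None
    handshake: list = field(default_factory=list)   # flags of the first three TCP segments
    fins: int = 0
    protocols: set = field(default_factory=set)
    frames: list = field(default_factory=list)

    @property
    def handshake_complete(self):
        return self.handshake[:3] == ["SYN", "SYN, ACK", "ACK"]

    @property
    def torn_down(self):
        # Orderly close: a FIN from each side.
        return self.fins >= 2


def parse_summary(text):
    """Group summary lines by host pair and track TCP connection state per pair."""
    convs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        frame, _time, src, dst, proto, info = m.groups()
        conv = convs.setdefault(tuple(sorted((src, dst))), Conversation())
        conv.frames.append(int(frame))
        conv.protocols.add(proto)
        if proto != "TCP":
            continue                      # dissected upper layer; no TCP flags to track
        tm = TCP_RE.match(info)
        if not tm:
            continue
        sport, dport, flags = int(tm.group(1)), int(tm.group(2)), tm.group(3)
        if flags == "SYN" and conv.initiator is None:
            conv.initiator, conv.responder = (src, sport), (dst, dport)
        if len(conv.handshake) < 3:
            conv.handshake.append(flags)
        if "FIN" in flags.split(", "):
            conv.fins += 1
    return convs


def describe(conv):
    """Turn the tracked state into the kind of notes an analyst writes next to a trace."""
    notes = []
    if conv.handshake_complete:
        ip, port = conv.responder
        notes.append(f"{conv.initiator[0]}:{conv.initiator[1]} completed a handshake to "
                     f"{ip}:{port} ({PORT_NAMES.get(port, 'unregistered port')})")
    else:
        notes.append("no complete three-way handshake in this excerpt")
    upper = sorted(conv.protocols - {"TCP"})
    if upper:
        notes.append("dissected above TCP: " + ", ".join(upper))
    notes.append("orderly FIN/FIN-ACK teardown" if conv.torn_down else "no orderly teardown seen")
    return notes


if __name__ == "__main__":
    for pair, conv in parse_summary(SAMPLE).items():
        print(" <-> ".join(pair), "frames", conv.frames)
        for note in describe(conv):
            print("  -", note)
```

Run against a real `tshark -r capture.pcap` dump of the two hosts, the same three findings (who initiated, to which port, whether the connection closed cleanly) are what you would want in the ticket before deciding the server can go.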
Commented:
On the desktop use msconfig; under Services disable all non-Microsoft services, then reboot the PC. See if the traffic stops, then start re-enabling a few services at a time and you will be able to find out which service is causing the communication.
Let me know if you need specific instructions on doing this.

Author

Commented:
Thanks for the feedback.  I'll try the suggestions.  Is there any additional data you would like to view from the wireshark capture?  I can submit additional screen captures.

Commented:
Data is often useful.  I suspect screen capturing all data would result in a lot of photos :o)
One thing that is of concern is that wireshark has decoded a protocol called IOXIDRes.  I don't know what this protocol is and can't find it on wireshark's display filter reference.  A google search didn't turn anything up either.  Is this something local?

Commented:
Oh, expert info and composite may prove useful.
Are you guys using HP ProCurve switches by any chance, or maybe HP print servers? I am looking into network latency issues for a client and Googled this IOXIDRes protocol as well, and that brought me here. When I separate the stream from the rest of the capture file, I see HP traffic that stays with the filtered traffic. I've attached a screenshot of this as well. In my screen shot the .10 address is the server, and the .203 is a PC.
Looking at the packet information, I can see the source port for this is HP-Webadmin (1188), and the server on port 135 being the destination. Here is a link with more information on that port: http://www.chebucto.ns.ca/~rakerman/port-table.html#MS-RPC
That is why I am thinking it is some kind of printer or switch management software, possibly something with the driver. Any gurus out there that can confirm this? Looking at the web page above, this could also be traffic related to AD or Exchange, or possibly the Blaster virus.

8-21-2009-9-25-35-AM.png

Commented:
Just because something is running on a particular port does not mean that the traffic is that type of traffic.  So an example to try and clear up the ambiguity: telnet usually runs on port 23, but I've brought my telnet server up on, say, port 22 (normally ssh) - clients connect to port 22 & access the telnet server.  When wireshark (or insert favorite sniffer here) sees this it'll mark the port as being that belonging to ssh - even though the traffic in reality is telnet - well, a small disclaimer, wireshark is actually very clever and *may* mark the traffic as telnet based on the contents of the packets.
This IOXID thing seems to be a DCOM process using RPC - which makes it a Windows thing.  More detail on the RPC and DCOM parts of the packet may give us more clues.  Does wireshark give any notes in expert info/composite?
Just BTW readydave, I note a window size of 0 in your trace - might explain the slow down for your client.
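The port-versus-content point above is worth seeing in bytes, so here is an added example (my code, not elf_bin's or the thread's) that does for DCE/RPC what Wireshark does when it ignores the port label: a connection-oriented DCE/RPC PDU is recognisable from its 16-byte common header (version 5, a valid packet type, a fragment length that matches the segment), and a bind PDU additionally names the interface UUID it wants, which is how the IOXIDRes decode in the screenshot comes about. The interface and transfer-syntax UUIDs are the well-known ones from the DCE RPC and DCOM specifications; the bind PDU, the port labels and the stray SSH banner are constructed test data.

```python
import struct
import uuid

# Connection-oriented DCE/RPC PDU types (OSF C706 / MS-RPCE).
PTYPES = {0: "request", 2: "response", 3: "fault", 11: "bind", 12: "bind_ack",
          13: "bind_nak", 14: "alter_context", 15: "alter_context_resp"}

# Interface UUIDs from the DCE RPC and DCOM specifications.
INTERFACES = {
    "e1af8308-5d1f-11c9-91a4-08002b14a0fa": "epmapper",
    "99fcfec4-5260-101b-bbcb-00aa0021347a": "IObjectExporter (IOXIDResolver)",
}
NDR20 = "8a885d04-1ceb-11c9-9fe8-08002b104860"   # NDR 2.0 transfer syntax
HEADER = "<BBBB4sHHI"   # vers, vers_minor, ptype, pfc_flags, drep, frag_len, auth_len, call_id


def build_bind(interface_uuid, call_id=1):
    """Construct a minimal bind PDU for one interface (sample data for the demo)."""
    ctx = struct.pack("<HBB", 0, 1, 0)                                   # context 0, 1 transfer syntax
    ctx += uuid.UUID(interface_uuid).bytes_le + struct.pack("<HH", 0, 0)  # abstract syntax v0.0
    ctx += uuid.UUID(NDR20).bytes_le + struct.pack("<I", 2)              # transfer syntax v2
    body = struct.pack("<HHIBBH", 5840, 5840, 0, 1, 0, 0) + ctx          # frag sizes, assoc group, 1 ctx
    hdr = struct.pack(HEADER, 5, 0, 11, 0x03, b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return hdr + body


def classify_payload(payload, dst_port):
    """Judge the protocol from the bytes; the port is carried along only as a label."""
    result = {"port": dst_port, "port_label": {135: "epmap", 22: "ssh"}.get(dst_port, "?")}
    if len(payload) < 16:
        return {**result, "protocol": "not DCE/RPC", "reason": "shorter than a PDU header"}
    vers, minor, ptype, _flags, drep, frag_len, _auth, call_id = struct.unpack(HEADER, payload[:16])
    if vers != 5 or minor not in (0, 1) or ptype not in PTYPES:
        return {**result, "protocol": "not DCE/RPC", "reason": "version/type bytes do not fit a CO PDU"}
    if not drep[0] & 0x10:
        return {**result, "protocol": "undetermined", "reason": "big-endian drep not handled here"}
    if frag_len != len(payload):
        return {**result, "protocol": "not DCE/RPC", "reason": "frag_length does not match segment"}
    result.update(protocol="DCE/RPC", ptype=PTYPES[ptype], call_id=call_id)
    if ptype == 11 and len(payload) >= 48:
        # bind body: 2+2+4 bytes frag sizes/assoc group, 4 bytes context count,
        # then context 0: 4 bytes of ids, 16-byte abstract syntax UUID at offset 32
        iface = str(uuid.UUID(bytes_le=payload[32:48]))
        result["interface"] = INTERFACES.get(iface, "unknown interface " + iface)
    return result


def demo():
    """Same PDU on two ports, and non-RPC bytes on 135: content decides, not the port."""
    bind = build_bind("99fcfec4-5260-101b-bbcb-00aa0021347a")
    cases = [
        (135, bind),                        # DCE/RPC on its registered port
        (22, bind),                         # identical PDU on the port a sniffer would label "ssh"
        (135, b"SSH-2.0-OpenSSH_9.6\r\n"),  # constructed non-RPC bytes arriving on 135
    ]
    return [classify_payload(p, port) for port, p in cases]


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The three cases come out as DCE/RPC bind to IOXIDResolver on 135, the same bind on 22 (still DCE/RPC, whatever the port name says), and "not DCE/RPC" for the banner on 135; a dissector that trusted the port would have got the last two wrong.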

Author

Commented:
I was never able to actually nail down what was going on.  The owner of the desktop which was contacting the server has indicated he is fine if we shut down the server.  He does not think anything worthwhile was happening between his desktop and the server.

I will be closing out this question as unsolved.  Elf_bin made a good point when he stated "Just because something is running on a particular port does not mean that the traffic is that type of traffic", but since there was no solid solution I cannot award the points.

I do not have the luxury of spending the time required to hunt down the answer.  My focus is on shutting this server down ASAP.

I would like to thank all who committed their time to my question.  It is not a good feeling to leave a question unsolved but it is the reality that we must at times accept.

I will wait a few days in case anyone wishes to comment.
Commented:
IOXIDRes is DCOM see http://wiki.wireshark.org/DCOM?highlight=(IOXIDRes) - which fits in the RPC footprint of communications we see in the packet trace.
Pity you don't have the time to complete the investigation - may have been interesting.
Oh well....

Author

Commented:
elf_bin's last post included a link which did shed some light on the question.
