High internet usage - 5GB a day unknown cause

hallnet
Hi,

I am trying to figure out why all my ISP quota is being eaten up, 5GB per day. We use no torrenting software and haven't downloaded anything (it happened on a Saturday while no one was in the office). Also, wireless was using WPA2 but is now turned off, and the router firewall is only allowing a few select ports through, like VPN and mail. Port scanners don't show unusual ports open.

The network runs an SBS 2008 server and 3 XP clients. The server is updated and the network is protected by Trend Micro Worry Free Advanced - the console has not reported any viruses, spyware or high volumes of spam.

Any ideas? Thanks

Commented:
If you know what computer the 5GB of data is going to, then run Wireshark on it. It will tell you what kind of packets are being delivered to the computer. It should give you an idea if your network is vulnerable (or is being attacked). It should run fine on the server as well. -> http://www.wireshark.org
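
An added example, not part of the original thread or any poster's code: once a capture has been taken on the suspect machine as suggested above, its rows can be totalled per remote endpoint to show which internet conversation is consuming the quota. The LAN range `192.168.16.0/24`, the sample rows and the function name `top_talkers` are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed LAN range; replace with the office subnet.
LAN = ipaddress.ip_network("192.168.16.0/24")

# Constructed sample rows (src, dst, src port, dst port, frame length), in the
# shape of a field export such as:
#   tshark -r capture.pcap -T fields -E separator=, \
#     -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e frame.len
SAMPLE = """\
192.168.16.2,203.0.113.10,49712,80,74
203.0.113.10,192.168.16.2,80,49712,1514
203.0.113.10,192.168.16.2,80,49712,1514
192.168.16.2,203.0.113.10,49712,80,66
192.168.16.21,192.168.16.2,51000,445,900
192.168.16.21,198.51.100.7,51001,443,300
198.51.100.7,192.168.16.21,443,51001,600
garbage line
"""

def top_talkers(text, lan=LAN, limit=5):
    """Return (local, remote, remote_port, bytes_down, bytes_up), busiest first."""
    totals = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # malformed row
        src, dst, sport, dport, length = parts
        try:
            src_local = ipaddress.ip_address(src) in lan
            dst_local = ipaddress.ip_address(dst) in lan
        except ValueError:
            continue  # non-IP row (e.g. ARP leaves the address fields empty)
        if src_local == dst_local:
            continue  # LAN-to-LAN traffic does not count against the ISP quota
        if dst_local:
            totals[(dst, src, sport)][0] += int(length)  # download
        else:
            totals[(src, dst, dport)][1] += int(length)  # upload
    ranked = sorted(totals.items(), key=lambda kv: sum(kv[1]), reverse=True)
    return [key + tuple(counts) for key, counts in ranked[:limit]]

if __name__ == "__main__":
    for row in top_talkers(SAMPLE):
        print("%s <-> %s:%s  down=%d up=%d" % row)
```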

Commented:
Has this happened one time, or does it happen frequently?
Was the wireless up when this happened?

You could use some kind of monitoring software that enables statistics for you. Are there any logs on the router? Is this the ISP's router?

Soulwinner, IT Manager

Commented:
http://people.ee.ethz.ch/~oetiker/webtools/mrtg/

That will give you some useful information.  

If that isn't enough, look for a compatible web filtering / reporting software such as SurfControl, SpectorPro, or EBlaster.

http://www.surfcontrol.com/
http://www.spectorsoft.com/

Author

Commented:
Thanks, will check these sites out. The wireless was enabled with WPA2 but I disabled it to be sure, but to no effect. Looks like it must be the server, as all the workstations were turned off overnight and it's still happening.... Server NIC shows a steady amount of bytes being transferred when I connect to it, but I have not been able to connect this to the issue as yet; everything looks fine... Can't be a bad NIC driver cause it's WAN traffic, so I need to try the links you guys suggested. Problem is it's the weekend, and in a last ditch effort before the weekend I disabled the VPN (thought it might be malfunctioning and causing the traffic) and now I can't get in but can watch the usage tick over. It's 3am and it's saying about 1GB has been downloaded since midnight.... *sigh*

Commented:
Thanks for the help - over the weekend I did the age old process of elimination and discovered it was the Win 2008 SBS server. Pretty sure it was WSUS, so I disabled the updates for now, but I did find a post on a forum by someone who had the same issue, and it was due to WSUS screwing up... Not completely solved yet though; I will monitor it for a few days, then reinstall WSUS.

Commented:
Cacti is brilliant software, besides Nagios and MRTG, to narrow down the problem.
Please check http://docs.cacti.net/

madunix
I was reading the other day that a WSUS server can download larger amounts of updates for your systems.

I believe there is an option to not allow unapproved updates. Unfortunately I'm not familiar with WSUS, so I can't offer further input.
