Solved

Network Packets

Posted on 2012-09-20
Last Modified: 2012-10-05
Hi guys,
I have a server on the 172 subnet that is sending excessive data. This is a test server and really nothing is happening on it as far as users or data go. It has transferred 9 GB of data today alone. The destination is a few servers in my 192 subnet that it really has no business communicating with. All of them are web servers. Looks like the traffic is going over port 445, and here is an example. Any ideas?

  Frame: Number = 26, Captured Frame Length = 1514, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[9C-8E-99-0F-F7-8A],SourceAddress:[00-06-B1-3D-E9-BA]
+ Ipv4: Src = 192.168.30.67, Dest = 172.16.30.125, Next Protocol = TCP, Packet ID = 13103, Total IP Length = 1500
- Tcp: Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=58960, PayloadLen=1460, Seq=3100955828 - 3100957288, Ack=160070534, Win=64275
    SrcPort: Microsoft-DS(445)
    DstPort: 58960
    SequenceNumber: 3100955828 (0xB8D4D4B4)
    AcknowledgementNumber: 160070534 (0x98A7B86)
  - DataOffset: 80 (0x50)
     DataOffset: (0101....) 20 bytes
     Reserved:   (....000.)
     NS:         (.......0) Nonce Sum not significant
  - Flags: ...A....
     CWR:    (0.......) CWR not significant
     ECE:    (.0......) ECN-Echo not significant
     Urgent: (..0.....) Not Urgent Data
     Ack:    (...1....) Acknowledgement field significant
     Push:   (....0...) No Push Function
     Reset:  (.....0..) No Reset
     Syn:    (......0.) Not Synchronize sequence numbers
     Fin:    (.......0) Not End of data
    Window: 64275
    Checksum: 0xEBE3, Good
    UrgentPointer: 0 (0x0)
    TCPPayload: SourcePort = 445, DestinationPort = 58960
+ SMBOverTCP: Length = 61499
+ Smb: R; Read Andx, FID = 0x40AF, 61440 bytes
Question by:dmanisit

Expert Comment

by:Bill Bach
ID: 38418996
This is an SMB Read request, which says "file transfer" to me.

Don't drill down into the TCP part of the packet, but instead drill down into the SMB packet to see what file is being accessed.

Author Comment

by:dmanisit
ID: 38419273
I found the file being accessed and it's a log file. Hmmmm, it has no business in these log files?

Expert Comment

by:Bill Bach
ID: 38419331
What is the log file?  What is in it?  I agree that there should be no need for it, but knowing what the file is might yield some answers.

Author Comment

by:dmanisit
ID: 38419356
So these web servers that this server is accessing are Electronic Health Records..... So with that said these Web servers are delivering (over Internet Explorer) healthcare info. Below is a sample of the Log files. And the path is here \\ehrweb3\c$\WINDOWS\system32\LogFiles\W3SVC1


#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2012-09-20 11:00:03
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2012-09-20 11:00:03 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:00:08 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:00:13 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:00:18 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:00:23 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:00:28 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:00:33 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:00:38 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:00:43 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:00:47 W3SVC1 EHRWEB3 192.168.30.67 POST /cmsv4/AhsVoeISAPI.dll - 80 - 192.168.30.126 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+WOW64;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+.NET4.0C;+.NET4.0E) 200 0 0 786 1210 31
2012-09-20 11:00:47 W3SVC1 EHRWEB3 192.168.30.67 POST /cmsv4/AhsVoeISAPI.dll - 80 - 192.168.30.126 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+WOW64;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+.NET4.0C;+.NET4.0E) 200 0 0 574 930 218
2012-09-20 11:00:47 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:00:53 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:00:58 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:01:03 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:01:08 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:01:13 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:01:18 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:01:23 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:01:27 W3SVC1 EHRWEB3 192.168.30.67 GET /touchworks/common/graphics/lab-normal.gif - 80 - 192.168.30.126 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+WOW64;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+.NET4.0C;+.NET4.0E) 304 0 0 213 594 203
2012-09-20 11:01:27 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:01:33 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:01:38 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:01:43 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:01:44 W3SVC1 EHRWEB3 192.168.30.67 GET /touchworks/common/graphics/lab-abnormal.gif - 80 - 192.168.30.126 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+WOW64;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+.NET4.0C;+.NET4.0E) 304 0 0 213 596 203
2012-09-20 11:01:48 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:01:53 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
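The excerpt above is IIS 6 W3C extended log format: the #Fields directive names the columns, empty values are written as "-", and spaces inside a value (the User-Agent) are encoded as "+", so each line splits cleanly on spaces. As an added example, not code from the thread, the Python below parses lines by that header and groups requests per client, which makes the steady 5-second HEAD cadence from 192.168.30.126 and the occasional POST stand out. Sample lines are copied from the post, with the User-Agent trimmed.

```python
"""Parse IIS W3C extended log lines using the #Fields header and summarise
requests per client so repetitive polling stands out.
Added example, not from the thread. Sample lines are a subset of the log
excerpt posted in the question (User-Agent trimmed to keep the line short)."""
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2012-09-20 11:00:03
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2012-09-20 11:00:03 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:00:08 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:00:13 W3SVC1 EHRWEB3 192.168.30.67 HEAD /IDXWeb.htm - 80 - 192.168.30.126 - 200 0 0 319 59 0
2012-09-20 11:00:47 W3SVC1 EHRWEB3 192.168.30.67 POST /cmsv4/AhsVoeISAPI.dll - 80 - 192.168.30.126 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2) 200 0 0 786 1210 31
"""

def parse_w3c(text):
    """Yield one dict per entry; a #Fields directive (re)defines the columns."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
        yield dict(zip(fields, values))

def summarise(text):
    """Group by (client, method, uri, status): hit count and shortest interval."""
    counts, times = Counter(), defaultdict(list)
    for e in parse_w3c(text):
        key = (e["c-ip"], e["cs-method"], e["cs-uri-stem"], e["sc-status"])
        counts[key] += 1
        times[key].append(datetime.strptime(e["date"] + " " + e["time"],
                                            "%Y-%m-%d %H:%M:%S"))
    result = {}
    for key, n in counts.items():
        ts = sorted(times[key])
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        result[key] = {"count": n, "min_gap_s": min(gaps) if gaps else None}
    return result
```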

Accepted Solution

by: Bill Bach (earned 1500 total points)
ID: 38419402
That tells us a bit more.  So, if I understand, you have a machine at IP 172.16.30.125 that is reading the web server log files from other servers, including the one at 192.168.30.67.

Your original question indicated that the machine on 172.16...was SENDING data.  Now, it looks like it is RECEIVING data, more than anything, right?

I would start up Process Monitor on that server (172.16...) and find out what process is attaching to these other servers.
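The direction point can be checked from the frame summaries themselves: in frame 26 the source port is 445 and the payload is 1460 bytes, so the web server is the one sending and 172.16.30.125 is the SMB client receiving. As an added example, not code from the thread, the Python below parses Network Monitor style Ipv4/Tcp summary lines (frames constructed in the posted format, the first two mirroring frame 26) and attributes TCP/445 payload bytes per direction for a given host.

```python
"""Attribute TCP/445 payload bytes to a direction from Network Monitor style
frame summaries, answering "is the 172 host sending or receiving?".
Added example, not code from the thread; the frames below are constructed in
the format of the capture posted in the question."""
import re

IP_RE = re.compile(r"Ipv4: Src = (\S+), Dest = (\S+),")
PORT = r"(?:[\w-]+\()?(\d+)\)?"          # "Microsoft-DS(445)" or bare "58960"
TCP_RE = re.compile(rf"Tcp: .*SrcPort={PORT}, DstPort={PORT}, PayloadLen=(\d+)")

CAPTURE = """
+ Ipv4: Src = 192.168.30.67, Dest = 172.16.30.125, Next Protocol = TCP, Packet ID = 13103, Total IP Length = 1500
- Tcp: Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=58960, PayloadLen=1460, Seq=3100955828 - 3100957288, Ack=160070534, Win=64275
+ Ipv4: Src = 192.168.30.67, Dest = 172.16.30.125, Next Protocol = TCP, Packet ID = 13104, Total IP Length = 1500
- Tcp: Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=58960, PayloadLen=1460, Seq=3100957288 - 3100958748, Ack=160070534, Win=64275
+ Ipv4: Src = 172.16.30.125, Dest = 192.168.30.67, Next Protocol = TCP, Packet ID = 4410, Total IP Length = 40
- Tcp: Flags=...A...., SrcPort=58960, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=160070534 - 160070534, Ack=3100958748, Win=65535
"""

def parse_frames(text):
    """Pair each Ipv4 summary line with the Tcp summary line that follows it.
    Returns (src_ip, dst_ip, src_port, dst_port, payload_len) tuples."""
    frames, ips = [], None
    for line in text.splitlines():
        m = IP_RE.search(line)
        if m:
            ips = (m.group(1), m.group(2))
            continue
        m = TCP_RE.search(line)
        if m and ips:
            frames.append(ips + tuple(int(g) for g in m.groups()))
            ips = None
    return frames

def smb_direction(text, host):
    """Sum payload bytes host sent/received on TCP/445 and infer its SMB role:
    the side holding port 445 is the server, the other side is the client."""
    sent = received = 0
    role = None
    for s_ip, d_ip, s_port, d_port, n in parse_frames(text):
        if 445 not in (s_port, d_port):
            continue
        if s_ip == host:
            sent += n
            role = "smb_server" if s_port == 445 else "smb_client"
        elif d_ip == host:
            received += n
            role = "smb_server" if d_port == 445 else "smb_client"
    return {"sent": sent, "received": received, "role": role}
```

Interface counters on the 172 host count both directions as "transferred", which is why the question read it as sending; splitting by direction per conversation shows which side is pulling the data.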

Author Closing Comment

by:dmanisit
ID: 38468187
Thank you