Servant-Leggie (Australia) asked:
Unknown data traffic

Hi guys,

A client has recently been experiencing a lot of internet data traffic on their network which cannot be explained. Speaking to the ISP, they seem to suggest that there may be an infection of some type on the server which was, at one particular time we tested, the only machine connected and turned on. However, we have ESET Smart Security installed and have run several in-depth scans with no results.

Is it possible that the modem is somehow being hijacked, or that the PC is running all these downloads without us knowing? Interestingly, the downloads are often all the same size - 117MB, from memory, which isn't a big deal until there are dozens of them!!
ASKER CERTIFIED SOLUTION by John (Canada): the accepted solution is only available to Experts Exchange members.

Servant-Leggie (asker):
thinkpads_user, they have ESET Smart Security which does all Malwarebytes does and more, however I'll download it and run it to rule malware out... you never know...
What kind of traffic is it? I don't think Bigpond's modems support any kind of port mirroring/spanning, so you might need to connect some workstations to a managed switch, or even a hub, to capture the traffic and see what is happening.

It may be completely innocent, just PCs all fetching an update for an application that's common to all machines. A packet capture should shed some light on what is going on.
You might try running Wireshark to see if you can determine where the traffic is coming from.

.... Thinkpads_User
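One way to turn the suggested packet capture into numbers, as an added example that is not from any of the thread's participants: it reads rows in the shape of a Wireshark "Statistics > Conversations > IPv4" CSV export (the column names, the local subnet and the sample rows are all assumptions constructed here), totals inbound bytes per LAN host, and flags hosts that repeatedly pull transfers of near-identical size, the pattern the asker described.

```python
"""Per-host summary of a packet-capture conversation export.

Added example, not the thread's own code. Input columns (assumed):
src, dst, bytes src->dst, bytes dst->src, one row per IPv4 conversation.
"""
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # assumed local subnet

# Constructed sample export: one LAN host pulling three ~117 MB transfers
SAMPLE_CSV = """src,dst,a_to_b,b_to_a
192.168.1.10,203.0.113.5,52000,117000000
192.168.1.10,203.0.113.5,51000,117100000
192.168.1.10,203.0.113.7,50500,116900000
192.168.1.20,198.51.100.9,8000,2500000
192.168.1.30,203.0.113.5,4000,300000
"""


def parse_conversations(text):
    """Yield (lan_host, remote_host, bytes_downloaded) per conversation.

    Only LAN<->Internet conversations count; the downloaded byte count is
    whichever direction flows toward the LAN side.
    """
    for row in csv.DictReader(io.StringIO(text)):
        src, dst = ip_address(row["src"]), ip_address(row["dst"])
        if src in LAN and dst not in LAN:
            yield str(src), str(dst), int(row["b_to_a"])
        elif dst in LAN and src not in LAN:
            yield str(dst), str(src), int(row["a_to_b"])


def bytes_per_host(text):
    """Total inbound bytes per LAN host, largest first."""
    totals = defaultdict(int)
    for host, _, nbytes in parse_conversations(text):
        totals[host] += nbytes
    return sorted(totals.items(), key=lambda kv: -kv[1])


def repeated_sizes(text, bucket_mb=1, min_count=3):
    """Count transfers per (host, size rounded to bucket_mb MB); keep repeats.

    Returns {(host, size_in_MB): count} for groups seen min_count+ times.
    """
    counts = defaultdict(int)
    for host, _, nbytes in parse_conversations(text):
        counts[(host, round(nbytes / (bucket_mb * 10**6)))] += 1
    return {key: n for key, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    for host, total in bytes_per_host(SAMPLE_CSV):
        print(f"{host:15} {total / 10**6:8.1f} MB inbound")
    print("repeated sizes:", repeated_sizes(SAMPLE_CSV))
```

If the per-host totals fall far short of what the ISP reports, the traffic is not crossing the LAN side of the modem at all, which is what the asker later confirmed by power-cycling the modem with the network disconnected.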
Hello Servant-Leggie

The following suggestions use Windows 7 features.

Maybe SNMP is an option, to help you identify where and when the events occur and possibly even the addresses related to it. If these addresses are the same, you may then block them using Windows Firewall or whatever security package you plan to use.

How to turn SNMP on in W7 - read phrasants link on how to do!

How SNMP works

Once on, you can manually locate and access the logs, or get an application to do it for you: snmp-data-logger

How to Block Ports in Windows Firewall (assuming ESET has not turned it off)

This tool is great for internal LAN monitoring, especially if you have bandwidth limitations and you need to find who is doing the downloading etc.
Thanks guys for all your help. After trying Wireshark (but not really knowing what I was looking at), we tried to simply isolate parts of the network, disconnecting the network from the modem and recording when it was done. When we did this, I also power cycled the modem as this caused it to create a new session back at the ISP which then meant we could more accurately determine when traffic was being seen. As hoped, significant traffic was seen after the modem was power cycled and the network disconnected (at the same time), indicating that nothing on the network was responsible for the traffic, but it was the modem (or something else on their end).

The client has been trying to convey this to the ISP, but if ISPs in the USA are anything like those here in OZ, you'll know that you can spend many hours getting almost nowhere while talking to level 1 techs who don't have a clue what you're on about, but don't seem to want to escalate to a tech who understands the problem. C'mon ISPs, how hard can it be?!

Thanks for all your assistance, as well as putting up with my very tardy reply!
XGIS, your suggestion sounds awesome, but we had reached a conclusion around the time of your post. I'll be sure to try this out if the problem occurs again elsewhere.

thinkpads_user, MBAM didn't find anything, but we did work out what the issue was with a lot of similarly sized files being downloaded. It turns out that, with this particular ISP (Telstra), they show a download in chunked file sizes. So, if you were downloading a 5GB file and they chunked at 1GB, for example, it would show 5 almost equally sized files, one after the other. Perhaps there's method to the madness, but I don't know why they'd do this.
Of all suggestions, this was the one which pushed us most towards the troubleshooting method used, and subsequent solution found.
@Servant-Leggie - Thanks for a very good update, and I was happy to help you with this.

.... Thinkpads_User