

Unknown data traffic

Posted on 2013-12-10
Medium Priority
Last Modified: 2013-12-19
Hi guys,

A client has recently been experiencing a lot of internet data traffic on their network which cannot be explained. Speaking to the ISP, they seem to suggest that there may be an infection of some type on the server which was, at one particular time we tested, the only machine connected and turned on. However, we have ESET Smart Security installed and have run several in-depth scans with no results.

Is it possible that the modem is somehow being hijacked, or that the PC is running all these downloads without us knowing? Interestingly, the downloads are often all the same size - 117MB, from memory, which isn't a big deal until there are dozens of them!!
Question by:Servant-Leggie
LVL 98

Accepted Solution

John Hurst earned 2000 total points
ID: 39710138
It seems most unlikely you would have multiple downloads all the same size. That does not happen on my own Windows 7 machines or my clients.

So I think your client has a virus. Get Malwarebytes, download the free scanner and scan with it to see if it picks up the virus.

Please let us know after you have scanned.

... Thinkpads_User

Author Comment

ID: 39710168
thinkpads_user, they have ESET Smart Security which does all Malwarebytes does and more, however I'll download it and run it to rule malware out... you never know...

Expert Comment

ID: 39710175
What kind of traffic is it? I don't think Bigpond's modems support any kind of port mirroring/spanning so you might need to connect some workstations to a managed switch, or even a hub, to capture the traffic and see what is happening.

It may be completely innocent, just PCs all fetching an update for an application that's common to all machines. A packet capture should shed some light on what is going on.

LVL 98

Expert Comment

by:John Hurst
ID: 39710188
You might try running Wireshark to see if you can determine where the traffic is coming from.

.... Thinkpads_User
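As an added example (not part of the original thread), this is one way to turn a capture into a per-host byte total so the heaviest LAN-to-internet conversation stands out. It assumes a classic `.pcap` file with Ethernet framing; the `192.168.1.0/24` subnet, the function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # assumed local subnet for this example

def build_sample_pcap():
    """Constructed capture: three IPv4 frames in classic pcap format."""
    def frame(src, dst, payload_len):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                         ip_address(src).packed, ip_address(dst).packed)
        eth = b"\x00" * 12 + b"\x08\x00"  # dummy MACs, EtherType IPv4
        return eth + ip + b"\x00" * payload_len
    frames = [frame("203.0.113.10", "192.168.1.5", 1400),
              frame("203.0.113.10", "192.168.1.5", 1400),
              frame("192.168.1.7", "198.51.100.20", 100)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def bytes_per_lan_host(pcap):
    """Return Counter {(lan_host, remote_host): ip_bytes} for IPv4 frames."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack_from(endian + "I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only the Ethernet link type is handled")
    totals, off = Counter(), 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from(endian + "IIII", pcap, off)
        pkt = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue  # skip truncated or non-IPv4 frames
        total_len = struct.unpack_from("!H", pkt, 16)[0]  # IPv4 total length
        src, dst = ip_address(pkt[26:30]), ip_address(pkt[30:34])
        if src in LAN and dst not in LAN:
            totals[(str(src), str(dst))] += total_len
        elif dst in LAN and src not in LAN:
            totals[(str(dst), str(src))] += total_len
    return totals

if __name__ == "__main__":
    for (host, remote), n in bytes_per_lan_host(build_sample_pcap()).most_common():
        print(f"{host:15} <-> {remote:15} {n} bytes")
```

Wireshark saves pcapng by default, so a real capture needs to be saved in the classic pcap format before it is fed to this parser. If no LAN host accounts for the volume the ISP reports, the traffic is not originating behind the capture point.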

Expert Comment

ID: 39710243
Hello Servant-Leggie

The following suggestions use Windows 7 features.

Maybe SNMP is an option, to help you identify where and when the events occur and possibly even the address related to it. If these addresses are the same you may then block them using Windows Firewall or whatever security package you plan to use.

How to turn SNMP on in W7: read phrasants link on how to do!

How SNMP works

Once on, you can manually locate and access the logs, or get an application to do it for you: snmp-data-logger

How to Block Ports in Windows Firewall, assuming ESET has not turned it off

This tool is great for internal LAN monitoring, especially if you have bandwidth limitations and you need to find who is doing the downloading etc.

Author Comment

ID: 39730672
Thanks guys for all your help. After trying Wireshark (but not really knowing what I was looking at), we tried to simply isolate parts of the network, disconnecting the network from the modem and recording when it was done. When we did this, I also power cycled the modem as this caused it to create a new session back at the ISP which then meant we could more accurately determine when traffic was being seen. As hoped, significant traffic was seen after the modem was power cycled and the network disconnected (at the same time), indicating that nothing on the network was responsible for the traffic, but it was the modem (or something else on their end).

The client has been trying to convey this to the ISP, but if ISPs in the USA are anything like those here in OZ, you'll know that you can spend many hours getting almost nowhere while talking to level 1 techs who don't have a clue what you're on about, but don't seem to want to escalate to a tech who understands the problem. C'mon ISPs, how hard can it be?!

Thanks for all your assistance, as well as putting up with my very tardy reply!

Author Comment

ID: 39730689
XGIS, your suggestion sounds awesome, but we had reached a conclusion around the time of your post. I'll be sure to try this out if the problem occurs again elsewhere.

thinkpads_user, MBAM didn't find anything, but we did work out what the issue was with a lot of similarly sized files being downloaded. It turns out that, with this particular ISP (Telstra), they show a download in chunked file sizes. So, if you were downloading a 5GB file and they chunked at 1GB, for example, it would show 5 almost equally sized files, one after the other. Perhaps there's method to the madness, but I don't know why they'd do this.

Author Closing Comment

ID: 39730692
Of all suggestions, this was the one which pushed us most towards the troubleshooting method used, and subsequent solution found.
LVL 98

Expert Comment

by:John Hurst
ID: 39730699
@Servant-Leggie - Thanks for a very good update, and I was happy to help you with this.

.... Thinkpads_User

Question has a verified solution.
