?
Solved

high bandwidth between two machines on WAN

Posted on 2014-10-17
15
Medium Priority
?
216 Views
Last Modified: 2014-10-18
I have two machines on separate subnets (site to site WAN) that have a constant high send from one to receive at the other bandwidth usage. One is a server that is steadily sending at 3Mb and the workstation on the remote/other side of the wan is receiving.  No disk usage. No high CPU. I've run sysinternals ProcMon shows both machines normal, or rather, nothing is standing out.  Just finished full scan of both machines. Other than a couple of deleted cookie's both machines are clean.  I'm at a loss as to see "what" is being sent, if anything. No data is changing on the receiving (disk usage is not going up) end and the stream is steady sending from one side and steady receiving on the other.
I'm not sure where to post this question so if I need to repost, please tell me where it should go.
I'm open to all thoughts/suggestions.
0
Comment
Question by:davebird
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 6
15 Comments
 
LVL 97

Expert Comment

by:Experienced Member
ID: 40387799
Use WIreshark or CommView (Tamosoft) on the one of the machines and see what packets and ports are being used. It should tell the other IP address and what ports are in used. CommView can display the packets or information about them.
0
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40387833
As John said, use a network protocol analyzer to see what is going on.  Also ensure that there no drives mapped and if there are, ensure indexing service is not trying to index mapped drives.
0
 

Author Comment

by:davebird
ID: 40387862
I was collecting with Capsa demo and  I have port mirroring on to the NIC I'm collecting from. It found the two IP's and showed port 445 as the culprit.  Commview did not show remote IP, just local.  However, on the collection machine that Commview is running on, steady and constant traffic is reporting from the Sending server to the Commview machine on port 445.  Maybe a virus or exploit on that machine, but scanner didn't find it.
I changed the IP on the remote machine for giggles.  Traffic stopped for about 4 or 5 minutes and then it started sending again the new IP on the remote.  
Am I not following your instructions properly or something deeper I can look at?
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 

Author Comment

by:davebird
ID: 40387865
no Mapped drives or portable drives attached.  Still high send/receive.
0
 
LVL 97

Expert Comment

by:Experienced Member
ID: 40387867
Port 445 is Microsoft-DS Active Directory, Windows shares. So it is probably just chatting activity between systems. Possibly a database on one end and a client on the other. It may be nothing to be concerned about.

Check what applications are on the machines.
0
 

Author Comment

by:davebird
ID: 40387872
I looked up MS-DS and agree but what application(s) would I be looking for? Process monitor is not helping. Nothing appears "out" of line.  transmission is too steady and never ends.  I can't imagine any application needing to chat at 3Mbps constantly.
0
 

Author Comment

by:davebird
ID: 40387873
Should my focus be on the sending or receiving machine?
0
 
LVL 97

Expert Comment

by:Experienced Member
ID: 40387874
QuickBooks could cause this kind of traffic. Any client - server database.
0
 
LVL 97

Expert Comment

by:Experienced Member
ID: 40387875
You might put a packet sniffer in each machine and see if you can determine traffic patterns.
0
 

Author Comment

by:davebird
ID: 40387876
I'll put commview on both machines and take a looksey.
0
 

Author Comment

by:davebird
ID: 40387887
Same information. microsoft-ds screaming "something" at the receiving machine.  Zooming in just shows SMB host to destination.
0
 
LVL 97

Accepted Solution

by:
Experienced Member earned 2000 total points
ID: 40387893
I don't know your applications but it sure looks like one is talking to the other.

Is one machine having difficulty getting Windows Updates or Anti Virus updates? Your server could be sending these out.
0
 

Author Comment

by:davebird
ID: 40387900
Sir, you must be correct.  When I log out of the machine, traffic is normal. Login and 15 - 45 seconds later, heavy traffic.  I'll low tech it, and go one application at a time. Thank you. I will let you know what I find.
0
 

Author Closing Comment

by:davebird
ID: 40387928
Offline files service is/was the culprit.  You were spot on sir!  Thank you.  I'll figure out why/what is causing the service to run amuck.
0
 
LVL 97

Expert Comment

by:Experienced Member
ID: 40388621
@davebird  - Thank you for the update. I was happy to help and I am glad you found the culprit.
0

Featured Post

Limited time offer using promo code EXPERTS30

Designed with a wealth of functionality and convenience, ATEN's new Thunderbolt™ 2 Sharing Switch takes your Thunderbolt setup to the next level. Now through September 15, 2017, Experts Exchange members get 30% off the US7220 on the ATEN USA eShop using promo code EXPERTS30.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question