Solved

high bandwidth between two machines on WAN

Posted on 2014-10-17
15
206 Views
Last Modified: 2014-10-18
I have two machines on separate subnets (site to site WAN) that have a constant high send from one to receive at the other bandwidth usage. One is a server that is steadily sending at 3Mb and the workstation on the remote/other side of the wan is receiving.  No disk usage. No high CPU. I've run sysinternals ProcMon shows both machines normal, or rather, nothing is standing out.  Just finished full scan of both machines. Other than a couple of deleted cookie's both machines are clean.  I'm at a loss as to see "what" is being sent, if anything. No data is changing on the receiving (disk usage is not going up) end and the stream is steady sending from one side and steady receiving on the other.
I'm not sure where to post this question so if I need to repost, please tell me where it should go.
I'm open to all thoughts/suggestions.
0
Comment
Question by:davebird
  • 8
  • 6
15 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 40387799
Use WIreshark or CommView (Tamosoft) on the one of the machines and see what packets and ports are being used. It should tell the other IP address and what ports are in used. CommView can display the packets or information about them.
0
 
LVL 24

Expert Comment

by:Mohammed Khawaja
ID: 40387833
As John said, use a network protocol analyzer to see what is going on.  Also ensure that there no drives mapped and if there are, ensure indexing service is not trying to index mapped drives.
0
 

Author Comment

by:davebird
ID: 40387862
I was collecting with Capsa demo and  I have port mirroring on to the NIC I'm collecting from. It found the two IP's and showed port 445 as the culprit.  Commview did not show remote IP, just local.  However, on the collection machine that Commview is running on, steady and constant traffic is reporting from the Sending server to the Commview machine on port 445.  Maybe a virus or exploit on that machine, but scanner didn't find it.
I changed the IP on the remote machine for giggles.  Traffic stopped for about 4 or 5 minutes and then it started sending again the new IP on the remote.  
Am I not following your instructions properly or something deeper I can look at?
0
 

Author Comment

by:davebird
ID: 40387865
no Mapped drives or portable drives attached.  Still high send/receive.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40387867
Port 445 is Microsoft-DS Active Directory, Windows shares. So it is probably just chatting activity between systems. Possibly a database on one end and a client on the other. It may be nothing to be concerned about.

Check what applications are on the machines.
0
 

Author Comment

by:davebird
ID: 40387872
I looked up MS-DS and agree but what application(s) would I be looking for? Process monitor is not helping. Nothing appears "out" of line.  transmission is too steady and never ends.  I can't imagine any application needing to chat at 3Mbps constantly.
0
 

Author Comment

by:davebird
ID: 40387873
Should my focus be on the sending or receiving machine?
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 90

Expert Comment

by:John Hurst
ID: 40387874
QuickBooks could cause this kind of traffic. Any client - server database.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40387875
You might put a packet sniffer in each machine and see if you can determine traffic patterns.
0
 

Author Comment

by:davebird
ID: 40387876
I'll put commview on both machines and take a looksey.
0
 

Author Comment

by:davebird
ID: 40387887
Same information. microsoft-ds screaming "something" at the receiving machine.  Zooming in just shows SMB host to destination.
0
 
LVL 90

Accepted Solution

by:
John Hurst earned 500 total points
ID: 40387893
I don't know your applications but it sure looks like one is talking to the other.

Is one machine having difficulty getting Windows Updates or Anti Virus updates? Your server could be sending these out.
0
 

Author Comment

by:davebird
ID: 40387900
Sir, you must be correct.  When I log out of the machine, traffic is normal. Login and 15 - 45 seconds later, heavy traffic.  I'll low tech it, and go one application at a time. Thank you. I will let you know what I find.
0
 

Author Closing Comment

by:davebird
ID: 40387928
Offline files service is/was the culprit.  You were spot on sir!  Thank you.  I'll figure out why/what is causing the service to run amuck.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40388621
@davebird  - Thank you for the update. I was happy to help and I am glad you found the culprit.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now