PC using port 445 uses most bandwidth on WAN

Our company has 7 sites. Each site has it's own AD server.  Each AD server replicates with our data center.  I have a PC that when it logs on it goes to another site and accesses info on it's AD server. It uses source port 445 and destination port of 63102.    We have McAfee and I've scanned it looking for virus' (nothing there).  This PC doesn't come on that often but when it does it hammers our WAN for about 10-15 minutes then it settles down.  The source site has a T1 while the remote site has 10MB connection. Any idea of what it is trying to do?
Daves166Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
"Source port 445" is suspicious, because this needs to be the destination port. So it looks like the remote site gets CIFS (file system) info from that machine.
RantCanSr. Systems AdministratorCommented:
Download wireshark and mirror that port. You need to capture the packets as they are flooding your connection. How are you routing from the remote site? You may be able to configure your router to capture the traffic for you. 445 is a legit windows port for SMB, but if you do not expect the traffic, the machine in question may be already owned. Do a rootkit scan with not McAfee and see what you come up with.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Daves166Author Commented:
Qlemo,
In my software it says Source port. But that may actually be the destination because of the circuit I was looking at.  I'll have to look at what CIFS info it is looking for on the far server
Daves166Author Commented:
RantCan,
I'll have to get wireshark and look at the traffic.  I haven't used it very much so I'll try and muddle through the program.  We ran a rootkit and every other program McAfee had for us.  They all came back clean.
RantCanSr. Systems AdministratorCommented:
Roger that. You might try a different A/V just to be sure.

https://wiki.wireshark.org/
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.