rpm asked:

How can I find which PC is sending a lot of data to the Internet?

I have a network with a DrayTek router connecting it to the Internet.

My ISP tells me that I am sending up to 600Mb / hour up to the Internet at times. I do not use cloud backup or storage. I am concerned that one of my PCs may have been compromised, causing this.

I have installed SmartMonitor from DrayTek, and set the router up to do port mirroring as per their instructions, mirroring all LAN ports and the WAN side too.

Looking at the SmartMonitor report, I can only see reports on downloaded data, so this isn't helping me to diagnose the large amount of uploads.

Can anyone suggest a better way to monitor this?

Thanks,

Richard
Joseph Hornsey

Hey, Richard.

You can download Wireshark and basically do the same thing you did with SmartMonitor (I'm not familiar with this tool) but look for source IP addresses for the downloads.

Also, if you have an internal mail server, double-check that there's not an open relay and that the server isn't being used as a spam cannon.

That's 10Mbpm or 167Mbps. What's the big deal? Even if you meant Bytes (B) instead of bits (b), that would still only be around 1700Mbps which is hardly notable. Perhaps clarification is in order?
rpm (ASKER)

In reply to Fred, I should have added to my original post that these levels of upload are going on throughout the night when nobody is in (all computers are left on). I can understand that Windows updates etc. might well go on overnight, explaining levels of download, but I wouldn't have thought that 600 Mb per hour should be uploaded when nobody is using their PC. Do you agree?

Richard
rpm (ASKER)

Does anyone have any experience of using Wireshark to do this, or know of a how-to guide?

On Windows 10 computers you can limit the upload ability for Windows updates, in case that is your problem. How many computers with Windows 10 are on the network?

If you have a capable (SNMP) switch you can install Spiceworks Network Monitor and see which computer(s) are uploading all of the data. You could even monitor directly from each PC, but the switch is the quickest and will probably give you the info you need.
Wireshark is a great tool, but not what you need. At least not yet.
rpm (ASKER)

Thanks for your comments, Jason. Surely Windows updates don't involve much upload, mainly download. I can't see the 100s of Mb per hour of uploads being down to Windows Update, or am I mistaken?

I would look for installations of things like Carbonite that can be set to do their work during off hours.
Still, the levels are pretty low - almost not worth a remark.   What *is* the specified upload SPEED that you are quoted by the ISP?
If you feel the need to use Wireshark then here are a couple of ways:

If you have a managed switch with SNMP then that could make things easier to visualize.
Point the SNMP to a selected workstation - I always use the IP address.
Install PRTG (the free version) on the workstation and let it find the switch.
I usually add SNMP Traffic but Auto Discovery should work as well.


Then you can see the traffic on all the switch ports and pick the one with the traffic you're seeing.
IF each port is dedicated to a computer then you'll see which computer is involved.
Then maybe no Wireshark at all.

Otherwise, with Wireshark, insert a HUB (not a switch) in-line with a main connection (such as the gateway connection).  A 100Mbps hub may slow things down during the day but shouldn't affect the night time traffic.
Then you plug a workstation or laptop with Wireshark installed into the hub and monitor the traffic.
There are a number of good tutorials on Wireshark on the web.  But, the menus give a pretty good way to see things like this.  You can see which IP addresses have the most traffic.

BTW: You didn't address the relative speed or the advertised speed questions yet, did you?

Windows 10 uses a different approach to updates.  It is P2P technology driven and yes it actually uploads to others on the internet.
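
An added example, not part of any post in this thread: one way to turn a Wireshark capture into the per-PC upload totals the question asks for. It reads rows exported with `tshark -r capture.pcapng -T fields -e ip.src -e ip.dst -e frame.len` (tshark ships with Wireshark; the capture file name is hypothetical). It assumes the LAN is 192.168.1.0/24 and that the capture was taken on the LAN side of the router, since on the WAN side NAT makes every packet appear to come from the router.

```python
import ipaddress
from collections import Counter

# Assumption: the LAN behind the router is 192.168.1.0/24; change to match.
LAN = ipaddress.ip_network("192.168.1.0/24")
BROADCAST = ipaddress.ip_address("255.255.255.255")

def upload_bytes_by_host(lines, lan=LAN):
    """Return [(lan_ip, bytes_sent_off_lan), ...], biggest uploader first."""
    totals = Counter()
    for line in lines:
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) != 3 or not all(fields):
            continue  # ARP, IPv6 and other non-IPv4 frames have empty columns
        try:
            # An ICMP error quotes the packet that caused it, so tshark prints
            # "outer,inner"; the first value is this packet's own IP header.
            src = ipaddress.ip_address(fields[0].split(",")[0])
            dst = ipaddress.ip_address(fields[1].split(",")[0])
            size = int(fields[2])
        except ValueError:
            continue  # malformed line
        # Upload = a LAN host sending to an address outside the LAN.
        # Multicast and broadcast stay on the LAN, so they are not uploads.
        if src in lan and dst not in lan and not dst.is_multicast and dst != BROADCAST:
            totals[str(src)] += size
    return totals.most_common()

# Constructed sample rows (ip.src, ip.dst, frame.len), not from a real capture.
SAMPLE = [
    "192.168.1.10\t203.0.113.5\t1514",
    "203.0.113.5\t192.168.1.10\t66",        # download, ignored
    "192.168.1.10\t203.0.113.5\t1514",
    "192.168.1.20\t198.51.100.7\t590",
    "192.168.1.20\t192.168.1.10\t1514",     # LAN to LAN, ignored
    "\t\t60",                               # ARP frame, no IPv4 fields
    "192.168.1.20\t224.0.0.251\t87",        # mDNS multicast, ignored
    "192.168.1.20,198.51.100.7\t198.51.100.7,192.168.1.20\t98",  # ICMP error
]

if __name__ == "__main__":
    for host, sent in upload_bytes_by_host(SAMPLE):
        print(f"{host}\t{sent} bytes uploaded")
```

Leaving the capture running overnight and comparing the top address against the router's DHCP table identifies the PC to examine.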