February 14, 2005 at 1:11 pm #2174810
Finding a Problem Computer
Locked · by snsavage · about 19 years, 1 month ago
The organization that I work for has been experiencing Internet problems over the past few months. Throughout the day the Internet slows to a crawl and is unusable. The problem is very periodic however. Our ISP stated that a computer on the network is sending out a large number of small packets that is overwhelming our upload bandwidth. We are worried that one of the computers has been taken over and is sending out spam. There are about 30 people in the office which makes finding the problem difficult. How should we go about finding where the packets are being sent from? Thanks.
All Comments
February 15, 2005 at 5:28 am #3348649
Reply To: Finding a Problem Computer
by bfilmfan · about 19 years, 1 month ago
In reply to Finding a Problem Computer
Download and scan all the systems with virus checkers and anti-spyware.
Microsoft’s Anti-Spyware is free and available here:
http://www.microsoft.com/athome/security/spyware/software/default.mspx
-
February 15, 2005 at 8:17 am #3348561
Reply To: Finding a Problem Computer
by cg it · about 19 years, 1 month ago
In reply to Finding a Problem Computer
snort
you can analyze traffic on the LAN side at the uplink and find out which MAC address is sending out the packets
-
February 20, 2005 at 9:41 am #3347631
Reply To: Finding a Problem Computer
by sgt_shultz · about 19 years, 1 month ago
In reply to Finding a Problem Computer
wonder what exactly internet connection you have, pipe-wise. everybody plugging into switch which is plugged into dsl router-? you say your isp can tell you that you got bunches of small packets but can’t tell you what they are (like dns requests) or where they come from? lazy or too busy. i would call around, tell my tale of woe without rancor, ask for presales tech support, see if i could find a more helpful isp partner for my company. or politely ask for router support group at your dsl vendor (phone company), tell tale of woe with hope of getting pointed in right direction or any crumb of help they would throw to you. like hold hand while figure out snort. those guys first rate wonderful resource usually free.
wonder what is the general state of your windows critical updates, your anti-virus your firewall(s) if any and your mal-ware scan-remove/block procedures. wonder why your isp didn’t mention any of this to you?
you say is very periodic. please define how periodic. are you logging it: date, time whatever else you can catch? this could be big clue if you are like me and don’t crave getting down to packet level…
did this used to work fine. what has changed. you might have big list. windows updates, new computers, os updates…yes, as bfilm says. spam or virus or automatic updates for aim, realplayer, msn msngr, windows, you name it. be hopeful you find plenty of malware and no viruii.
see what capabilities you have for logging and/or firewalling in your router.
the clues sound to me like: large number of small packets and periodic. this must be exam question, eh?
-
February 25, 2005 at 2:18 pm #3334799
Reply To: Finding a Problem Computer
by craig herberg · about 19 years, 1 month ago
In reply to Finding a Problem Computer
To find the problem computer is actually the easy part: Next time your network slows to a crawl, unplug your computers from the network, one at a time, until the problem goes away. The last one disconnected SHOULD be your problem computer. If the problem does not go away until ALL computers are disconnected, start reconnecting your computers in the same order you disconnected them (i.e., first disconnected is first reconnected, etc.) If the problem starts back up BEFORE they are ALL reconnected, you have either discovered problem computer #2 or a problem ISP.
You REALLY need to make sure that every computer is protected by current antivirus software, with definitions no more than a week old, personal firewall, such as Zonealarm Pro, and anti-spyware software, such as Webroot Spysweeper, with definitions updated at least weekly, and all the up-to-date Windows and Office security patches. A full virus and spyware scan must be done on each computer at least once a week.
Bandwidth may not be the only thing your company is losing.
Good luck.
Craig Herberg
-
March 2, 2005 at 10:40 am #3330199
Reply To: Finding a Problem Computer
by lmayeda · about 19 years, 1 month ago
In reply to Finding a Problem Computer
All of the answers above are good but in a work environment, it is difficult to get everyone to shut down at the same time and you may want to be less intrusive. If you have a managed switch, you should be able to monitor the individual ports and visually detect which port is the source of most of the traffic. If you don’t, you could watch the lights on the primary switch and see which ports seem to have major traffic. Understandably the port with the router and server(s) would be expected to have heavy traffic. Other ports may connect to secondary hubs/switches. By watching the lights you could at least narrow the field down to the more likely culprits. At this point you could disconnect a couple of PCs and see if traffic goes back to normal. Outside of spyware/viruses, heavy traffic can be caused by a defective network card or cable. In our case, I needed to reseat the network card in one PC and the problem disappeared. Note: Our ISP allows us to print graphs of our daily, weekly and monthly DSL usage. This often points out problems. A couple of times there was high traffic 24 hours a day even when the office literally shuts down at night and for the weekend. Other times, I’ve seen heavy traffic at 1:00am. Hope you find your problem.
-
March 15, 2005 at 10:40 am #3351984
Reply To: Finding a Problem Computer
by exnn · about 19 years ago
In reply to Finding a Problem Computer
Some routers will allow you to monitor NAT statistics, so you can look up the computer that generates all that traffic at a specific time. We had that problem and it was a virus on a computer; I was able to find which one this way.
Good luck
-
April 28, 2005 at 11:17 am #3262215
Reply To: Finding a Problem Computer
by suramya · about 18 years, 11 months ago
In reply to Finding a Problem Computer
We had the same problem with our net connection a couple of months ago and it turned out that our bind server was sending out huge amounts of data to every DNS server out there.
The best way to figure out which machine is causing problems is to install something like Etherape (http://etherape.sourceforge.net/) on your server and use it to monitor the traffic. Etherape shows each connection to the net as a unique line with its thickness showing how much data is being transferred and the color of the line tells you what kind of data it is.
You could also try using iftop (http://www.ex-parrot.com/~pdw/iftop/) which is a command line tool that displays bandwidth usage by hosts.
Hope this helps.
– Suramya
-
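The per-MAC tally at the uplink that cg it's reply describes, and the per-host view suramya's reply gets from iftop, as an added example (not code from any poster in this thread): it reads a classic libpcap capture taken on the LAN side of the router and ranks source MACs by small frames leaving the LAN. The 192.168.1.0/24 subnet, the 128-byte cutoff, the function names and the sample capture are assumptions constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: the office LAN subnet
SMALL = 128  # assumption: frames shorter than this count as "small"

def talkers(pcap, lan=LAN, small=SMALL):
    """Rank source MACs by small LAN->Internet IPv4 frames: [(mac, small, total)]."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    small_n, total_n = Counter(), Counter()
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl, orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated, VLAN-tagged or not IPv4: ignored here
        src = ipaddress.ip_address(frame[26:30])
        dst = ipaddress.ip_address(frame[30:34])
        if src not in lan or dst in lan:
            continue  # keep only traffic leaving the LAN
        mac = frame[6:12].hex(":")
        total_n[mac] += 1
        small_n[mac] += orig < small  # orig = on-the-wire length
    return sorted(((m, small_n[m], total_n[m]) for m in total_n),
                  key=lambda r: (-r[1], -r[2]))

def _frame(src_mac, src_ip, dst_ip, size):
    """Constructed Ethernet+IPv4 frame padded to size bytes (addresses only)."""
    eth = bytes.fromhex("02000000fffe" + src_mac) + b"\x08\x00"
    ip = b"\x45" + bytes(11)
    ip += ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
    return (eth + ip).ljust(size, b"\x00")

def sample_pcap():
    """Constructed capture: one host bulk-uploading, one spraying 74-byte frames."""
    frames = [_frame("020000000011", "192.168.1.11", "203.0.113.9", 1400)] * 3
    frames += [_frame("020000000017", "192.168.1.17", "198.51.100.%d" % i, 74)
               for i in range(1, 41)]
    frames += [_frame("020000000011", "192.168.1.11", "192.168.1.5", 60)] * 5
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f
                          for f in frames)

if __name__ == "__main__":
    for mac, small_frames, total in talkers(sample_pcap()):
        print(f"{mac}  small={small_frames}  total={total}")
```

The MAC at the top of the ranking can then be matched to a switch port or DHCP lease to locate the physical machine.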