Quickly solve PC problems with TechRepublic’s Quick Reference: PC Troubleshooting Pak. The set of four durable laminated charts keeps proven solutions for troubleshooting PC hardware, networking, Windows desktop, and security issues at your fingertips.

Imagine that one afternoon you start getting phone calls
from users complaining of extremely slow network response time. You aren’t
doing anything out of the ordinary that might cause things to run slowly, so
you decide to get out the protocol analyzer and investigate the problem. When
you do, you discover a flood of packets coming from one specific PC. The
question now is, why?

On one hand, there are lots of different hardware problems
that can cause a slowdown. I’ve seen malfunctioning network cards just spew out an
endless stream of junk packets. I’ve also seen PCs connected to faulty network
cables that generate excessive retry packets. On the other hand, the user of
the PC in question might be doing something disruptive or may have even picked
up some sort of Trojan that’s designed to flood the network with traffic. So
how do you tell the difference?

One way is to pick up the phone and ask the user what he or
she is doing right now. There’s a slim chance that the user will say something
like, “I’m e-mailing a 50-MB video file to 500 friends.” More than
likely, though, the user won’t tell you anything useful. Even so, I still recommend
making the phone call because, if the user is doing something disruptive, he or
she might stop after you hang up the phone—for fear of being caught. This saves
you from having to investigate the problem.

For this article, let’s assume that the user tells you that
nothing unusual is going on, and that the strange behavior doesn’t go away
after you hang up the phone. How do you figure out what’s really happening?

Check for loose connections

If you happen to be in close proximity to the machine in
question, I recommend making a quick trip to check its network cable. Try
pushing the RJ-45 connector onto the network cable more tightly,
and see if there is play in the connector. When you think of a loose RJ-45
connector, it’s easy to think of a connection that doesn’t work at all.
However, I’ve seen countless examples of a loose connector making partial
contact with the cable, causing the machine to flood the network with retries.

One of the offices where I used to work was especially
notorious for having this problem. Many of the employee’s jobs required them to
store lots of data on paper. Since storage space was tight, several employees
would box up forms and place them under their desks. Often the boxes would sit
on top of the network cable. Over time, the action of kicking the boxes or
stacking additional boxes would pull on the network cable, causing it to become
loose from the RJ-45 connector. If you work in such an environment, this should
be one of the first things you check.

Look for malformed packets

Take another look at the data you captured earlier from your
protocol analyzer. You can learn a lot about the problem by examining the
captured packets. For example, many protocol analyzers have a mechanism that
allows you to count malformed packets. While it’s normal to have the occasional
malformed packet, there’s no way that a healthy machine should be spewing out large
numbers of them. Generally, if a machine is generating lots of malformed
packets, one of two things is occurring: Either the network card is
malfunctioning, or there’s a Trojan infecting the machine and it’s trying to
use malformed packets in a denial of service attack against your network.

Of these two scenarios, a malfunctioning network card is
much more likely to be the culprit than a Trojan—assuming you have good network
security in place. However, there are ways of finding out which is the culprit.
One way is to make a Remote
Installation Service
(RIS) boot disk and boot the machine from it. When you
boot your machine from a RIS boot disk, it will try to attach to a RIS server
and allow you to remotely install an operating system.

For this particular test, you aren’t interested in remotely
installing an operating system. Instead, the RIS boot disk just provides you
with a way of booting a network requestor outside of the operating system. When
the machine has been booted from the RIS boot disk, you can check the protocol
analyzer again. If the machine is still sending out lots of malformed packets,
you can be sure that the network card is either bad or needs to be reseated. If
the malformed packets stop, then something in the operating system is causing
the malformed packets. If this is the case, you should scan the machine with a
pestware removal tool such as Lavasoft’s
Ad-Aware
.

Check the port number

What if the machine is flooding the network with legitimate
packets rather than malformed packets? You can use information within the
packet to help figure out what’s happening. For example, if you notice that most
of the packets are being sent through ports ranging from 550 to 5503, there’s a
good chance that the user has installed Hot Line, a peer-to-peer file sharing
program. If the data is flowing across port 5631, the user probably has a PC
Anywhere session going on. If you go to the Internet
Assigned Numbers Authority Web site
, you can find a list of the various
ports.

The port number isn’t your only clue to determining the
source of the problem. Check out the destination address. Is it internal or
external? If the address is internal, it might be fairly easy to figure out who
the machine is trying to communicate with and what the user is trying to do. If
the address is external, you may have to use the port number to track down the trouble
spot.

Monitor activity as a last resort

If you’ve determined that the issue is definitely software-related,
but you aren’t sure if the user is doing something or if a Trojan has made it
into the system, the best advice I can give you is to keep an eye on the user.
You might try using a remote control session to monitor the user’s activity.
There are several good programs out there that will allow you to watch users
without them knowing that they’re being watched.

If the user doesn’t seem to be doing anything wrong, you’ll
probably have to scan the machine for viruses and other forms of malware to
resolve the problem. If you suspect that a virus may be to blame, it’s
important to take care of the problem quickly before it spreads to other PCs.