Finding a Problem Computer

By snsavage ·
The organization that I work for has been experiencing Internet problems over the past few months. Throughout the day the Internet slows to a crawl and is unusable. The problem is very periodic however. Our ISP stated that a computer on the network is sending out a large number of small packets that is overwhelling our upload bandwidth. We are worried that one of the computers has been taken over and is sending out spam. There are about 30 people in the office which makes finding the problem difficult. How should we go about finding where the packets are being sent from? Thanks.

7 total posts (Page 1 of 1)  

All Comments

by BFilmFan In reply to Finding a Problem Compute ...

Download and scan all the systems with virus checkers and anti-spyware.

Microsoft's Anti-Spyware is free and available here:

http://www.microsoft.com/athome/security/spyware/software/default.mspx

by CG IT In reply to Finding a Problem Compute ...

snort

you can analyze traffic on the LAN side at the uplink and find out which MAC address is sending out the packets

by sgt_shultz In reply to Finding a Problem Compute ...

Wonder what exactly internet connection you have, pipe-wise. Everybody plugging into a switch which is plugged into a DSL router? You say your ISP can tell you that you got bunches of small packets but can't tell you what they are (like DNS requests) or where they come from? Lazy or too busy. I would call around, tell my tale of woe without rancor, ask for presales tech support, see if I could find a more helpful ISP partner for my company. Or politely ask for the router support group at your DSL vendor (phone company), tell the tale of woe with hope of getting pointed in the right direction or any crumb of help they would throw to you. Like holding your hand while you figure out Snort. Those guys are a first-rate wonderful resource, usually free.
Wonder what is the general state of your Windows critical updates, your anti-virus, your firewall(s) if any, and your malware scan/remove/block procedures. Wonder why your ISP didn't mention any of this to you?
You say it is very periodic. Please define how periodic. Are you logging it: date, time, whatever else you can catch? This could be a big clue if you are like me and don't crave getting down to the packet level...
Did this use to work fine? What has changed? You might have a big list: Windows updates, new computers, OS updates... Yes, as bfilm says, spam or virus or automatic updates for AIM, RealPlayer, MSN Messenger, Windows, you name it. Be hopeful you find plenty of malware and no viruses.
See what capabilities you have for logging and/or firewalling in your router.
The clues sound to me like: large number of small packets and periodic. This must be an exam question, eh?

by Info-Safety, LLC In reply to Finding a Problem Compute ...

To find the problem computer is actually the easy part: Next time your network slows to a crawl, unplug your computers from the network, one at a time, until the problem goes away. The last one disconnected SHOULD be your problem computer. If the problem does not go away until ALL computers are disconnected, start reconnecting your computers in the same order you disconnected them (i.e., first disconnected is first reconnected, etc.) If the problem starts back up BEFORE they are ALL reconnected, you have either discovered problem computer #2 or a problem ISP.

You REALLY need to make sure that every computer is protected by current antivirus software, with definitions no more than a week old, personal firewall, such as Zonealarm Pro, and anti-spyware software, such as Webroot Spysweeper, with definitions updated at least weekly, and all the up-to-date Windows and Office security patches. A full virus and spyware scan must be done on each computer at least once a week.

Bandwidth may not be the only thing your company is losing.

Good luck.

Craig Herberg

by lmayeda In reply to Finding a Problem Compute ...

All of the answers above are good but in a work environment, it is difficult to get everyone to shut down at the same time and you may want to be less intrusive. If you have a managed switch, you should be able to monitor the individual ports and visually detect which port is the source of most of the traffic. If you don't, you could watch the lights on the primary switch and see which ports seem to have major traffic. Understandably the port with the router and server(s) would be expected to have heavy traffic. Other ports may connect to secondary hubs/switches. By watching the lights you could at least narrow the field down to the more likely culprits. At this point you could disconnect a couple of PCs and see if traffic goes back to normal. Outside of spyware/viruses, heavy traffic can be caused by a defective network card or cable. In our case, I needed to reseat the network card in one PC and the problem disappeared. Note: Our ISP allows us to print graphs of our daily, weekly and monthly DSL usage. This often points out problems. A couple of times there was high traffic 24 hours a day even when the office literally shuts down at night and for the weekend. Other times, I've seen heavy traffic at 1:00am. Hope you find your problem.

by exNN In reply to Finding a Problem Compute ...

Some routers will allow you to monitor NAT statistics, therefore you can look for the computer that generates all that traffic at a specific time. We had that problem and it was a virus on a computer; I was able to find which one this way.

Good luck

by Suramya In reply to Finding a Problem Compute ...

We had the same problem with our net connection a couple of months ago and it turned out that our BIND server was sending out huge amounts of data to every DNS server out there.

The best way to figure out which machine is causing problems is to install something like Etherape (http://etherape.sourceforge.net/) on your server and use it to monitor the traffic. Etherape shows each connection to the net as a unique line with its thickness showing how much data is being transferred and the color of the line tells you what kind of data it is.

You could also try using iftop (http://www.ex-parrot.com/~pdw/iftop/) which is a command line tool that displays bandwidth usage by hosts.

Hope this helps.

- Suramya
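Taking CG IT's suggestion of capturing at the uplink and ranking by source MAC, together with the per-host bandwidth view Suramya describes, here is an added example (not code from any poster, nor from Snort, EtherApe or iftop) that parses a pcap file of the kind tcpdump -w writes, counts frames and "small" frames per source MAC, and ranks the senders. The capture bytes, the MAC addresses and the 128-byte "small" threshold are constructed assumptions.

```python
import struct
from collections import defaultdict

SMALL_FRAME = 128   # assumption: frames under this size count as "small packets"

def pcap_header():
    # Standard little-endian pcap global header, link type 1 (Ethernet)
    return struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)

def frame_record(src_mac, dst_mac, payload_len, ts=0):
    """One pcap record: Ethernet II + minimal IPv4 header + zero payload (constructed)."""
    mac = lambda m: bytes.fromhex(m.replace(':', ''))
    eth = mac(dst_mac) + mac(src_mac) + b'\x08\x00'
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                     bytes([192, 168, 1, 10]), bytes([8, 8, 8, 8]))
    frame = eth + ip + bytes(payload_len)
    return struct.pack('<IIII', ts, 0, len(frame), len(frame)) + frame

def parse_pcap(data):
    """Yield raw frames from little-endian pcap bytes (the format tcpdump -w writes)."""
    if struct.unpack('<I', data[:4])[0] != 0xa1b2c3d4:
        raise ValueError('only little-endian pcap supported')
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack('<IIII', data[off:off + 16])
        off += 16
        yield data[off:off + incl]
        off += incl

def rank_senders(data, small=SMALL_FRAME):
    """Per source MAC: total frames, small frames, bytes; sorted by small-frame count."""
    stats = defaultdict(lambda: {'frames': 0, 'small': 0, 'bytes': 0})
    for frame in parse_pcap(data):
        if len(frame) < 14:
            continue                      # runt frame, no Ethernet header to read
        src = ':'.join(f'{b:02x}' for b in frame[6:12])
        s = stats[src]
        s['frames'] += 1
        s['bytes'] += len(frame)
        if len(frame) < small:
            s['small'] += 1
    return sorted(stats.items(), key=lambda kv: kv[1]['small'], reverse=True)

# Constructed capture: one host spraying 200 tiny frames, one host doing a few large transfers
SAMPLE = pcap_header()
SAMPLE += b''.join(frame_record('00:11:22:33:44:55', 'aa:bb:cc:dd:ee:ff', 30, t) for t in range(200))
SAMPLE += b''.join(frame_record('66:77:88:99:aa:bb', 'aa:bb:cc:dd:ee:ff', 1400, t) for t in range(5))

if __name__ == '__main__':
    for mac, s in rank_senders(SAMPLE):
        print(f"{mac}  frames={s['frames']:4d}  small={s['small']:4d}  bytes={s['bytes']}")
```

Point it at a real file with `rank_senders(open('uplink.pcap', 'rb').read())`; the MAC at the top of the list is the one to trace back through the switch.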
