Constant Network Activity

Discussion in 'Networking (Hardware & Software)' started by BrokenPC, 2007/01/03.

  1. 2007/01/03
    BrokenPC

    BrokenPC Inactive Thread Starter

    Joined:
    2006/06/20
    Messages:
    20
    Likes Received:
    0
    Hi,

    Can anyone help? I am totally baffled by this one.

    Recently a PC of mine on the home network died and needed a new motherboard CPU etc. in addition to a complete reinstallation of Windows XP professional, Office XP professional and my software development suite etc.

    I have a broadband internet connection using a DSL504 router/switch and each PC on the network has its own installation of Norton Internet Security 2006.

    In general I lock down each PC as tightly as possible. All applications that access the internet are configured NOT to automatically update themselves! I do this so that if I do see any internet activity I know to get suspicious and investigate.

    The PC that was rebuilt with a new motherboard is now accessing the LAN and internet constantly. I have tried un-installing as many applications as possible with no effect. Also I scanned the PC using NIS for internet applications and blocked them all (about 200 or so). This also does not stop this mysterious traffic.

    I can tell that there is traffic because for each network connection present on the PC I have configured a notification to appear on the taskbar (left-hand side of the taskbar). When a connection becomes active an icon appears that shows the usual pair of PC's. When there is traffic the PC's change colour etc.

    I have also reset the router and configured it from scratch but the moment the connection is re-enabled there is traffic.

    Can anyone suggest what may be accessing the internet which presumably is getting past Norton Internet Security?

    Traffic is bi-directional with approximate packet sizes of 8KB incoming and 4KB outgoing.

    Finally I have run Ad-aware which turned up nothing except for one or two cookies (as usual) and also performed a cleanup of the PC using Secure Clean (White Canyon).

    Regards BrokenPC
     
  2. 2007/01/03
    Bill Castner

    Bill Castner Inactive

    Joined:
    2006/08/30
    Messages:
    1,980
    Likes Received:
    0
    I would guess that what you are seeing is UPnP traffic on your LAN subnet.
     
  4. 2007/01/03
    BrokenPC

    BrokenPC Inactive Thread Starter

    Joined:
    2006/06/20
    Messages:
    20
    Likes Received:
    0
    Hi,

    Thanks for the reply.

    The UPnP is disabled according to XP-AntiSpy. I suspect, however, that some network service is causing this traffic as you suggested.

    I have temporarily disabled the NIS firewall and installed Zone-Alarm which I also have running on one other machine. The constant internet activity has now stopped but I do not understand why.

    Any ideas?

    Regards brokenPC
     
  5. 2007/01/03
    Bill Castner

    Bill Castner Inactive

    Joined:
    2006/08/30
    Messages:
    1,980
    Likes Received:
    0
    . DHCP server/workstation broadcasts. These you cannot stop and do not want to.

    . NETBIOS broadcasts. Since you do not have a local DNS server to resolve hostnames, you have to depend on NETBIOS. This is quite a "chatty" protocol. Since you just installed Zone Alarm, its defaults are to deny NETBIOS traffic. Of course, this also takes the computer off the network.

    Google "xp packet sniffer "

    There are several good freeware packet sniffers. Examine the traffic to identify its kind and source.
     
  6. 2007/01/03
    BrokenPC

    BrokenPC Inactive Thread Starter

    Joined:
    2006/06/20
    Messages:
    20
    Likes Received:
    0
    Hi,

    Would it be possible to test your last theory by disabling both types of traffic just to prove that this is what is happening?

    The really odd thing about all this is that it never did this before (unless I just didn't notice it). Generally I keep a keen eye on the traffic indicator and at the moment it just seems to happen constantly all day, rather than just the odd blast that I have seen in the past.

    Regards BrokenPC.
     
  7. 2007/01/03
    Bill Castner

    Bill Castner Inactive

    Joined:
    2006/08/30
    Messages:
    1,980
    Likes Received:
    0
    . Set the PC to a static IP address, and a static DNS server address

    That stops DHCP chatting.

    . Turn off in the adapter properties, Internet Protocol TCP/IP, Properties, Advanced, WINS tab: "Use netbios over TCP/IP "
    That stops NETBIOS chatter.

    But personally I would "sniff" the traffic to identify its kind, source and destination.
     
  8. 2007/01/03
    BrokenPC

    BrokenPC Inactive Thread Starter

    Joined:
    2006/06/20
    Messages:
    20
    Likes Received:
    0
    Hi,

    I did try to find a program that would identify network traffic, as you suggested, but did not find a lot. Perhaps I did not search for the right thing.

    You have kind of answered another question that was in the back of my head in your last reply. One of my other PC's on the network is a server which I am in the middle of configuring. From the start I gave it a fixed IP address which explains why I see less (inactive) traffic on this PC than others.

    Could you suggest a suitable 'sniffer' program that will identify inbound and outbound traffic from my PC?

    Regards BrokenPC.
     
  9. 2007/01/03
    Bill Castner

    Bill Castner Inactive

    Joined:
    2006/08/30
    Messages:
    1,980
    Likes Received:
    0
  10. 2007/01/03
    BrokenPC

    BrokenPC Inactive Thread Starter

    Joined:
    2006/06/20
    Messages:
    20
    Likes Received:
    0
    Hi,

    Downloaded and installed Ethereal. I am pretty sure I tried this program out years ago when I first became interested in networks. I have taken a capture of a few seconds of this constant traffic I am seeing so much of, and now I would like to interpret the results.

    Presumably subnet traffic would just be between my PC (192.168.0.4) and the DSL504 router (192.168.0.1). At the start of the capture this is exactly what I am seeing, traffic to/from the router. However, further on into the capture I am seeing IP addresses on the internet, for example 207.126.123.20 and 207.126.123.29 (both are www.about.com).

    This is odd because I seem to remember being directed to this site recently (possibly today) whilst doing some googling.

    Also 213.199.161.251 (???), 209.62.176.56 (web pages says it is a DoubleClick advertising server) and 81.23.243.151 (???) are there as well as others.

    Would I be right to be concerned about this traffic? Perhaps I could post a part of the capture file contents for your comments?

    Regards BrokenPC.
     
  11. 2007/01/03
    Bill Castner

    Bill Castner Inactive

    Joined:
    2006/08/30
    Messages:
    1,980
    Likes Received:
    0
    If you open a page that contains obvious ads, or a Forum in which keywords are automatically highlighted in green or yellow and little notification tags appear on a hover, the site is using advertising material drawn from several known and large servers.

    This is different from pop-ups, or malware. These servers hold and provide advertising material to service web sites that allow the content on the page.

    You can block this traffic by making entries in your HOSTS file. There are safe sites that sponsor constantly updated HOSTS files for your use: http://www.mvps.org/winhelp2002/hosts.htm

    Last note: any traffic with an IP of 192.168.0.x has to be from inside your LAN. These IANA private LAN address ranges are not usable over the internet and would not be routed.
     
  12. 2007/01/03
    BrokenPC

    BrokenPC Inactive Thread Starter

    Joined:
    2006/06/20
    Messages:
    20
    Likes Received:
    0
    Hi,

    Not sure what happened on the first Ethereal capture but all the captures I have taken since only include TCP packets between the PC and the router (192.168.0.x).

    I did as you said and allocated a fixed IP/Mask and gateway for the PC and the constant traffic disappeared.

    I would still like to understand the traffic that is occurring. It almost seems as though the same sequence of network accesses are being repeated indefinitely!

    Regards BrokenPC.
     
  13. 2007/01/03
    BrokenPC

    BrokenPC Inactive Thread Starter

    Joined:
    2006/06/20
    Messages:
    20
    Likes Received:
    0
    Hi,

    There was one last thing (for today anyway) that I would like to clear up. I did investigate this quite some time ago but without a lot of success.

    When I configure the PC to get its IP address from the router via DHCP I have noticed that on the Network Connections page there is an additional item under the heading Internet Gateway.

    When I configure the PC with a fixed IP address this entry is not there at all.

    I believe also that when using Zone-Alarm instead of NIS firewall the entry is also not present.

    When the entry is present it does not appear to have any properties at all. What is this for?

    Regards BrokenPC
     
  14. 2007/01/03
    Bill Castner

    Bill Castner Inactive

    Joined:
    2006/08/30
    Messages:
    1,980
    Likes Received:
    0
    The "Internet Gateway" is your router.

    If you permit UPnP and SSDP traffic between the router and clients, the Icon will appear.

    By clicking the icon you can reach the router setup page, and other resources made available by the router. If either UPnP or SSDP traffic is barred by a firewall, the icon cannot appear.
     
  15. 2007/01/04
    BrokenPC

    BrokenPC Inactive Thread Starter

    Joined:
    2006/06/20
    Messages:
    20
    Likes Received:
    0
    Hi,

    It would appear that the constant internet traffic is as a result of enabling the Internet Gateway notification icon (IE Internet Connection|Properties|Show icon in notification area when connected). When checked the icon appears and the traffic starts. Both this icon and the LAN icon constantly flash to indicate the traffic. Switch the notification off, one icon disappears and the LAN icon stops flashing (or at least only occasionally as expected).


    Presumably this is correct behaviour but why is it happening?

    Regards BrokenPC
     
  16. 2007/01/04
    visionof

    visionof Inactive

    Joined:
    2006/11/12
    Messages:
    778
    Likes Received:
    5
    Have you scanned for any spyware or malware at all ?
     
  17. 2007/01/04
    BrokenPC

    BrokenPC Inactive Thread Starter

    Joined:
    2006/06/20
    Messages:
    20
    Likes Received:
    0
    Hi,

    Yes this was the first thing I did. I used AdAware and also scanned with Norton Anti-virus. Nothing found.

    Regards BrokenPC
     
  18. 2007/01/04
    Bill Castner

    Bill Castner Inactive

    Joined:
    2006/08/30
    Messages:
    1,980
    Likes Received:
    0
    If enabled, it will broadcast poll your network regularly to identify other UPnP devices. What you are seeing is UPnP and SSDP broadcast traffic. This is perfectly normal behavior and perfectly harmless. This was the point I tried to make to you in my first reply in this thread.

    To disable:
    Start, Network Connections, Advanced tab, Optional networking components. Uncheck the 'Internet Gate Device Discovery and Control client' and uncheck the 'UPnP discovery client'

    Why you would feel compelled to do so still somewhat baffles me. Under Windows Networking these two client services are going to grow into key elements. Vista, for example, uses these two client services and not NETBIOS to resolve hostnames. If you begin adding Vista workstations to your LAN, you will only have to revert the changes you are now making.
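
Added example (not part of any post in this thread): one way to sort packets exported from a sniffer capture into the traffic kinds discussed above, namely DHCP, NETBIOS, SSDP/UPnP discovery, other LAN-only traffic, and traffic to internet hosts. The packet list is constructed for illustration, and the port-80 connection to the router is an assumption, since the thread only says the capture showed TCP between the PC and the router.

```python
import ipaddress
from collections import Counter

# SSDP discovery is sent to this multicast group on UDP port 1900.
SSDP_GROUP = ipaddress.ip_address("239.255.255.250")

# Constructed sample: (protocol, source, destination, source port, dest port).
SAMPLE_PACKETS = [
    ("udp", "192.168.0.4", "239.255.255.250", 1040, 1900),  # SSDP search
    ("udp", "192.168.0.1", "192.168.0.4", 1900, 1040),      # SSDP unicast reply
    ("tcp", "192.168.0.4", "192.168.0.1", 1051, 80),        # PC to router (port assumed)
    ("udp", "0.0.0.0", "255.255.255.255", 68, 67),          # DHCP discover
    ("udp", "192.168.0.4", "192.168.0.255", 137, 137),      # NETBIOS name query
    ("tcp", "192.168.0.4", "207.126.123.20", 1060, 80),     # internet host named in the thread
]

def is_local(ip):
    """True for private (RFC 1918 and similar) or multicast addresses."""
    return ip.is_private or ip.is_multicast

def classify(proto, src, dst, sport, dport):
    """Label one packet by the kind of traffic it most likely belongs to."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ports = {sport, dport}
    if proto == "udp" and ports & {67, 68}:
        return "dhcp"
    if proto == "udp" and (dst_ip == SSDP_GROUP or 1900 in ports):
        return "ssdp"
    if (proto == "udp" and ports & {137, 138}) or (proto == "tcp" and 139 in ports):
        return "netbios"
    if is_local(src_ip) and is_local(dst_ip):
        return "lan-other"
    return "internet"

def summarize(packets):
    """Count packets per traffic kind."""
    return Counter(classify(*p) for p in packets)

def external_peers(packets):
    """Sorted non-local addresses seen, i.e. the hosts worth looking up."""
    peers = set()
    for p in packets:
        if classify(*p) == "internet":
            for addr in (p[1], p[2]):
                if not is_local(ipaddress.ip_address(addr)):
                    peers.add(addr)
    return sorted(peers)

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_PACKETS)))
    print(external_peers(SAMPLE_PACKETS))
```
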
     
  19. 2007/01/05
    BrokenPC

    BrokenPC Inactive Thread Starter

    Joined:
    2006/06/20
    Messages:
    20
    Likes Received:
    0
    Hi,

    For me each PC on the network is pretty much locked down and also behind a router firewall. In general I do not allow any application to access the internet without me initiating it. This means that all automatic updates are switched off (and performed manually on a regular basis) this includes Windows XP etc.

    Doing things this way may seem a little odd BUT if you keep a keen eye on your LAN notification icon you get to know when traffic is occurring that shouldn't be. Or at least may need further investigation.

    In general my network traffic is quiet and I would only expect it to start up when I initiate it.

    UPNP was already disabled because of security issues associated with it. Regarding the other discovery service I have two choices. I can leave it enabled as it was and not enable the notification icon or disable it to make the Internet Connection (the router) icon disappear from the network devices list. Either way my network becomes quiet again - which really is my only objective here.

    Regards BrokenPC
     
  20. 2007/01/05
    Bill Castner

    Bill Castner Inactive

    Joined:
    2006/08/30
    Messages:
    1,980
    Likes Received:
    0
    What security issues?
     
  21. 2007/01/05
    BrokenPC

    BrokenPC Inactive Thread Starter

    Joined:
    2006/06/20
    Messages:
    20
    Likes Received:
    0
    Hi,

    I have read a number of articles regarding this network service, including the following.

    http://www.grc.com/unpnp/unpnp.htm

    Looking at it now, opinions may have changed, however, I do not need this service at the moment and if I ever do I will need to look at it further then.

    Regards BrokenPC
     