Our organization's firewall has been reporting some curious network activity coming from a few specific computers on our network. The source is always one of the same dozen or so computers on our network, and the destination is always the same computer on the domain. And it always follows the same pattern. First, an ICMP ping request is sent from one of the computers; then 5 seconds later the "microsoft-ds" service sends packets to the same destination; and then 5 seconds later the "nbname" service sends packets to the same destination. Currently our firewall has a rule to block and log all traffic going to this destination computer (since there shouldn't be any), and from the logs I can see that each source computer repeats this pattern roughly every 30-50 minutes. This unexplained network traffic began almost years ago and has been continuous ever since.
I have done the following troubleshooting to date. I used Wireshark to capture packets from one of the source computers over the weekend so I could analyze the data being sent. I focused on ICMP, since that is the first protocol used, and verified that the data being sent was no different from an ordinary ping request. Also, I swapped out one of the source computers and replaced it with another computer having the same name. The replacement computer no longer sends traffic to the destination computer, so I suspect whatever is executing the data transmissions is running from the source computers themselves. McAfee AntiVirus is running on these source computers and nothing is being reported.
So I am wondering: is there a way I can identify what is causing these computers to send this harmless traffic at random intervals? And FYI, I have administrative access to the source computers, but not the destination computer.
December 1, 2009 7:52 PM
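One way to tie this kind of traffic back to the process that sends it, shown here as an added example that is not part of the original post: turn on Windows Filtering Platform (WFP) connection auditing on one of the source computers, wait through at least one 30-50 minute cycle, then read the Security log for event ID 5156 ("The Windows Filtering Platform has permitted a connection"), which records the application path and PID alongside the destination address, port and protocol. Because the audit happens on the host itself, the events are written even though the perimeter firewall later drops the packets, and ICMP is covered as well as TCP 445 and UDP 137. The script assumes a Vista/2008 or later host (WFP auditing does not exist on XP/2003) and takes the destination IP as a parameter; `$Target` is a placeholder, not an address from the post.

```powershell
# Added example (not from the original post): find which process on this host
# sends traffic to a given destination, using WFP audit event 5156.
# Run from an elevated PowerShell prompt on one of the source computers.
param(
    [Parameter(Mandatory = $true)][string]$Target,  # destination IP seen in the firewall log (assumed)
    [int]$Hours = 2                                  # how far back to search; cover at least one 30-50 min cycle
)

# Step 1: enable success auditing for WFP connections. Every permitted
# connection now generates a 5156 event, so disable it again when finished.
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable | Out-Null

# Step 2: pull 5156 events from the Security log for the time window.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156; StartTime = $since } -ErrorAction SilentlyContinue

# IANA protocol numbers as they appear in the event's Protocol field.
$protoNames = @{ '1' = 'ICMP'; '6' = 'TCP'; '17' = 'UDP' }

$hits = foreach ($e in $events) {
    # Each 5156 event carries its fields as <Data Name="..."> elements in EventData.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }

    # Direction %%14593 is Outbound (%%14592 is Inbound); keep only outbound
    # connections whose destination matches the address from the firewall log.
    if ($data.DestAddress -eq $Target -and $data.Direction -eq '%%14593') {
        $proto = if ($protoNames.ContainsKey($data.Protocol)) { $protoNames[$data.Protocol] } else { $data.Protocol }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Protocol = $proto
            DestPort = $data.DestPort
            PID      = $data.ProcessID
            # Application is an NT device path, e.g. \device\harddiskvolume1\windows\system32\svchost.exe
            Image    = $data.Application
        }
    }
}

# Step 3: print the matches in time order. For the pattern in the question you
# should see ICMP, then port 445, then port 137, about 5 seconds apart, each
# with the PID and image that opened the connection.
$hits | Sort-Object Time | Format-Table -AutoSize

# Step 4 (run manually when done): stop the extra audit noise.
# auditpol /set /subcategory:"Filtering Platform Connection" /success:disable
```

If the image turns out to be svchost.exe, the PID alone is not enough; run `tasklist /svc /fi "PID eq <pid>"` while the process is still alive to see which services are hosted in it. On XP-era hosts without WFP auditing, the same correlation can be done with Process Monitor (network events filtered on the destination address) or a scheduled `netstat -bno` loop, although neither of those will attribute the ICMP echo request to a process.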
September 11, 2012 3:54 PM