Our organization's firewall has been reporting some curious network activity coming from a few specific computers on our network. The source always comes from the same dozen or so computers on our network, and the destination is always the same computer on the domain. And it always follows the same pattern. First an ICMP ping request is sent from one of the computers, then 5 seconds later a "microsoft-ds" service sends packets to the same destination, and then 5 seconds later the "nbname" service sends packets to the same destination. Currently our firewall has a rule to block and log all traffic going to this destination computer (since there shouldn't be any), and from the logs I can see that each source computer repeats this pattern roughly every 30-50 minutes. This unexplained network traffic began almost years ago and has been continuous ever since.
I have done the following troubleshooting to date. I used Wireshark to capture packets from one of the source computers over the weekend so I could analyze the data being sent. I focused on ICMP since that is the first protocol used, and verified that the data being sent was no different than an ordinary ping request. Also, I swapped out one of the source computers and replaced it with another computer having the same name. The replacement computer no longer sends traffic to the destination computer, so I suspect whatever is executing the data transmissions is running from the source computers themselves. McAfee AntiVirus is running on these source computers and nothing is being reported.
So I am wondering: is there a way I can identify what is causing these computers to send this harmless traffic at random intervals? And FYI, I have administrative access to the source computers, but not the destination computer.
Software/Hardware used:
CheckPoint Firewall
ASKED:
December 1, 2009 7:52 PM
UPDATED:
September 11, 2012 3:54 PM
That sounds like the exact thing it is.
Try disabling the browser service on one of the machines and see if that stops the machine from sending the traffic.
Thanks for the helpful suggestions guys. I just wanted to provide an update on this issue. Rklanke was correct: disabling NetBIOS over TCP/IP puts a stop to this network traffic; however, turning off the Computer Browser service does not stop the network traffic. Since we do not use NetBIOS on our network, this is a feasible solution to the problem, but it still does not answer the question as to why the problem is happening in the first place, which is what I am hoping to understand. This network traffic is only occurring on about 20 machines out of the roughly 500 that are on our network segment, even though they all have NetBIOS over TCP/IP enabled by default. I’ve tried searching the registry on one of these computers for both the destination name and IP address, but I was unable to find it. Right now I am assuming it is Computer Browser election traffic, but since the network traffic persists after turning off the Computer Browser service, I wonder if it might be caused by something else. If anyone wants to take a stab at this and needs additional information, feel free to ask.
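Added example, not code from the question or from any of the replies: a small Python script that scans firewall drop logs for the exact three-step sequence described in the question (ICMP, then microsoft-ds about 5 seconds later, then nbname about 5 seconds after that) and reports, per source host, how many complete sequences were seen and how many minutes apart they recur. It is the kind of check that turns "curious activity" in the log viewer into a concrete list of hosts to inspect. The log layout, the IP addresses, the timestamps and the 5-second gap tolerance are all constructed assumptions for the example; the layout is not Check Point's native log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified "time src dst service action"
# layout (NOT Check Point's native format). Host 10.1.2.15 shows three
# complete sequences; 10.1.2.31 has an incomplete one; 10.1.2.77 is noise.
SAMPLE_LOG = """\
2009-11-30 08:00:00 10.1.2.15 10.1.9.200 icmp drop
2009-11-30 08:00:05 10.1.2.15 10.1.9.200 microsoft-ds drop
2009-11-30 08:00:10 10.1.2.15 10.1.9.200 nbname drop
2009-11-30 08:10:00 10.1.2.31 10.1.9.200 icmp drop
2009-11-30 08:10:05 10.1.2.31 10.1.9.200 microsoft-ds drop
2009-11-30 08:15:00 10.1.2.77 10.1.9.200 nbname drop
2009-11-30 08:42:00 10.1.2.15 10.1.9.200 icmp drop
2009-11-30 08:42:05 10.1.2.15 10.1.9.200 microsoft-ds drop
2009-11-30 08:42:10 10.1.2.15 10.1.9.200 nbname drop
2009-11-30 09:31:00 10.1.2.15 10.1.9.200 icmp drop
2009-11-30 09:31:06 10.1.2.15 10.1.9.200 microsoft-ds drop
2009-11-30 09:31:11 10.1.2.15 10.1.9.200 nbname drop
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<service>\S+) (?P<action>\S+)$"
)

# The service order reported in the question.
PATTERN = ("icmp", "microsoft-ds", "nbname")


def parse_log(text):
    """Parse log text into a list of event dicts, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events


def find_sequences(events, dst, gap=5, tolerance=2):
    """Return {src: [start timestamps]} for every complete
    icmp -> microsoft-ds -> nbname sequence towards `dst`, where each
    step follows the previous one within gap +/- tolerance seconds."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["dst"] == dst:
            by_src[ev["src"]].append(ev)

    lo = timedelta(seconds=gap - tolerance)
    hi = timedelta(seconds=gap + tolerance)
    found = defaultdict(list)
    for src, evs in by_src.items():
        i = 0
        while i < len(evs):
            if evs[i]["service"] != PATTERN[0]:
                i += 1
                continue
            matched, prev, j = 1, evs[i], i + 1
            while j < len(evs) and matched < len(PATTERN):
                delta = evs[j]["ts"] - prev["ts"]
                if delta > hi:          # next step arrived too late: no match
                    break
                if evs[j]["service"] == PATTERN[matched] and lo <= delta <= hi:
                    matched += 1
                    prev = evs[j]
                j += 1
            if matched == len(PATTERN):
                found[src].append(evs[i]["ts"])
                i = j                   # resume after the matched sequence
            else:
                i += 1
    return dict(found)


def repeat_intervals_minutes(sequences):
    """Whole minutes between consecutive complete sequences, per source host."""
    return {
        src: [round((b - a).total_seconds() / 60) for a, b in zip(starts, starts[1:])]
        for src, starts in sequences.items()
    }


if __name__ == "__main__":
    seqs = find_sequences(parse_log(SAMPLE_LOG), "10.1.9.200")
    for src, gaps in repeat_intervals_minutes(seqs).items():
        print(f"{src}: {len(seqs[src])} complete sequences, recurring every {gaps} min")
```

On the constructed sample this reports only 10.1.2.15, with three complete sequences recurring 42 and 49 minutes apart, which is the 30-50 minute cadence described in the question; hosts that only emit part of the pattern are left out, so the output is a short list of machines worth examining (and, per the update, the ones to check the NetBIOS over TCP/IP setting on) rather than every host that ever pinged the destination.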