identifying cause of unexplained network traffic

Tags:
ICMP
Network performance
Network traffic
Our organization's firewall has been reporting some curious network activity coming from a few specific computers on our network. The source always comes from the same dozen or so computers on our network, and the destination is always the same computer on the domain. And it always follows the same pattern. First an ICMP ping request is sent from one of the computers, then 5 seconds later a "microsoft-ds" service sends packets to the same destination, and then 5 seconds later the "nbname" service sends packets to the same destination. Currently our firewall has a rule to block and log all traffic going to this destination computer (since there shouldn't be any), and from the logs I can see that each source computer repeats this pattern roughly every 30-50 minutes. This unexplained network traffic began almost years ago and has been continuous ever since.

I have done the following troubleshooting to date. I used WireShark to capture packets from one of the source computers over the weekend so I could analyze the data being sent. I focused on ICMP since that is the first protocol used, and verified that the data being sent was no different than an ordinary ping request. Also I swapped out one of the source computers and replaced it with another computer having the same name. The replaced computer no longer sends traffic to the destination computer, so I suspect whatever is executing the data transmissions is running from the source computers themselves. McAfee AntiVirus is running on these source computers and nothing is being reported.

So I am wondering: is there a way I can identify what is causing these computers to send this harmless traffic at random intervals? And FYI, I have administrative access to the source computers, but not the destination computer.

Software/Hardware used:
CheckPoint Firewall


To me it sounds like normal NetBIOS browser election traffic. Try turning off netbios over tcp/ip if this concerns you and there is no ill-effect on the clients’ ability to perform standard network tasks.

You can also use Sysinternals Procmon tool to look at the running processes on these client computers and see which process has a tcp connection (3-way handshake completed) to the destination of interest.

Also, Sysinternals TCPView could help you identify the process that is generating such traffic.

Exactly! I would have added “on client machine, scan registry for IP address of destination machine to confirm,” but I’d suspect an annoying NB browser election, not malware. Fix with client reconfiguration.
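The three suggestions above (check the NetBIOS over TCP/IP setting, map the connection to its owning process, and scan the registry for the destination) can be scripted on a source machine. The following is an added example, not code from the original thread or from any of the posters; it assumes the "microsoft-ds" traffic is TCP 445 and the "nbname" traffic is UDP 137 as named in the question, and the destination IP and host name it uses are placeholders to replace with the values from the CheckPoint log. It needs Windows 8 / Server 2012 or later for the NetTCPIP cmdlets and an elevated prompt to read process paths.

```powershell
<#
  Added example (not from the original thread). Assumes: destination address
  and name below are placeholders; microsoft-ds = TCP 445, nbname = UDP 137.
  The pattern repeats every 30-50 minutes, so poll for at least one cycle.
  Requires Windows 8 / Server 2012 or later; run from an elevated prompt.
#>
param(
    [string]$Destination     = '192.0.2.10',   # placeholder: logged destination IP
    [string]$DestinationName = 'DESTHOST',     # placeholder: destination host name
    [int]$Seconds            = 3600            # how long to watch for connections
)

# 1. Is NetBIOS over TCP/IP on for this adapter?
#    TcpipNetbiosOptions: 0 = setting from DHCP, 1 = enabled, 2 = disabled.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, @{n = 'IP'; e = { $_.IPAddress -join ',' }}, TcpipNetbiosOptions |
    Format-Table -AutoSize

# 2. Which process owns SMB connections to the destination, and which process owns
#    the NetBIOS name-service socket? (UDP 137 has no remote address to filter on.)
$seen     = @{}
$deadline = (Get-Date).AddSeconds($Seconds)
while ((Get-Date) -lt $deadline) {
    $conns = @(Get-NetTCPConnection -RemoteAddress $Destination -ErrorAction SilentlyContinue) +
             @(Get-NetUDPEndpoint -LocalPort 137 -ErrorAction SilentlyContinue)
    foreach ($c in $conns) {
        # NetTCPConnection objects carry RemotePort; NetUDPEndpoint objects do not.
        $proto = if ($c.PSObject.Properties['RemotePort']) { 'TCP' } else { 'UDP' }
        $port  = if ($proto -eq 'TCP') { $c.RemotePort } else { $c.LocalPort }
        $key   = "$proto $port pid=$($c.OwningProcess)"
        if ($seen.ContainsKey($key)) { continue }     # report each owner once
        $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $seen[$key] = [pscustomobject]@{
            FirstSeen = Get-Date
            Proto     = $proto
            Port      = $port
            PID       = $c.OwningProcess
            Process   = $p.ProcessName
            Path      = $p.Path     # empty for PID 4 (System): a kernel component owns it
        }
        $seen[$key] | Format-List
    }
    Start-Sleep -Seconds 1
}

# 3. Does anything on the machine reference the destination by name or address?
function Find-RegistryString {
    param(
        [string[]]$Patterns,
        [string[]]$Hives = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet', 'HKCU:\')
    )
    foreach ($hive in $Hives) {
        Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                $data = "$($key.GetValue($name))"     # multi-string values join with spaces
                foreach ($pat in $Patterns) {
                    if ($data -like "*$pat*") {
                        [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
                    }
                }
            }
        }
    }
}
Find-RegistryString -Patterns @($Destination, $DestinationName) | Format-Table -AutoSize
```

Two things to expect when reading the output. The SMB client and NetBIOS name service on Windows live in the kernel, so both the TCP 445 connection and the UDP 137 socket will usually be owned by PID 4 (System); that tells you the packets come from the redirector rather than from a user-mode program, and the next step is to find what asked the redirector for that host (a mapped drive, shortcut, scheduled task or service pointing at \\DESTHOST), which Procmon shows when filtered on a path containing the host name. Also, a one-second poll can miss a short-lived SMB connection; if step 2 stays empty across a full 30-50 minute cycle, use Procmon's network events or a packet capture with the process column instead.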

  • Denny Cherry
    That sounds like the exact thing it is. Try disabling the browser service on one of the machines and see if that stops the machine from sending the traffic.
    66,360 points
  • Frugal
    Thanks for the helpful suggestions guys. I just wanted to provide an update on this issue. Rklanke was correct: disabling netbios over tcp/ip puts a stop to this network traffic; however, turning off the computer browser service does not stop the network traffic. Since we do not use netbios on our network, this is a feasible solution to the problem, but it still does not answer the question as to why the problem is happening in the first place, which is what I am hoping to understand. This network traffic is only occurring on about 20 machines out of around the 500 that are on our network segment, even though they all have netbios over tcp/ip enabled by default. I've tried searching the registry on one of these computers for both the destination name and IP address, but I was unable to find it. Right now I am assuming it is computer browser election traffic, but since the network traffic persists after turning off the computer browser service, I wonder if it might be caused by something else. If anyone wants to take a stab at this and needs additional information, feel free to ask.
    15 points
