Home > IT Answers > Microsoft Windows > VMware: Spurious http traffic
Help

Question

  Asked: Jun 27 2005   6:51 AM GMT
  Asked by: hedgehog

VMware: Spurious http traffic


Desktops, Operating system platforms, Hardware, Servers, Security, Network security, Firewalls, VPN, Intrusion management, Incident response, Forensics, Wireless, Administration, Product evaluation, Security Program Management, Compliance, Risk management, CRM, Policies, Disaster Recovery, DataCenter, Desktop management applications

Hi folks,

Since I installed VMware in my laptop (to be able to demo some products while on the field), I have noticed in the firewall logs that my laptop is sending an awful lot of http traffic (tcp/80). I use a squid proxy server integrated in the firewall and (valid) web traffic needs to go through a different port. So when I see blocked port 80 requests in the firewall logs, I worry. It's usually something misconfigured, but also could be backdoors or esp adware/spyware.. I have run MS-AntiSpyware and found nothing suspicious. I also use Kaspersky Anti-virus with the additional spyware bases and again found (or let through) anything suspicious.
VMware (v4.5.2-build 8848) virtual NIC is configured on Bridged mode. Funny thing is that it happens even with VMware not running (i.e. virtual machines powered off), although I have noticed three VMware processes running always (VMware NAT Service, VMware DHCP Service and VMware Authorization Service). The virtual OS I have installed is WinXP Pro SP2 with all patches. The host OS is also WinXP Pro SP2 with all patches.

It may not be related at all with VMware, but I would appreciate if any of you have experienced a similar problem and what solution you've found (short of uninstalling VMware, that is :-)

Cheers

Hedgehog.

Subscribe to Alerts! Get questions and answers delivered to your Inbox.


E-mail me updates on this question



   SUBSCRIBE

hidden modal window
Help

Answer Wiki (Improve, edit or add to this answer)

IMPROVE THIS ANSWER
View History
 RATE THIS ANSWER
0
Click to Vote:
  •   0
  •  0
Last Answered: Jun 27 2005  9:13 AM GMT  by JeffJAG




This sounds similar to what I have seen on my VMWare -- not exactly, but similar.

I was seeing lots of dropped port 137 traffic for addresses in the 192.168.x.x range, and thought we had a misconfigured PC on our network with some default IP address. I finally realized that VMWare configures a couple of virtual network adapters in Windows using the 192.168.x.x private range for its virtual networks. The rogue PC was mine!

This broadcast traffic was being sent out all of the adapters (real andvirtual), and the server was trying to respond, but it was going to the gateway on our network (firewall/router) and was being dropped. As soon as I disabled the virtual adapters in Network Connections, the dropped traffic stopped.

I'm not sure if the port 80 traffic you are seeing is in the same vein or not. Hope this helps a little.
  • AddThis Social Bookmark Button

Browse more Questions and Answers on Microsoft Windows, DataCenter and Security.

Looking for relevant Microsoft Windows Whitepapers? Visit the SearchWinIT.com Research Library.


RSS - Discussions Help

Discuss This Answer


You must be logged-in to discuss a question. Log-in/Register

hedgehog  |   Jun 27 2005  11:32AM GMT

Hi JeffJAG,

Thanks for your answer.

Most of the spurious traffic I see seems to go to Microsoft (Microsoft has several networks in the 207.46.x.x and the 64.4.x.x ranges, which is where most requests seem to be going). I bet it’s some stupid auto-update or sth like that.

There was also some traffic on UDP/3544 so I had to disable IPv6 in the laptop (it’s installed along with the advanced networking pack and tries to use a MS gateway for tunneling IPv6 in IPv4 - typical MS…)

How did you disabled the VMware virtual adapters? Did that affect the bridged connection to the host machine? I ask because I need to have network access to the main LAN from within the virtual OS…

Thanks,

Hedgehog.

 

WebTrekker  |   Jul 8 2005  10:21AM GMT

By default the installer creates two additional adapters, VMNET1 and VMNET8. These are used for DHCP and host only connections and are quite active. If you don’t need them, you can disable them in the control panel to cut back on network traffic. I don’t know this for a fact, but I believe that VMWare has a “keep-alive” going on these connections.

The other thing that occurs is that with Windows clients, the Master Browser thing is always active and pinging, which can really tie up system resources.

Finally, the “shared folders” thing is as chatty as NFS is on Unix andyou can cut down on a lot of network traffic by turning it off.

Don’t know if this will help at all - hope so =P