Unexplained network traffic - how to identify?

Stefan G

Running Windows 7 Ultimate x64

In Task Manager, Networking tab, I see an almost constant stream of inbound
network traffic to my PC and I would like to know what is causing it. There
are other PCs on the LAN but even after rebooting all systems they all show
zero (or nearly zero) traffic except this one that starts pulling in traffic
at a fairly steady pace of 6 megabits/sec. Since I noticed it nearly two
weeks ago, I've been checking it very frequently and it's almost always
there. Sometimes it stops for 60-90 seconds, but then it starts again and
goes for hours before the next pause.

I have no network shares defined on this PC, so all I have are the default
administrative shares. Going to Computer/Manage/Sessions and/or Open Files
shows nothing at all.

I suspect malware, except that the traffic flow is always inbound, never
outbound, at least that I can see. I've updated and run both
SuperAntiSpyware and MalwareBytes, both of which found nothing but a few
tracking cookies (since deleted). I've run 'netstat -a' but I don't see
anything suspicious there.

What can I do next?

I only access the questionable computer remotely, so some of the traffic is
from my remote connection, but certainly not a steady 6Mb in a single
direction. Besides, another Windows 7 PC on the same LAN shows less than
10Kb of network traffic rather than 6Mb. Surely I'm missing something
obvious.

While I was typing this, it stopped for about 55 seconds, but now it has
started up again. After nearly two weeks, it can't be Windows updates or any
other updates since it seems to run nearly constantly 24/7.

Do I need to take packet captures with Wireshark?
 
Paul

Stefan said:
Running Windows 7 Ultimate x64

In Task Manager, Networking tab, I see an almost constant stream of inbound
network traffic to my PC and I would like to know what is causing it. There
are other PCs on the LAN but even after rebooting all systems they all show
zero (or nearly zero) traffic except this one that starts pulling in traffic
at a fairly steady pace of 6 megabits/sec. Since I noticed it nearly two
weeks ago, I've been checking it very frequently and it's almost always
there. Sometimes it stops for 60-90 seconds, but then it starts again and
goes for hours before the next pause.

I have no network shares defined on this PC, so all I have are the default
administrative shares. Going to Computer/Manage/Sessions and/or Open Files
shows nothing at all.

I suspect malware, except that the traffic flow is always inbound, never
outbound, at least that I can see. I've updated and run both
SuperAntiSpyware and MalwareBytes, both of which found nothing but a few
tracking cookies (since deleted). I've run 'netstat -a' but I don't see
anything suspicious there.

What can I do next?

I only access the questionable computer remotely, so some of the traffic is
from my remote connection, but certainly not a steady 6Mb in a single
direction. Besides, another Windows 7 PC on the same LAN shows less than
10Kb of network traffic rather than 6Mb. Surely I'm missing something
obvious.

While I was typing this, it stopped for about 55 seconds, but now it has
started up again. After nearly two weeks, it can't be Windows updates or any
other updates since it seems to run nearly constantly 24/7.

Do I need to take packet captures with Wireshark?
Sounds like a plan.

I'm sure the answer will not be immediately obvious with the packet
sniffer, but you have to start somewhere. I've had a few instances where
the address of the sender is Akamai, and I haven't a clue who might actually
be responsible for the traffic. The network name isn't always indicative.

For fun, you can also try running TCPView.

http://technet.microsoft.com/en-us/sysinternals/bb897437

Paul
 
Fokke Nauta

Running Windows 7 Ultimate x64

In Task Manager, Networking tab, I see an almost constant stream of inbound
network traffic to my PC and I would like to know what is causing it. There
are other PCs on the LAN but even after rebooting all systems they all show
zero (or nearly zero) traffic except this one that starts pulling in traffic
at a fairly steady pace of 6 megabits/sec. Since I noticed it nearly two
weeks ago, I've been checking it very frequently and it's almost always
there. Sometimes it stops for 60-90 seconds, but then it starts again and
goes for hours before the next pause.

I have no network shares defined on this PC, so all I have are the default
administrative shares. Going to Computer/Manage/Sessions and/or Open Files
shows nothing at all.

I suspect malware, except that the traffic flow is always inbound, never
outbound, at least that I can see. I've updated and run both
SuperAntiSpyware and MalwareBytes, both of which found nothing but a few
tracking cookies (since deleted). I've run 'netstat -a' but I don't see
anything suspicious there.

What can I do next?

I only access the questionable computer remotely, so some of the traffic is
from my remote connection, but certainly not a steady 6Mb in a single
direction. Besides, another Windows 7 PC on the same LAN shows less than
10Kb of network traffic rather than 6Mb. Surely I'm missing something
obvious.

While I was typing this, it stopped for about 55 seconds, but now it has
started up again. After nearly two weeks, it can't be Windows updates or any
other updates since it seems to run nearly constantly 24/7.

Do I need to take packet captures with Wireshark?
Wireshark is the way to go here indeed. I used it once to analyze
network traffic from and to my workstation. It's quite intuitive and you
will be able to clearly analyze the traffic.

Fokke
 
Andy Burns

Fokke said:
Wireshark is the way to go here indeed. I used it once to analyze
network traffic from and to my workstation. It's quite intuitive and you
will be able to clearly analyze the traffic.
Another recommendation for Wireshark here. Rather than watching
thousands of packets whizz past, in this case starting a capture then
looking at Statistics/Conversations might lead to quick identification
of the offending traffic.
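The Statistics/Conversations view Andy describes, as an added example that is not part of this thread: a small Python script that aggregates per-peer inbound and outbound bytes from tshark-style field output, ranks the conversations by volume, and flags flows with no traffic in the other direction. The local address and the sample lines are constructed, not taken from the poster's capture.

```python
"""Rank a host's conversations by bytes, as Wireshark's Statistics >
Conversations does, and flag one-way flows. Input is tab-separated "src dst
proto len" lines, the shape `tshark -T fields -e ip.src -e ip.dst -e ip.proto
-e frame.len` emits. The sample and the local address are constructed."""
from dataclasses import dataclass

LOCAL_IP = "192.168.1.20"  # assumed address of the PC being investigated
SAMPLE = """\
192.168.1.10\t192.168.1.20\t6\t1514
192.168.1.20\t192.168.1.10\t6\t66
10.1.2.3\t192.168.1.20\t17\t1400
10.1.2.3\t192.168.1.20\t17\t1400
192.168.1.20\t192.168.1.1\t17\t80
192.168.1.1\t192.168.1.20\t17\t120
192.168.1.30\t192.168.1.40\t6\t1514
"""


@dataclass
class Conversation:
    peer: str
    proto: int
    in_bytes: int = 0   # bytes from peer to this host
    out_bytes: int = 0  # bytes from this host to peer

    @property
    def total(self) -> int:
        return self.in_bytes + self.out_bytes

    @property
    def one_way(self) -> bool:
        # Nothing flows back: this host is not party to a two-way exchange,
        # so look at the sender (or the network path) before local software.
        return self.in_bytes == 0 or self.out_bytes == 0


def top_talkers(text: str, local_ip: str):
    """Conversations sorted by total bytes, plus (count, bytes) of stray frames:
    frames neither from nor to local_ip, which a switched port should rarely
    see beyond broadcast/multicast, so many of them point at the switch."""
    table, stray_n, stray_b = {}, 0, 0
    for line in filter(None, text.splitlines()):
        src, dst, proto, length = line.split("\t")
        if src == local_ip:
            conv = table.setdefault((dst, proto), Conversation(dst, int(proto)))
            conv.out_bytes += int(length)
        elif dst == local_ip:
            conv = table.setdefault((src, proto), Conversation(src, int(proto)))
            conv.in_bytes += int(length)
        else:
            stray_n, stray_b = stray_n + 1, stray_b + int(length)
    convs = sorted(table.values(), key=lambda c: c.total, reverse=True)
    return convs, (stray_n, stray_b)
```

Run `tshark -T fields -e ip.src -e ip.dst -e ip.proto -e frame.len -r capture.pcapng` and feed its output to `top_talkers` in place of `SAMPLE`; the top entry with `one_way` set is the peer to look at first.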
 
Johnny

Running Windows 7 Ultimate x64

In Task Manager, Networking tab, I see an almost constant stream of inbound
network traffic to my PC and I would like to know what is causing it. There
are other PCs on the LAN but even after rebooting all systems they all show
zero (or nearly zero) traffic except this one that starts pulling in traffic
at a fairly steady pace of 6 megabits/sec. Since I noticed it nearly two
weeks ago, I've been checking it very frequently and it's almost always
there. Sometimes it stops for 60-90 seconds, but then it starts again and
goes for hours before the next pause.

I have no network shares defined on this PC, so all I have are the default
administrative shares. Going to Computer/Manage/Sessions and/or Open Files
shows nothing at all.

I suspect malware, except that the traffic flow is always inbound, never
outbound, at least that I can see. I've updated and run both
SuperAntiSpyware and MalwareBytes, both of which found nothing but a few
tracking cookies (since deleted). I've run 'netstat -a' but I don't see
anything suspicious there.

What can I do next?

I only access the questionable computer remotely, so some of the traffic is
from my remote connection, but certainly not a steady 6Mb in a single
direction. Besides, another Windows 7 PC on the same LAN shows less than
10Kb of network traffic rather than 6Mb. Surely I'm missing something
obvious.

While I was typing this, it stopped for about 55 seconds, but now it has
started up again. After nearly two weeks, it can't be Windows updates or any
other updates since it seems to run nearly constantly 24/7.

Do I need to take packet captures with Wireshark?
When you have Task Manager open, click on the performance tab and then
the Network tab and you should be able to see bytes sent and received.

You could also check to see if Akamai Netsession is installed on that
computer.

This explains how it works:

What is the Akamai NetSession Interface?

The Akamai NetSession Interface is a secure application that may be
installed on your computer to improve the speed, reliability, and
efficiency for downloads and streams from the Internet. It is used by
many software and media publishers to deliver files or streams to you.

If the software or media publisher uses the feature and if you enable
it, NetSession can also use a small amount of your upload bandwidth to
enable other users of the NetSession Interface to download pieces of the
publisher's content from your computer.

http://www.akamai.com/html/solutions/client_faq.html
 
Stefan G

Do I need to take packet captures with Wireshark?
Update - I have a Netgear Gigabit switch in the mix and was seeing
incredibly poor throughput between some of the computers on the LAN. I
swapped in a spare Gig switch and fixed that problem. Interestingly, the
unsolicited traffic stopped when I changed the switch.

What the heck kind of switch malfunction causes a 6 Megabit traffic storm?

I never got a chance to look at packet captures but I still have the old
switch and may dig into the issue when I get more time. Thanks for the
suggestions, everyone!
 
Paul

Stefan said:
Update - I have a Netgear Gigabit switch in the mix and was seeing
incredibly poor throughput between some of the computers on the LAN. I
swapped in a spare Gig switch and fixed that problem. Interestingly, the
unsolicited traffic stopped when I changed the switch.

What the heck kind of switch malfunction causes a 6 Megabit traffic storm?

I never got a chance to look at packet captures but I still have the old
switch and may dig into the issue when I get more time. Thanks for the
suggestions, everyone!
I've had the port on my Netgear GbE "flicker" when an unpowered PC was
connected. But that didn't result in any traffic that I could see.

My Netgear is supposed to power off unused ports. I suspect the
flicker I was seeing was the Netgear going in and out of power
saving mode on that port. That could be why there was no associated
traffic. If I powered up the PC on that port, the flickering would
stop.

The trick is to try and find a GbE switch that doesn't have those
power saving features. They're a bit harder to find. That power
saving feature is also known to block WOL for people. So it's a
PITA. With the first generation of GbE, the ports stayed on all the
time (and the box got hot).

Paul
 