
Ddruid_SMP or anyone, I got another good one for ya.


Capt Fiero

Member
Joined
Dec 7, 2002
Location
Abbotsford BC Canada
Or anyone else that can offer a suggestion.
According to two different traffic meters, my server is downloading at 6-10 kBps constantly. But, uh, I am not downloading anything. FTP shut down, torrent apps shut down, and the worst part about it is that I don't see any drives with space changing. So I can't figure out where in the heck it is going.

What I am thinking I need is some sort of traffic monitoring software or app. I tried ZoneAlarm, which I really hate with a passion, but I tried it and all it did was end up killing all the needed traffic, and it did not stop the errant download. Even in locked mode, data was still coming in.

So, any suggestions?
 
With torrents, it may be a little while before you drop out of the swarm. There may be incoming requests (but not at 6-10 kB/s).

Download TCPView (http://www.sysinternals.com/Utilities/TcpView.html), start it up and it will give you a list of established connections, and what application is using it.

If that yields no information, download a copy of Ethereal (http://www.ethereal.com/); that will tell you exactly what packets are hitting that machine. It will give you the port and IPs it's communicating with (as well as a slew of other information). If it's not being accepted by an application, then it's just hitting closed ports.
 
I haven't used TCPView, but from the description it appears to be like Linux's 'netstat'. If that doesn't give you enough information, Ethereal or Packetyzer will show what is hitting that NIC.
 
Ethereal is good stuff and overall a very good and, uh... ummm... handy utility; netstat doesn't often lie either.

Netstat on Linux will give you the protocol, the port, the status of the connection, and the destination/originating 'station' or host. It almost has too many options.
 
I have been running a program called Bandwidth Monitor, for giggles, to see how much traffic I do on the network. It can show how fast you are sending/receiving up and down and will also tell how much data has been sent per day, week, month, year, and since installation. I average around 14 gigs total a day; it surprised me that it was that much, but I often stream music and video over the LAN, on or from this laptop, and that seems to add up, especially the video.
 
The actual bandwidth is not an issue. I have several of those types of programs; I run Stat Bar 24/7, which monitors all my traffic and hard drive sizes. I am going to keep an eye on the drives and try to find out where this data is going.

What I need to know is where this data is coming from, and where it is being put on my HD.

I don't know where it is coming from.
I don't know why it is coming here.
I don't know what it is.
I don't know where it is going (where it is being saved on my HD).

I already know how fast.

I am toying with the apps linked above but so far have not been able to figure out how to use them to distinguish between good and bad traffic.
 
netstat sounds like it would be best, as you could look at where it's going (port) and then look at what is listening on that port, and try to go from there. Other than that... I have no idea. Unless it's some kind of "ya still there?" thing going on, but using 10 K/sec... way too much.
 
Just because there is traffic on your network interface doesn't mean it's downloading anything. AIM or ICQ can generate traffic; it doesn't mean anything is saved. Even when someone sends you a packet to a closed port, traffic is generated: NACKs. That could very well be those 6-10 kBs.

Think of your LAN as a "house" with the way running up to it your internet connection. Even when your doors are locked (closed ports), anyone who comes up to your house and rings or tries the doors will use the way (network connection), even if he can't get in.
 
Well, hmm, this may be bad.

I did a screenshot of all the drives and what size they were.

I just checked and the OS drive was at 3.81 gig used, and it has climbed to 3.86 gig used.

So data is coming in and going someplace.

I have not been able to get any of the linked programs to show me what I need to know. I am going to keep fiddling with them and try to figure out how to make them do what I need.
 
I have run TCPView (Sysinternals) to check some stuff,

and came up with microsoft-ds, which is kind of confusing. But I can't get it to shut down. I can post a list of running processes if it would help.
 
Alright, here are 2 screenshots; maybe someone else can make heads or tails out of it.

badass is the name of the server. When it was built, the older server was a P3 500 and the new one was the AMD 1900+, so it was pretty well badass in comparison, and the name just stuck. As mentioned, Serv-U and Apache are the 2 main apps running on the rig. I went and removed as many other apps as I could during the testing phase to try and limit the possible problems.

tcippic.jpg


services.jpg
 
I'm betting that it is netbios broadcast traffic from other people on your cable segment.

Using Ethereal is simple. First thing is to close all applications that may be using the network, i.e. browsers, AIM, Yahoo, weather watchers, torrents, etc.

Click on Capture -> Interfaces, then in the new window look for the interface you want to sniff; in your case it would be the one that is connected to the modem. Click 'Prepare' next to that interface.

In the next window, in the 'Display Options' frame, check 'Update list of packets in real time' (I also like 'Automatic scrolling'). Click 'Start'.

After a bit, click 'Stop'.

Examine the list of sniffed packets. If you click a packet and look in the detail frame, you can see what the source and destination ports are (easier) and the protocol. If your IP address is the source, then you want the source port, and vice versa for the destination.

To find what program is responsible for the traffic, open a cmd prompt and right-click on the window frame (the blue area at top), then Properties, then Layout. Increase the 'Screen buffer size' height to, say, 500 lines. OK that, then either apply as default or just to that window.

At the cmd prompt, enter 'netstat -ano'. Looking under 'Local Address', look for the port from above; the format is <ipaddress>:<port>. Make sure that it is the same protocol and the state is 'LISTENING'. If you find one that matches, note the PID at the end. Type exit to close the window. Hit Ctrl-Alt-Delete, open the Processes tab and look for the PID there.
 
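An added example (not code from the thread or from any of the posters) that automates the procedure above and also covers the two earlier observations, the microsoft-ds entry in TCPView and the suggestion that the traffic is NetBIOS broadcast from the cable segment: it parses constructed `netstat -ano` output in the Windows format shown in the post, classifies constructed capture summary lines as delivered to a listening socket, hitting a closed port, or local broadcast, and charges delivered bytes to the owning PID. The server address, the 192.168.1.0/24 segment, the port numbers, the PIDs and every packet are assumed sample data; the only facts relied on are that microsoft-ds is TCP 445 and NetBIOS name/datagram services are UDP 137/138.

```python
"""Attribute inbound traffic from a capture to local processes.

Added example, not part of the original forum thread. The netstat output,
capture lines, addresses and PIDs below are constructed for illustration.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_IP = "192.168.1.10"                 # assumed address of the server
LOCAL_NET = ip_network("192.168.1.0/24")  # assumed local (cable) segment

# Constructed `netstat -ano` output in Windows layout:
# Proto  Local Address  Foreign Address  State  PID  (UDP rows have no State)
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1720
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:21        10.0.0.5:51234         ESTABLISHED     1480
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:138            *:*                                    4
"""

# Constructed capture summary: (src, dst, proto, dst_port, frame_length)
CAPTURE = [
    ("10.0.0.5",     "192.168.1.10",  "TCP", 21,   60),    # FTP control
    ("10.0.0.5",     "192.168.1.10",  "TCP", 21,   1460),  # FTP control
    ("192.168.1.37", "192.168.1.255", "UDP", 137,  92),    # NetBIOS name svc
    ("192.168.1.37", "192.168.1.255", "UDP", 138,  243),   # NetBIOS datagram
    ("203.0.113.9",  "192.168.1.10",  "TCP", 445,  60),    # microsoft-ds probe
    ("203.0.113.9",  "192.168.1.10",  "TCP", 6881, 60),    # no listener
    ("203.0.113.9",  "192.168.1.10",  "TCP", 6881, 60),    # no listener
]

# proto, local addr, local port, foreign addr, optional state, pid
_NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Return {(proto, local_port): pid} for sockets able to receive new
    inbound traffic: TCP sockets in LISTENING and every UDP socket."""
    listeners = {}
    for line in text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if not m:
            continue  # header, blank line, or something we don't recognise
        proto, _local, port, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED etc. belong to an existing listener
        listeners[(proto, int(port))] = int(pid)
    return listeners


def classify(pkt, listeners):
    """Classify one captured frame; returns (category, pid-or-None)."""
    _src, dst, proto, port, _length = pkt
    dst_ip = ip_address(dst)
    if dst_ip == LOCAL_NET.broadcast_address or dst == "255.255.255.255":
        if proto == "UDP" and port in (137, 138):
            return "netbios-broadcast", None  # other hosts on the segment
        return "broadcast", None
    if dst != LOCAL_IP:
        return "not-for-us", None  # seen on the wire, not addressed to us
    pid = listeners.get((proto, port))
    if pid is None:
        return "closed-port", None  # counted by the meter, stored nowhere
    return "delivered", pid


def attribute(capture, listeners):
    """Bytes per category, and bytes per PID for frames that reached a socket."""
    by_category = defaultdict(int)
    by_pid = defaultdict(int)
    for pkt in capture:
        category, pid = classify(pkt, listeners)
        by_category[category] += pkt[4]
        if pid is not None:
            by_pid[pid] += pkt[4]
    return dict(by_category), dict(by_pid)


if __name__ == "__main__":
    listeners = parse_netstat(NETSTAT_OUTPUT)
    cats, pids = attribute(CAPTURE, listeners)
    for cat, n in sorted(cats.items()):
        print(f"{cat:18} {n:6} bytes")
    for pid, n in sorted(pids.items()):
        print(f"PID {pid:<14} {n:6} bytes")
```

On the sample data the FTP bytes land on PID 1480 (the Serv-U listener in this constructed table), the microsoft-ds probe on PID 4 (System owns port 445 on Windows), the two NetBIOS frames are charged to nobody because they are segment broadcasts, and the 6881 probes are "closed-port": visible to a traffic meter, written to no disk. Only the "delivered" bucket can explain a growing drive, which is the distinction the thread was trying to make.
 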
Well, I noted my C:\Program Files directory getting bigger and bigger, and not being able to find out where in the heck the files were coming from or going to, I was on the brink of formatting the damn thing.

I went out today, picked up a cheap wired router, plugged it inline with the server, configured it for torrent, web and FTP traffic, locked all the other ports down, and POOF, all the bad traffic came to a dead halt.

When I shut off the torrent app my inbound traffic drops to 0.

I am not sure if I am ever going to truly find out what happened but I know that it is all fixed now.

I am going to run 3 or 4 different spyware, adware and antivirus apps over the entire drives again. There is a worm called Fizzer (link to some info) that could have been my problem.

I am just happy that it is running now.

So as of now I have one cable modem branching into a switch, and 2 routers fed off of that switch, with 6 computers on one router and the server on the other. I will leave it like this and be happy that all is well.

Thanks again for all your help. If I do ever find out exactly what happened I will let you know.

As for any possible payload, I don't have any mail clients at all on the server, so it can't email itself out.

If any of ya ever end up in Surrey, B.C., Canada, drop me a PM and I will buy ya a real beer, a Canadian beer.

This is my new network setup. LOL.

network.jpg
 