how to diagnose abnormal network usage? (long post)

Old 04-17-08, 01:39 PM Thread Starter   #1
xpwj


I'm helping a small office with a server and 4 computers. They have been over their network usage for the 3rd month now; however, we can't find why the usage suddenly got too high over the last 3 months. Here is some data:

Month of Dec: daily usage was between 30 MB and 90 MB
08 Jan: same as Dec, 30 MB to 90 MB
08 Feb: starting Feb 6th, daily usage went up to about 300-500 MB per day, all the way up to now.

Even on days with only 1 employer (the manager himself) the usage was about 400 MB and he only checks email. I've checked that all 4 PCs are clean of spyware and viruses, with no download programs and no games installed. I even installed Netlimiter to track the usage on all PCs but the number is very low. Has anyone ever come across this kind of problem? Also, the ISP says 90% of the usage was download and very little upload. I don't see any unusual services running on the server either, but the usage is still very high. Does anyone have any suggestions on what to do?
Old 04-17-08, 02:00 PM   #2
Jon
 
You could use something like Network Probe to monitor all your traffic. They have a trial available, although I'm not quite sure what the limitations are. I've used the full version and it works very well.

There are also free utilities like Wireshark/Ethereal, which can be used to capture everything on any interface you have.

Old 04-17-08, 02:25 PM   #3
ratbuddy
 
Is there a wireless router somewhere in the mix?

Old 04-17-08, 02:36 PM Thread Starter   #4
xpwj
 
To ratbuddy: no, there is no wireless router. Just the main switch, very simple network.

To Jon: I will give that a try. Do you know if that just needs to be installed on the server, or on the server + all PCs? Also, if I log off the server administrator, will it still run in the background? The problem I had with Netlimiter is that if I log in remotely to check and log off after, it won't be running anymore, so I have to leave the administrator logged on.

PS: thanks for the quick reply, guys
Old 04-17-08, 03:09 PM   #5
Jon
 
Wireshark is for traffic capturing and can be on any system that has access to a port on your network. You set it to target the port and it will capture promiscuously. Downside is that the more traffic there is, the more you have to sift through and the capture files can get quite large. It's not something you want to run more than a few hours (during which times your bandwidth is at peak usage). You will also need to know how to analyze this captured data, although if it's something obvious, it shouldn't be hard to sift out.

Net Probe is easier and can run all the time, but as I said before, I don't know what their trial is like. I'm sure there are many other free ones available, just try a few and see what works. If you want something to run in the background, then you're going to have to limit your search to network monitoring services. Those might be a little more difficult to find for free.

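Added example (not written by any poster in this thread): once a capture has been saved in classic pcap format, sifting it for the source of download volume can be scripted. The script below totals inbound bytes per LAN host and remote address; the 192.168.1.0/24 subnet, the sample addresses and the function names are assumptions, and the capture is assumed to come from a point that sees all traffic to the router.

```python
import ipaddress
import struct
from collections import Counter

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: the office subnet

def top_downloads(pcap, lan=LAN):
    """Sum on-wire bytes of inbound IPv4 frames per (LAN host, remote host)."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        e = "<"          # little-endian capture file
    elif magic == b"\xa1\xb2\xc3\xd4":
        e = ">"          # big-endian capture file
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(e + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    totals, off = Counter(), 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl, wire = struct.unpack(e + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue     # not plain IPv4 (VLAN-tagged and IPv6 frames skipped)
        src = ipaddress.ip_address(frame[26:30])
        dst = ipaddress.ip_address(frame[30:34])
        if dst in lan and src not in lan:
            # wire = original length, correct even if the capture truncated frames
            totals[(str(dst), str(src))] += wire
    return totals.most_common()

# Constructed sample: (source, destination, on-wire frame length in bytes)
SAMPLE = [
    ("203.0.113.10", "192.168.1.2", 1514),   # download to the server
    ("203.0.113.10", "192.168.1.2", 1514),
    ("192.168.1.2", "203.0.113.10", 60),     # upload, not counted
    ("198.51.100.7", "192.168.1.11", 590),   # download to a PC
    ("192.168.1.11", "192.168.1.2", 1514),   # LAN-internal, not counted
]

def build_sample():
    """Build a small pcap in memory holding only Ethernet+IPv4 headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)
    for src, dst, wire in SAMPLE:
        ip = (b"\x45\x00" + struct.pack(">H", wire - 14) + b"\x00" * 8
              + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), wire) + frame
    return out

if __name__ == "__main__":
    for (host, remote), n in top_downloads(build_sample()):
        print(f"{host:<15} <- {remote:<15} {n} bytes")
```

For a real capture, pass the file's bytes to `top_downloads` instead of `build_sample()`; the pair at the top of the list is the LAN host and remote address responsible for most of the download volume.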
Old 04-17-08, 03:30 PM   #6
CGR
 
If the switch is managed you should be able to see what ports have the most traffic to help identify what device is doing the downloading.

Old 04-17-08, 06:57 PM Thread Starter   #7
xpwj
 
Well, I checked the WRT54G router that acts as the firewall just before going to the ISP modem. I checked the log file in the WRT54G and don't see any special or unusual IPs. At first the ISP suggested maybe someone was constantly watching YouTube while at work, but I only see a YouTube address popping up once in the whole week, so that's not it either. Strangely, the usage went down to 148 just the day before yesterday and 98 yesterday. Again, I have no idea why it just suddenly went down...
Old 04-17-08, 11:02 PM   #8
TempliNocturnus
 
Quote, originally posted by Jon:
"Wireshark is for traffic capturing and can be on any system that has access to a port on your network. You set it to target the port and it will capture promiscuously. Downside is that the more traffic there is, the more you have to sift through and the capture files can get quite large. It's not something you want to run more than a few hours (during which times your bandwidth is at peak usage). You will also need to know how to analyze this captured data, although if it's something obvious, it shouldn't be hard to sift out.

"Net Probe is easier and can run all the time, but as I said before, I don't know what their trial is like. I'm sure there are many other free ones available, just try a few and see what works. If you want something to run in the background, then you're going to have to limit your search to network monitoring services. Those might be a little more difficult to find for free."

If I'm not mistaken, if you use a program like Wireshark or Ethereal on a computer on a switch, you're only going to capture broadcasts and inbound traffic on that port. You'll need a hub on the switch's uplink to the router if you want to capture all traffic.
Old 04-18-08, 02:24 AM   #9
El<(')>Maxi
 
Windows Update is a possibility. Many offices use WSUS for this very reason.

Old 04-18-08, 02:59 PM Thread Starter   #10
xpwj
 
Maxi! I'm gonna try disabling Windows Update on all client machines and the server and monitor for a few days!! Thanks!!
Old 04-18-08, 03:11 PM   #11
gangaskan

 
 
But to do it every day for how long? Kinda iffy that it's updates to me. I'm not leaving it out, but most people do them at 3AM; I usually do at work because no one is there.

Old 04-18-08, 03:13 PM   #12
CGR
 
Quote, originally posted by TempliNocturnus:
"If I'm not mistaken, if you use a program like wireshark or ethereal on a computer on a switch, you're only going to capture broadcasts, and inbound traffic on that port. You'll need a hub on the switches uplink to the router, if you want to capture all traffic."

Managed switches usually allow you to set up a monitoring port, which has all traffic sent to it for just this purpose. You only get it on higher-level switches, though.
