-
December 11th, 2002, 03:09 PM
#1
Junior Member
Help identifying traffic
Not exactly a security matter but I have tried other forums with no luck -
My problem - identifying traffic bringing up router
I can't get DSL or Cable modem in my area, so have ISDN. ISDN account is for 200hrs. / mo.
and $.50 / hr. over.
My first eight months were uneventful but about three months ago my router started coming
up by itself and staying up even though I am not running anything that I think would / should
bring up the connection - costing me a boat load of extra $$ and I don't want to have to shut off the router all of the time.
During the first eight months I started leaving my machines on all of the time more and more
and increasing the router timeout eventually bringing it to 6 hours to avoid excessive connection charges from telco. When I started seeing this problem I started sniffing the network and bringing the timeout down, now currently at 15 min. but connection stays up anyway. Sometimes I telnet to router, bring down the connection and watch it come back up within seconds by itself.
My setup - 1 Mac OS9.X, 1 W2K Advanced Server, 1 XP Home Ed.,
1 Redhat 7.3, 1 FreeBSD 4.7, 1 Smoothwall FW & Netopia ISDN router, 3Com 10/100 hub.
My question - I am using Analyzer on the W2K box and I have tried sniffing for different combinations of traffic like Mac layer - all traffic, Network layer - IP traffic, Transport layer - TCP and UDP traffic and Application layer - NetBios traffic. I have found some things that may have been a problem and made a couple of rules in my FW to block outbound NetBios and turned off WINS at the W2K server but am still having the problem. And Analyzer has a timestamp problem that makes it hard to correlate events!
Can anyone give me a tip on what to sniff for or anyone have any insightful wisdom to share???????
-
December 11th, 2002, 05:21 PM
#2
Member
We had this sort of problem at a clients place where they connected using a zyxel isdn router. The problem seems to be that windows boxes generate network traffic when you click on the start menu. Well not quite but you get my drift . We were unable to resolve it but I had installed a redhat email server already so I just installed squid - a http proxy. I was then able to remove the routers ip address as a gateway on the windows boxes & put the redhat boxes ip in the IE proxy settings. Now the only time the link comes up is when they surf - the way it should have been in the first place. I know that probably doesnt help you but it might give you a couple of ideas.
-
December 11th, 2002, 07:15 PM
#3
Junior Member
Thanks, The Smoothwall FW I referenced in my post is a Linux based firewall with
http proxy - my internal machines don't use the router as the default gateway, rather
the internal address of the firewall.
I don't think the problem is related to http traffic though, and I guess I could block
a bunch of outbound traffic but that would break my ability to do lots of other things.
I'm trying to pinpoint just the right traffic that is bringing up the connection.
-
December 11th, 2002, 07:42 PM
#4
Banned
I recently set up an XP machine and this machine is constanly checking MS for updates.
Also the new Norton is also checking Symantec for upgrades.
Personally I think its the XP machine.
I would try and unplug everything and then reconnect one at a time to narrow down the culprit.
Good luck
GG
-
December 11th, 2002, 08:37 PM
#5
Junior Member
I thought it was the XP machine as well but have at times turned it off for days at a time
and still have the problem. I know what you are saying about the machine checking MS
for updates & I have turned off the automatic updates in the control panel and the service is disabled on both the 2K & XP machines. I do use NAV, anybody know what port(s) that connects on?
-
December 11th, 2002, 11:44 PM
#6
I've found that unwanted dial-outs are often Windows boxes trying to do DNS lookups to find their domain controller. If you block outgoing netbios (a reasonable precaution), it won't stop them doing DNS lookups.
Do you have an internal DNS? If so, set it up as a primary for your internal domain (make one up, like .myhouse or something), and point all the other hosts at it. Set the Windows domain name for any Windows (& Windows-like) machine to be that domain (.myhouse or whatever).
If you don't have an internal DNS, it may be sensible to set one up. However you need a box that's always on. The Linux or Windows server boxes will do nicely provided they're always on and not the same box dual booting
If they Windows boxes do keep doing random DNS requests, the internal DNS should eventually cache them and decrease the number of unwanted dial-outs.
-
December 12th, 2002, 12:49 AM
#7
At one point windows 2000 machines were set to automatically register them selves with reverse dns servers on the internet, so that there would be an in-addr.arpa record for them with the IP address. This was a major problem for the in-addr.arpa servers on the internet, as they were getting tons of registrations for non-routable ip's, i.e. 172.16 192.168, etc.
I think this was fixed with one of the service packs or patches for windows 2000, but I am not sure. That may very well be what your issue is though, because the windows 2000 machine will attempt to connect to the root dns servers for in-addr.arpa which would be outside your local network, and that would cause your router to fire up again.
I do not know if windows XP does this or not.
<edit>
It was not fixed with a patch it looks like. here is a link to help you out if this is indeed your problem.
http://support.microsoft.com/default...;en-us;q259922
</edit>
-
December 16th, 2002, 02:56 AM
#8
Junior Member
Hi
how are you hope this help , we had the same senario but in my company our routers are mostly cisco and in one of the branches ther was the same proplem and to solve it
i created an "access-list" wear i have defined intresting trafic to bring the interface up
and applied that on the isdn interface , i know this works on cisco devices but i have no idea about other venders maybe you can chek your "Netopia ISDN router" Docmunt for somthing simmeler to that , hope this idea help
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|