Results 1 to 8 of 8

Thread: Help identifying traffic

  1. #1
    Junior Member
    Join Date
    Jan 2002
    Posts
    11

    Cool Help identifying traffic

    Not exactly a security matter but I have tried other forums with no luck -

    My problem - identifying traffic bringing up router

    I can't get DSL or Cable modem in my area, so have ISDN. ISDN account is for 200hrs. / mo.
    and $.50 / hr. over.

    My first eight months were uneventful but about three months ago my router started coming
    up by itself and staying up even though I am not running anything that I think would / should
    bring up the connection - costing me a boat load of extra $$ and I don't want to have to shut off the router all of the time.

    During the first eight months I started leaving my machines on all of the time more and more
    and increasing the router timeout eventually bringing it to 6 hours to avoid excessive connection charges from telco. When I started seeing this problem I started sniffing the network and bringing the timeout down, now currently at 15 min. but connection stays up anyway. Sometimes I telnet to router, bring down the connection and watch it come back up within seconds by itself.

    My setup - 1 Mac OS9.X, 1 W2K Advanced Server, 1 XP Home Ed.,
    1 Redhat 7.3, 1 FreeBSD 4.7, 1 Smoothwall FW & Netopia ISDN router, 3Com 10/100 hub.

    My question - I am using Analyzer on the W2K box and I have tried sniffing for different combinations of traffic like Mac layer - all traffic, Network layer - IP traffic, Transport layer - TCP and UDP traffic and Application layer - NetBios traffic. I have found some things that may have been a problem and made a couple of rules in my FW to block outbound NetBios and turned off WINS at the W2K server but am still having the problem. And Analyzer has a timestamp problem that makes it hard to correlate events!

    Can anyone give me a tip on what to sniff for or anyone have any insightful wisdom to share???????

  2. #2
    We had this sort of problem at a clients place where they connected using a zyxel isdn router. The problem seems to be that windows boxes generate network traffic when you click on the start menu. Well not quite but you get my drift . We were unable to resolve it but I had installed a redhat email server already so I just installed squid - a http proxy. I was then able to remove the routers ip address as a gateway on the windows boxes & put the redhat boxes ip in the IE proxy settings. Now the only time the link comes up is when they surf - the way it should have been in the first place. I know that probably doesnt help you but it might give you a couple of ideas.

  3. #3
    Junior Member
    Join Date
    Jan 2002
    Posts
    11
    Thanks, The Smoothwall FW I referenced in my post is a Linux based firewall with
    http proxy - my internal machines don't use the router as the default gateway, rather
    the internal address of the firewall.

    I don't think the problem is related to http traffic though, and I guess I could block
    a bunch of outbound traffic but that would break my ability to do lots of other things.
    I'm trying to pinpoint just the right traffic that is bringing up the connection.

  4. #4
    I recently set up an XP machine and this machine is constanly checking MS for updates.
    Also the new Norton is also checking Symantec for upgrades.

    Personally I think its the XP machine.

    I would try and unplug everything and then reconnect one at a time to narrow down the culprit.

    Good luck

    GG

  5. #5
    Junior Member
    Join Date
    Jan 2002
    Posts
    11
    I thought it was the XP machine as well but have at times turned it off for days at a time
    and still have the problem. I know what you are saying about the machine checking MS
    for updates & I have turned off the automatic updates in the control panel and the service is disabled on both the 2K & XP machines. I do use NAV, anybody know what port(s) that connects on?

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    I've found that unwanted dial-outs are often Windows boxes trying to do DNS lookups to find their domain controller. If you block outgoing netbios (a reasonable precaution), it won't stop them doing DNS lookups.

    Do you have an internal DNS? If so, set it up as a primary for your internal domain (make one up, like .myhouse or something), and point all the other hosts at it. Set the Windows domain name for any Windows (& Windows-like) machine to be that domain (.myhouse or whatever).

    If you don't have an internal DNS, it may be sensible to set one up. However you need a box that's always on. The Linux or Windows server boxes will do nicely provided they're always on and not the same box dual booting

    If they Windows boxes do keep doing random DNS requests, the internal DNS should eventually cache them and decrease the number of unwanted dial-outs.

  7. #7
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    At one point windows 2000 machines were set to automatically register them selves with reverse dns servers on the internet, so that there would be an in-addr.arpa record for them with the IP address. This was a major problem for the in-addr.arpa servers on the internet, as they were getting tons of registrations for non-routable ip's, i.e. 172.16 192.168, etc.

    I think this was fixed with one of the service packs or patches for windows 2000, but I am not sure. That may very well be what your issue is though, because the windows 2000 machine will attempt to connect to the root dns servers for in-addr.arpa which would be outside your local network, and that would cause your router to fire up again.

    I do not know if windows XP does this or not.
    <edit>

    It was not fixed with a patch it looks like. here is a link to help you out if this is indeed your problem.

    http://support.microsoft.com/default...;en-us;q259922

    </edit>

  8. #8
    Junior Member
    Join Date
    Dec 2002
    Posts
    1
    Hi
    how are you hope this help , we had the same senario but in my company our routers are mostly cisco and in one of the branches ther was the same proplem and to solve it
    i created an "access-list" wear i have defined intresting trafic to bring the interface up
    and applied that on the isdn interface , i know this works on cisco devices but i have no idea about other venders maybe you can chek your "Netopia ISDN router" Docmunt for somthing simmeler to that , hope this idea help

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •