Thread: perfmon shows current bandwidth maxed out

  1. #1

    perfmon shows current bandwidth maxed out

    Hello all,
    This may be the wrong place to post this and if so let me know and I'll delete and move it to another area if you can point me in the right direction. Here's my issue: I have a late model, but still fairly robust Dell PowerEdge running Svr 2K. It's fully patched, has the latest anti-virus defs, and in fact is the machine I'm using for my LiveUpdate server. I kept seeing my firewall and my Packeteer getting slammed with traffic from the server's address, so after combing over the machine to check if it was compromised somehow and finding nothing, I started looking at the NIC properties. Everything looks normal. But perfmon shows the current bandwidth maxed out. Packets in and out seem to be about average, right around what I would consider normal for a machine that is functioning as my backup host and virus def provider for the network. Netstat and net use are showing no TCP or UDP connections that I don't know about. I can see the connections out to Symantec and Microsoft for the updates, but still this machine keeps hammering away at my firewall and packet shaper from the inside. Can anyone recommend a good tool for finding out exactly why it's doing this, or could I just have a faulty NIC that has finally started to fall apart? Thanks in advance for any help or clever ideas.

  2. #2
    Senior Member kr5kernel
    Join Date
    Mar 2004
    Posts
    347
    can you run a packet sniffer like Ethereal and see what exactly it is spewing out?
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Yep. Use a sniffer... That'll tell you exactly what kind of traffic it is...

    Sidenote: If somebody "owns" your server none of the tools (like netstat and nbtstat) on that machine are to be trusted.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Thanks to both of you. Ethereal (my first time using it by the way...great stuff) showed a UDP connection with another machine on my network. Now I just have to wander around campus until I can find where it's at.

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    a bad nic can cause a packet storm. replace the nic card and if you still have the problem use a sniffer.

    there is a linux bootable cd called audit. it has ethereal and another program called etherape on it. etherape is a visual protocol analyser that shows what is coming from where and how much of it. i like the cd because it does not require the installation of anything. just put the cd in the drawer and reboot the computer (not the one in question though). the cd has a multitude of other forensic tools as well. you will not be sorry if you get it.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  6. #6
    would anyone happen to have a link to an ISO for the cd? i found the other computer and brought it back to my office and i'm going over it now to try and find why it was bouncing connections back and forth to the server. (big amounts of data by the way. a ten second capture in ethereal yielded an almost 8 MB file). The server itself, while no longer showing a constant connection to the computer in question, is still showing its current bandwidth as maxed out and it's still beating the hell out of my firewall and packeteer. i can't bring down the server to replace the NIC just yet so i want to try and look at other solutions to the problem. would it be useful if i posted a snippet of the capture files (with the IPs blanked out, of course) just so i can get another opinion on if i am reading this right?

  7. #7
    Senior Member kr5kernel
    Join Date
    Mar 2004
    Posts
    347
    sure thing. But if the machine is off that was smackin your server, and the server is still pounding the firewall perhaps the packet storm from a broken nic is a little more feasible.

    Here is Auditor
    http://new.remote-exploit.org/index.php/Auditor_main

  8. #8
    Thanks, I'm going to download it and check it out. In what I think proved to be a resolution to my problem, I paid a bit closer attention to the log from Ethereal and noticed the port the traffic was coming across. Symantec System Center uses that port for pushing updates and pulling update status from remote clients. After I deleted the entry for the offending party out of System Center's console, the bashing stopped. The client computer only had about 20MB of disk space left and what I'm assuming was going on was that SSC was trying to push all the backlogged updates out to the client and was getting everything thrown right back. Sound plausible? Regardless, the trash on the network seems to have cleared up. I really appreciate such a helpful welcome to A.O. Hope I can return the favor as I get a bit smarter.
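The diagnosis in #4 and #8 came down to reading a sniffer capture for the busiest host pair and the port it was using. As an added example (not from this thread), the script below does that aggregation over a one-line-per-packet text export; the capture lines, addresses and the port 5555 are constructed stand-ins, not the poster's real data.

```python
"""Rank conversations in a packet-summary text export by byte volume."""
import re
from collections import defaultdict

# Constructed sample in the shape "time src -> dst proto sport dport bytes".
# 10.0.0.5 stands in for the server, 10.0.0.77 for the starved client;
# 5555 is a made-up management port, not the real Symantec one.
SAMPLE_CAPTURE = """\
0.000 10.0.0.5 -> 10.0.0.77 UDP 38293 5555 1472
0.001 10.0.0.77 -> 10.0.0.5 UDP 5555 38293 1472
0.002 10.0.0.5 -> 10.0.0.77 UDP 38293 5555 1472
0.003 10.0.0.77 -> 10.0.0.5 UDP 5555 38293 1472
0.500 10.0.0.5 -> 10.0.0.9 TCP 445 1034 212
1.200 10.0.0.5 -> 198.51.100.10 TCP 1050 80 540
"""

LINE_RE = re.compile(
    r"^(?P<t>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<len>\d+)$"
)

def parse_capture(text):
    """Yield one dict per well-formed packet line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            yield {"t": float(d["t"]), "src": d["src"], "dst": d["dst"],
                   "proto": d["proto"], "sport": int(d["sport"]),
                   "dport": int(d["dport"]), "len": int(d["len"])}

def conversations(text):
    """Bytes and packets per (host pair, proto, service port), busiest first.

    Both directions of a pair are merged; the service port is taken as the
    lower of the two, the usual heuristic for fixed listener vs ephemeral port.
    """
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0})
    for p in parse_capture(text):
        key = (tuple(sorted((p["src"], p["dst"]))), p["proto"],
               min(p["sport"], p["dport"]))
        totals[key]["bytes"] += p["len"]
        totals[key]["packets"] += 1
    return sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True)

def top_talker(text):
    """Return (hosts, proto, port, bytes, Mbit/s over the capture span) or None."""
    pkts = list(parse_capture(text))
    if not pkts:
        return None
    span = (max(p["t"] for p in pkts) - min(p["t"] for p in pkts)) or 1.0
    (hosts, proto, port), stats = conversations(text)[0]
    return hosts, proto, port, stats["bytes"], stats["bytes"] * 8 / span / 1e6
```

The port in the top entry is what you then look up against the services you run (System Center in this thread) before suspecting hardware.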
