Constant network transfers, can't tell what it is
Anyone know a sniffer program or other way within WinXP to tell what data transfers are due to? after reinstalling all wireless related software now i see constant transfers at 2-5 packets/second received and 1 packet/minute sent. no idea what it is from. windows update shouldn't be downloading anything, system update is not scheduled to run, and nothing else is open. i ran Avira Antivirus and the next step is to run a spyware scan.
now: X61, T42p
before: 600E, T23, X20, T40, X40, X31, T60
FS: Travel Bezel, 100GB drive (OEM Lenovo)
ok this is really bizarre. in Network Connections, there is a connection "Internet Connection" in group Internet Gateway.
i've never seen this on any other computer. if i go through network setup wizard it asks me if i want to connect through the "internet sharing device". if i disable this connection, the wireless card is still connected but cannot get internet traffic and my OTHER computer on the network cannot get internet traffic. however if this computer or the wireless card is completely shut off, and the "internet connection" disappears, the other computer still gets internet.
i see a bunch of packets in wireshark but i don't know what they mean. most of it is between this computer and the router with a few packages from this computer to does this sound like malware?
now: X61, T42p
before: 600E, T23, X20, T40, X40, X31, T60
FS: Travel Bezel, 100GB drive (OEM Lenovo)
it's the router as it's your "Internet Connection." You have uPnP turned on and you can manage its firewall and other ports thru that icon. Just right click and choose properties.
Disabling your internet turns off the WAN port on the router.
You could install some programs like Zonealarm or something but basically any firewall that blocks outgoing traffic. With that it would then prompt you to allow it and you'd see the program name and ip it's going to and all that.
Current - Thinkpad T410si - Core i3 330m, 4GB, 250GB 5400RPM, WXGA+, FPR, BT, Camera, DVDRW, Gobi2000, Win7 Pro x32
Past - Thinkpad T410 - T400 - T61 - T60 - T43 - T42 - T41 - T40 - T23 - 600X
oh i didn't know exactly what uPnP was but at least i thought it wasn't installed by default. i'm installing adaware, spybot, and symantec firewall now, will see what they say.
now: X61, T42p
before: 600E, T23, X20, T40, X40, X31, T60
FS: Travel Bezel, 100GB drive (OEM Lenovo)
how do i turn off uPnP?
now: X61, T42p
before: 600E, T23, X20, T40, X40, X31, T60
FS: Travel Bezel, 100GB drive (OEM Lenovo)
you gotta go in the admin menu (administration page from Linksys or others) and then turn it off. Why would you though? Lots of programs use it so you can communicate with the outside world and share files easier.
Current - Thinkpad T410si - Core i3 330m, 4GB, 250GB 5400RPM, WXGA+, FPR, BT, Camera, DVDRW, Gobi2000, Win7 Pro x32
Past - Thinkpad T410 - T400 - T61 - T60 - T43 - T42 - T41 - T40 - T23 - 600X
i mean turn it off on my computer, i've never had it enabled on other computers before. i went ahead and disabled it on the router. prob not the issue though because ...
i think i've found the culprit. on our router there is a port forwarding rule set to the IP this computer is using:
"utorrent - TCP Any -> 21889"
i don't torrent but my impression is that torrenters from around the world are trying to ping this computer to see what files it's hosting. i don't know who is messing with our router, it's def not one of my roommates because they don't even know how to log in.
there are also a ton of rules forwarding to other IP addresses within our local net with something like the following:
"msmsgs (192.168.1.8:13115) 39922 TCP - TCP Any -> 39922"
does this look like someone is sitting outside our house misusing our internet connection? do i need to secure our router better? do i need to worry about all those bits that have been already sent to this computer from torrenters or are they automatically trashed
now: X61, T42p
before: 600E, T23, X20, T40, X40, X31, T60
FS: Travel Bezel, 100GB drive (OEM Lenovo)
Regarding turning off uPnP, if I remember correctly you go to Control Panel -> Add/Remove Software -> Remove Windows Components (or something like that) and there should be an option for uPnP. Also you can go into services and disable it.
W510: i7-820QM / 8GB 1066 RAM/ 1 GB NVIDIA Quadro FX 880M / 500GB 7200rpm / 15.6" HD 1080 / Arch Linux
davidspalding
bri wrote: Anyone know a sniffer program or other way within WinXP to tell what data transfers are due to?
I've had to surveil this several times. At one time or another, I've found WUAU (Windows Update Automatic Updates) the culprit. I've had other things hogging CPU cycles and slowing my system.
In the last couple of years, I've used SysInternals' Process Explorer, which is a pumped up, marvelous alternative (or replacement) for Task Manager. It will identify exactly what is doing what at any given time. Very easy to pinpoint background services using 38% of resources in the background.
Also, ensure you don't have content indexing turned on for any network shared drives.
2668-75U T43, 2GB RAM, 2nd hand NMB kybd, Dock II, spare Mini-Dock, and spare Port Replicators. Wacom BT tablet. Ultrabay 2nd HDD.
2672-KBU X32, 1.5GB RAM, 7200 rpm TravelStar HDD.
bri wrote: does this look like someone is sitting outside our house misusing our internet connection? do i need to secure our router better? do i need to worry about all those bits that have been already sent to this computer from torrenters or are they automatically trashed
I've done a bit of P2P sharing to check it out, and I would offer these questions:
1.) What security do you have on the router?
2.) Just how secure is your password?
I would consider a really tough mix of characters and numbers as a new password (for God's sakes write it down) and change it.
Example: 1Gh7wx92Mz2
The less sense and bigger mix, the longer to crack with software. Simple word or phrase passwords can be hacked in minutes.
Disable all torrent related options, and lock down access if you are concerned.
As far as someone pinging your computer to see what files you have, anything is possible, but most torrent software requires a target folder to share files. Anything outside that folder is supposedly not accessible to the software.
As far as the ton of:
"msmsgs (192.168.1.8:13115) 39922 TCP - TCP Any -> 39922"
is concerned, this is a record of all sharing activity. The computer with the IP of 192.168.1.8 used port 39922 to share file packets.
If you have dedicated IPs in your network (my advice is to spend the time and do this) you can easily go to IP #8 and see what's going on.
My network has locked out IPs except for the dedicated ones and a few open ones for visitors. My intent is to eventually require a login for access to the internet and network like found in most WiFi equipped hotels.
Joe
Common sense to some of us is unfortunately the higher education others strive to attain.
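An added example, not part of any post in this thread: a small Python audit of a router's port-forward list in the two shapes quoted above, grouping the rules by the internal host they point at and flagging hosts that are missing from a known-device list. The field meanings (internal IP:port in parentheses, external port after `->`), the extra sample lines and the device inventory are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed layout, inferred from the two rule strings quoted in the thread:
#   <app> [(<internal ip>:<internal port>) <port> <proto>] - <proto> Any -> <external port>
RULE_RE = re.compile(
    r"^(?P<app>\S+)\s+"
    r"(?:\((?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\)\s+\d+\s+\w+\s+)?"
    r"-\s+(?P<proto>TCP|UDP)\s+Any\s+->\s+(?P<ext>\d+)$"
)
# Constructed sample: the first two lines are the ones quoted in the thread, the
# rest are made up in the same shape (the last one is deliberately malformed).
SAMPLE_RULES = """\
utorrent - TCP Any -> 21889
msmsgs (192.168.1.8:13115) 39922 TCP - TCP Any -> 39922
msmsgs (192.168.1.8:9380) 39923 UDP - UDP Any -> 39923
msmsgs (192.168.1.23:7001) 40110 TCP - TCP Any -> 40110
some rule the parser does not understand
"""
# Constructed inventory of devices the household recognises (hypothetical name).
KNOWN_HOSTS = {"192.168.1.8": "roommate-desktop"}

def parse_rules(text):
    """Return (parsed rules, lines that did not match the assumed layout)."""
    rules, rejected = [], []
    for line in (l.strip().strip('"') for l in text.splitlines() if l.strip()):
        m = RULE_RE.match(line)
        if m is None:
            rejected.append(line)  # never silently drop a rule we cannot read
            continue
        rules.append({"app": m["app"], "host": m["ip"],
                      "proto": m["proto"], "ext_port": int(m["ext"])})
    return rules, rejected

def audit(rules, inventory):
    """Group forwards by internal host and label each host against the inventory."""
    by_host = defaultdict(list)
    for r in rules:
        by_host[r["host"] or "?"].append(f'{r["app"]}/{r["proto"]}/{r["ext_port"]}')
    return {h: ("no-host-recorded" if h == "?" else inventory.get(h, "UNKNOWN-HOST"),
                sorted(fwd)) for h, fwd in by_host.items()}

if __name__ == "__main__":
    parsed, unreadable = parse_rules(SAMPLE_RULES)
    for host, (status, forwards) in sorted(audit(parsed, KNOWN_HOSTS).items()):
        print(host, status, forwards)
    print("unparsed:", unreadable)
```

A host labelled UNKNOWN-HOST is the one to trace to a physical machine first; a rule with no host recorded needs the router's own address column to place it.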
bri wrote: how do i turn off uPnP?
I turn this off on all my computers running XP. Go to Control Panel -> Performance and Maintenance (or Administrative Tools depending on your setup) -> Services -> Scroll down to Universal Plug and Play -> select "Disable" or "Manual." You can reboot or just stop it from there.
I've never run into any programs that ask for me to turn this service on, but use disable at your own risk of course.
Andy
Current Thinkpads: 600E, 600X, 701C, A31 (Flexview), R51 (Flexview), R60, T42P (Flexview), TR50E, T60 (Flexview), X61s (Ultralight), Z61m (Ti) Non-Thinkpad: Toshiba 100ct
RealBlackStuff
My upnp has been disabled for at least 3 years. Never a problem.
Lovely day for a Guinness! (The Real Black Stuff)
Check out The Boardroom for Parts, Mods and Other Services.
joester: my concern was more along the lines of someone logging in remotely to the router because we're in a house and the signal barely goes beyond our property (though i guess it would be possible with a good card). that has been debunked though because i found that remote log-in is disabled. i'm still puzzled by how those firewall rules were entered though. i don't understand what you said about the msmsgs entries being records of sharing activity; those were in the firewall rule set, not a log. i guess the best thing would still be to change the wireless security to WPA from WEP but it's going to be a pain to coordinate with all my roommates.
now: X61, T42p
before: 600E, T23, X20, T40, X40, X31, T60
FS: Travel Bezel, 100GB drive (OEM Lenovo)