NIC always stays on...how to track traffic in Windows 2003


Thomas

Hi,

I have a W2K3 server that has a NIC that is always on (meaning data are
being transferred). Double clicking the NIC, I see the received and sent
packet counter keeps increasing every second.

Is there any way in Windows natively to track what program or services are
sending those packets? I'm using the Performance counter right now, but it
doesn't tell me much.

TIA

Tom
 
Hello,

You can install and run the network Monitor tool (included in 2003 setup
cd). This tool can be installed through Add remove programs -> add remove
windows components. This tool will capture all the network traffic leaving
and coming to your machine including ip addresses, ports and type of data
that is flowing.

When you run network monitor tool for the first time, it will ask you for
the interface on which it should be run. Choose your Local Area Connection on
which you are seeing the network activity. Also increase the buffer size from
the capture menu to at least 5 megs. Run the trace for about 5 minutes and
then stop and view the capture. It will list all network traffic originating
and coming to your machine.

If you need further help in reading the traces, please let me know.

Regards,
Ajay Prakash
 
Hi Ajay,

Thanks for the help. I captured the Monitor log and saved it. After
viewing the log, I still can't decipher if my server is sending legitimate
traffic. If it's possible, you think I could email you the capture file?

Please email me at (e-mail address removed) if you think you can help me out.
Thanks.

Tom
 
Hello Thomas,

I could certainly have a look at the netmon trace. Please mail the capture
file to (e-mail address removed). Also please mention the ip address of the machine
on which this trace was taken, along with the roles of this machine i.e. DC,
DNS, DHCP etc.

I will let you know if I come across anything unusual.

Regards,
Ajay Prakash
 
Hi Andrei

I used netstat -na and found out there are some connections to external IPs
that use port 25. The state was ESTABLISHED. I'm running IIS SMTP server
(for sending out emails from our software) on the box, does that mean my
SMTP is making connections to remote email servers?

Tom
 
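An added example, not from any poster in this thread: `netstat -na` shows the connections but not their owner, while `netstat -nao` adds the owning PID and `tasklist /svc` maps each PID to its image and hosted services. The script below parses constructed sample output of both commands and reports every ESTABLISHED connection to remote port 25 with its owning process, marking it as expected when the owner hosts the IIS SMTP service (SMTPSVC, which runs inside inetinfo.exe on Windows 2003); the sample IPs, PIDs and the unknownapp.exe process are constructed.

```python
import re

# Constructed sample output of `netstat -nao` (the -o column is the owning PID).
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1452
  TCP    192.168.1.10:1092      203.0.113.7:25         ESTABLISHED     1452
  TCP    192.168.1.10:1093      198.51.100.20:25       ESTABLISHED     2208
  TCP    192.168.1.10:3389      192.168.1.55:1471      ESTABLISHED     820
  UDP    0.0.0.0:500            *:*                                    652
"""

# Constructed sample output of `tasklist /svc` for the same host.
TASKLIST_OUTPUT = """\
Image Name                   PID Services
========================= ====== =====================
inetinfo.exe                1452 IISADMIN, SMTPSVC
unknownapp.exe              2208 N/A
svchost.exe                  820 TermService
"""


def parse_tasklist(text):
    """Map PID -> (image name, list of services hosted in that process)."""
    procs = {}
    for line in text.splitlines()[2:]:  # skip the two header lines
        m = re.match(r"(\S+)\s+(\d+)\s+(.*)$", line.strip())
        if m:
            services = [s.strip() for s in m.group(3).split(",")]
            procs[int(m.group(2))] = (m.group(1), services)
    return procs


def outbound_connections(netstat_text, procs, remote_port=25):
    """Return ESTABLISHED TCP connections to remote_port with their owning process."""
    results = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # Only TCP rows have five columns (proto, local, foreign, state, pid).
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "ESTABLISHED":
            continue
        remote_ip, rport = parts[2].rsplit(":", 1)
        if int(rport) != remote_port:
            continue
        pid = int(parts[4])
        image, services = procs.get(pid, ("<unknown>", []))
        # The IIS SMTP service is the one process expected to talk to port 25.
        results.append({"remote": remote_ip, "pid": pid, "image": image,
                        "expected": "SMTPSVC" in services})
    return results


if __name__ == "__main__":
    for conn in outbound_connections(NETSTAT_OUTPUT, parse_tasklist(TASKLIST_OUTPUT)):
        flag = "expected (IIS SMTP)" if conn["expected"] else "INVESTIGATE"
        print(f"{conn['remote']:16} pid={conn['pid']:<6} {conn['image']:16} {flag}")
```

Any port 25 connection owned by a process other than the one hosting SMTPSVC is the thing to look at next, since the SMTP service itself only accounts for its own deliveries.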