Screaming 4 billion packets


Jaime

I have a small LAN at home. Gateway to the Internet is
WinXP Home, workstation is a WinXP PRO (Laptop). When the
laptop is connected to the internet, through my gateway, I
monitor (View Network Connection) the LAN connection and
it screams approximately 4 billion packets every other
second, therefore I have a slow connection. If I kill DHCP
Client it kills all connections. If I do a Ctrl+Alt+Del
and view the Windows Task Manager, I see a svchost.exe
using approximately 16MB of memory. I took a chance and
killed it. It worked. The screaming stopped and I could
still surf the web. I matched the PID
using "tasklist /svc" and found the following services
running:
AudioSrv, BITS, Browser, CryptSvc, Dhcp, dmserver, ERSvc,
EventSystem, FastUserSwitchingCompatability, helpsvc,
HidSvc, lanmanserver, lanmanworkstation, Netman, Nla,
RasMan, Schedule, seclogon, SENS, ShellHWDetection,
TapiSrv, TermService, Themes, TrkWks, uploadmgr, W32Time,
winmgmt, WmdmPmSp, wuauserv, WZCSVC
Which one is causing the 4bill packets and why? Can I kill
any of these and do I need all of these for a simple home
network?

Thanks,
Jaime
 

Spybot www.spybot.com or Ad-Aware www.lavasoft.de for spyware/malware
removal.

Q
 
4 billion packets seems a little unlikely. You may need to turn off the
tray icon for your Internet Gateway connection.
 
I have tried Ad-Aware and it cleaned out a few things, but
nothing significant. And yes it is 4 billion packets. The
internet gateway icon in the tray is fine, it's the LAN
icon that is screaming. It does slow my internet
connection and sometimes I have to refresh my page in
order to get it. And as for the tray icons. Gateway will
have 20k max after a full day of surfing the web, but the
LAN icon flies at 4 billion and change every other second.
It's one of the services under the svchost.exe but I don't
know which one. Thanks for the replies that you sent.

Jaime
 
Try to install a sniffer, there is this free Colasoft
evaluation sniffer, it will capture everything that goes in
the network, and you will be able to recognize (it will do
the dirty job) the traffic frames. I just found out in my
cable modem (RoadRunner) a bunch of frames using 100% of the
cable modem time, 24/7 traffic. It is amazingly high
traffic that slows down internet. The frame in question is
ARP, that means somebody is requesting some specific IP in
the network, if existent, to answer its MAC (NIC hardware)
address. This happens when somebody has the IP but not the
MAC address, and MAC address is necessary to transfer data,
this is the most basic hardware-level protocol. When you turn
on a computer in the network, it should be identified, so
ARP is issued to fill in the tables at the server, or
gateway, or whatever should hold the table of IPs vs MACs. It
means, ARP should NOT be constantly flowing in my network,
so I called my RoadRunner tech sup, and told them that the ARP
frames contain as "source" my gateway IP address, it means,
my cable modem IP. They told me that it can't be
controlled, since it is the "blaster worm" flowing all over
the network, and trying constantly to find out some IP in my
local home network that could answer the MAC and then it
would try a specific attack port address for that MAC/IP.
Ok, I had to swallow that explanation. They asked me to keep
the firewall up at all times. Instead of that, I went to BestBuy
and bought a wireless switch/router with included firewall,
tossed out the small and dumb ethernet hub I had installed
here. Now, the heavy traffic is still between the modem and
the d-link router, but the network itself is clean. Data
traffic between the network computers came back to be fast
and easy. For the internet access, well, still messed up by the
ARP frames traffic, but according to RoadRunner tech sup, it
should return to normal as soon as the worm quiets down...
when? probably when they grow a few brains and change my
sub-mask from 1024 to only 4 IP addresses... I told them.
As usual, nothing soon to expect. I blocked things on my side,
at my cost, problem still in the modem side.

wagner.
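
Added example, not part of the original post: one way to check captured frames for the pattern described above, a single source sending ARP requests for many different addresses. The frames, the 10.0.0.x addresses, the MAC values and the `min_targets` threshold are all constructed for illustration.

```python
import struct
from collections import defaultdict

ETH_ARP = 0x0806  # EtherType for ARP

def build_arp_request(src_mac, src_ip, target_ip):
    """Constructed sample data: broadcast Ethernet frame carrying an ARP who-has."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, opcode 1 (request)
    return eth + arp + src_mac + bytes(src_ip) + b"\x00" * 6 + bytes(target_ip)

def parse_arp(frame):
    """Return (opcode, sender_ip, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_ip = ".".join(map(str, frame[28:32]))  # sender protocol address
    target_ip = ".".join(map(str, frame[38:42]))  # target protocol address
    return op, sender_ip, target_ip

def arp_sweep_sources(frames, min_targets=8):
    """Map sender IP -> count of distinct IPs it asked for, if at least min_targets."""
    targets = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == 1:  # requests only, replies are ignored
            targets[parsed[1]].add(parsed[2])
    return {ip: len(t) for ip, t in targets.items() if len(t) >= min_targets}

# Constructed capture: the gateway address asks for 40 different hosts,
# while an ordinary PC only resolves its gateway (repeated three times).
GW_MAC = bytes.fromhex("020000000001")
PC_MAC = bytes.fromhex("020000000005")
SAMPLE = [build_arp_request(GW_MAC, (10, 0, 0, 1), (10, 0, 0, n)) for n in range(2, 42)]
SAMPLE += [build_arp_request(PC_MAC, (10, 0, 0, 5), (10, 0, 0, 1))] * 3
SAMPLE.append(b"\xff" * 12 + b"\x08\x00" + b"\x00" * 40)  # IPv4 frame, skipped
SAMPLE.append(b"\x00" * 20)                               # truncated frame, skipped

if __name__ == "__main__":
    for ip, count in arp_sweep_sources(SAMPLE).items():
        print(f"{ip} sent ARP requests for {count} distinct addresses")
```

Counting distinct targets rather than raw frames keeps a host that simply re-resolves its gateway from being flagged.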
 
My point was that having the Internet Gateway icon in the tray can cause a
lot of traffic on the LAN, try removing it.
 