Strange, possibly spyware-related, network traffic ...

TomH

I have a standalone WinXP Home system on a Motorola cable modem.
When I click the Network tab in Windows Task Manager, it shows a very low,
but almost continuous 0.01% to 0.02% network utilization rate; this is odd
because there are no processes running that have that network utilization
signature.
I know my system well, and I know there is nothing that has a legitimate
need to send/receive any data packets at all. I've got multiple
anti-trojan/adware/firewall apps --- ZoneAlarm, TCMonitor, BHODemon and
Microsoft AntiSpyWare Beta, they all tell me I have nothing to worry about.
I ran a packet capture app, AnalogX PacketMon, and it didn't capture
anything but I know AnalogX is working because it'll grab packets when I
send HTTP requests to servers.
My question is: Why does Windows Task Manager show continuous network
utilization when packet capture applications draw a complete blank?
 
Gary Humenuk

TomH said:
...but almost continuous 0.01% to 0.02% network utilization rate, this
is odd because there are no processes running that have that network
utilization signature...
My question is: Why does Windows Task Manager show continuous
network utilization when packet capture applications draw a complete
blank?

I can make an educated guess.

The short answer:

The analyzer probably lurks between the driver and the IP layer.
Taskmanager is probably getting its data from the driver.

The longer answer:

Taskmanager is probably reporting the IEEE 802 network maintenance
traffic at the LAN level.

It is this level that cares about your MAC address. A utilization of
0.01% sounds about right. For example, the network interface needs to
know if the network is still alive.

By necessity the last software before the actual interface hardware must
be the custom made driver for that hardware. The driver also cares about
your MAC address. The driver is probably politely informing Taskmanager
as it should.

The next level is usually the IP protocol then the TCP protocol. They
know IP addresses and do not care what any MAC addresses are. IP and TCP
are standardized so a generic packet analyzer (or a firewall, etc.) can
go between IP and the driver, but only a custom made packet analyzer
could go between the driver and the hardware.

Really paranoid users, serious network designers, and maybe CIA agents,
use hardware packet analyzers that plug in between the network card and
the network. NO network traffic can hide from a good hardware analyzer.

(Well, OK I do know how to design a network interface that could hide
traffic from a regular hardware analyzer, but if I told you the CIA
would have to kill your computer.)

Gary Humenuk
Computer addiction? What computer addiction? I can stop any time I ...
umm, Excuse me. My download is finished.
 
Tom H

Gary, thanks a lot for that, it makes sense --- a couple points:

=> Would it be consistent with what you are saying, to say that the only way
to really examine that .01% utilization rate - traffic, would be to tap
directly into the RJ45 (or whatever that exact media is) between my system
and the cable modem, then run the tap to a separate system through that
system's promiscuous-mode LAN card, and thus examine those maintenance data
packets which are (or rather, you suspect are) the cause of this mysterious
.01% traffic?
=> Occasionally, my packet monitor will pick up an exchange between my
system and my upstream's nameserver which contain 'in-addr-arpa' and an IP,
but there is not sufficient number of these exchanges to account for that
volume.
=> My firewall reports an average of up to 5 or 6 netbios probes/scans a
minute (all from different IPs, I know, unbelievable isn't it) Could it be
that TaskMan is somehow including these packets in its calculations?
BTW, you're not the only computer addict, you should visit our
computer-addiction support-group website --- we have meetings online with
IRC, webcams, and a dedicated NNTP server.
 
Gary Humenuk

Tom said:
Gary, thanks a lot for that, it makes sense --- a couple points:

=> Would it be consistent with what you are saying, to say that the only way
to really examine that .01% utilization rate - traffic, would be to tap
directly into the RJ45 (or whatever that exact media is) between my system
and the cable modem, then run the tap to a separate system through that
system's promiscuous-mode LAN card, and thus examine those maintenance data
packets which are (or rather, you suspect are) the cause of this mysterious
.01% traffic?

That is what the hardware analyzer does. What you are describing is a
poor man's network analyzer. To get just your traffic, the other machine
would have to use your MAC address, not respond to any packets for that
MAC address, and record at the network protocol level. I don't know if
that might already be available out there somewhere. It would not
surprise me. It does not actually have to be between you and the
network. It is good enough for it to be plugged into the same hub.

There are a couple of other ways, but they are just as difficult. Like
you could rewrite your NIC driver. (I couldn't, but that's because I'm
lazy.)
=> Occasionally, my packet monitor will pick up an exchange between my
system and my upstream's nameserver which contain 'in-addr-arpa' and an IP,
but there is not sufficient number of these exchanges to account for that
volume.

That's DNS. I don't really know the details about DNS. I think there is
some background maintenance, but I'm not sure.
=> My firewall reports an average of up to 5 or 6 netbios probes/scans a
minute (all from different IPs, I know, unbelievable isn't it) Could it be
that TaskMan is somehow including these packets in its calculations?

It certainly could. Those go straight through the hardware and driver
and are stopped by your firewall. That would imply that your monitor is
sitting between your firewall and your driver.

Did you notice that some of those "Netbios" probes come from computers
somewhere on the other side of the world? We can be pretty sure those
are not just some guy running an old Win 95 machine on your local wan.
BTW, you're not the only computer addict, you should visit our
computer-addiction support-group website --- we have meetings online with
IRC, webcams, and a dedicated NNTP server.

Oh, so many toys, so little time.

This is straying pretty far from the intent of this newsgroup. Perhaps
we will meet in some other group. Computer addiction support group, you
say. Hmmm.

Gary Humenuk
Support computer addiction. Buy your dog a computer. He might let you
borrow it. A cat, on the other hand ...
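A worked illustration of the two points made in Gary's replies above: that Task Manager counts bytes at the adapter (so ARP and other non-IP frames count toward its percentage while an IP-level sniffer never sees them), and that a promiscuous-mode card on the same hub can be filtered down to one station's MAC address to recover just that station's traffic, NetBIOS probes included. This is an added example written for this page, not code from either poster. Every MAC, IP address, the 10 Mbit/s link speed and the one-second window are constructed assumptions, and the frames are built in the script rather than captured.

```python
"""Added example (not from the thread): build a few Ethernet frames, report the
layer at which each first becomes visible, keep only one station's frames the
way a promiscuous NIC on a shared hub would, and turn the byte total into a
Task Manager style link-utilization percentage.  All addresses are made up."""
import struct

# Constructed addresses for the demo (assumptions, not the poster's real ones).
MY_MAC = bytes.fromhex("001122334455")
GW_MAC = bytes.fromhex("66778899aabb")
OTHER_MAC = bytes.fromhex("ccddeeff0011")
BCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6
MY_IP = bytes([192, 168, 100, 10])
DNS_IP = bytes([192, 168, 100, 1])
OTHER_IP = bytes([192, 168, 100, 20])
MIN_FRAME = 60  # smallest Ethernet frame on the wire, not counting the 4-byte FCS


def pad(frame):
    """Pad short frames the way the NIC does before transmission."""
    return frame + b"\x00" * max(0, MIN_FRAME - len(frame))


def udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II / IPv4 / UDP frame; checksums are left at zero (fine for parsing)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     src_ip, dst_ip) + udp
    return pad(dst_mac + src_mac + b"\x08\x00" + ip)


def arp_request(src_mac, src_ip, target_ip):
    """Broadcast ARP 'who has target_ip'; it is handled below the IP layer entirely."""
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + src_mac + src_ip + ZERO_MAC + target_ip
    return pad(BCAST + src_mac + b"\x08\x06" + body)


def dns_query(name, qtype, txid=0x1234):
    """Minimal DNS query message with one question (qtype 12 = PTR)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def dns_question(payload):
    """Return (qname, qtype) of the first question, or None if absent, truncated or compressed."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] == 0:
        return None
    labels, pos = [], 12
    while pos < len(payload):
        n = payload[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0 or pos + n > len(payload):   # compression pointer or cut off
            return None
        labels.append(payload[pos:pos + n].decode("ascii"))
        pos += n
    if pos + 2 > len(payload):
        return None
    return ".".join(labels), struct.unpack("!H", payload[pos:pos + 2])[0]


def classify(frame):
    """Describe one frame: the layer that first sees it and what it carries."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"src": src, "dst": dst, "bytes": len(frame), "layer": "link", "kind": "other-l2"}
    if ethertype == 0x0806:
        info["kind"] = "arp"            # counted by the adapter, invisible to an IP-level sniffer
        return info
    if ethertype != 0x0800:
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    info.update(layer="ip", src_ip=ip[12:16], dst_ip=ip[16:20], kind="ip-proto-%d" % ip[9])
    if ip[9] != 17:
        return info
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    payload = ip[ihl + 8:total_len]     # IP length strips the Ethernet padding
    if 137 in (sport, dport):
        info["kind"] = "netbios-ns"     # the probes the firewall logs
    elif 53 in (sport, dport):
        q = dns_question(payload)
        info["kind"] = "dns-ptr" if q and q[1] == 12 and q[0].endswith(".in-addr.arpa") else "dns"
    else:
        info["kind"] = "udp"
    return info


def station_frames(frames, mac):
    """What a promiscuous NIC on the same hub keeps when filtered on one station's MAC."""
    return [f for f in frames if f[6:12] == mac or f[:6] in (mac, BCAST)]


def utilization_percent(frames, link_bps, seconds):
    """Task Manager's number: bits through the adapter in the window, as % of link speed."""
    return 100.0 * sum(len(f) for f in frames) * 8 / (link_bps * seconds)


def summarize(frames):
    """Count frames by kind."""
    counts = {}
    for f in frames:
        k = classify(f)["kind"]
        counts[k] = counts.get(k, 0) + 1
    return counts


# Constructed one-second capture from a shared hub (not real traffic).
CAPTURE = [
    arp_request(GW_MAC, DNS_IP, MY_IP),                                         # link layer only
    udp_frame(MY_MAC, GW_MAC, MY_IP, DNS_IP, 40000, 53,
              dns_query("10.100.168.192.in-addr.arpa", 12)),                    # reverse lookup
    udp_frame(GW_MAC, MY_MAC, bytes([203, 0, 113, 5]), MY_IP, 137, 137, b"\x00" * 50),
    udp_frame(GW_MAC, MY_MAC, bytes([198, 51, 100, 7]), MY_IP, 137, 137, b"\x00" * 50),
    udp_frame(OTHER_MAC, GW_MAC, OTHER_IP, DNS_IP, 40001, 53,
              dns_query("example.com", 1)),                                     # another station
]

if __name__ == "__main__":
    mine = station_frames(CAPTURE, MY_MAC)
    print(summarize(mine))
    print("%.5f%% of a 10 Mbit/s link" % utilization_percent(mine, 10_000_000, 1.0))
```

The percentage is relative to the adapter's link speed, which is why such small numbers appear: on a 10 Mbit/s link 0.01% is 1 kbit/s, about 125 bytes or two minimum-size frames per second, and the four constructed frames above already come to roughly 0.026%. The MAC filter in `station_frames` only works as described on a shared hub; on a switch the other card sees just broadcasts and its own traffic, so a tap or mirror port is needed.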
 