What application is dialling out?

Thread starter: David Morgan

David Morgan

On a small network using 'Internet Connection Sharing',
one or two of the client computers are dialling out at
random. How can I detect which computer is doing it and
what application is the cause?
 
David Morgan said:
On a small network using 'Internet Connection Sharing',
one or two of the client computers are dialling out at
random. How can I detect which computer is doing it and
what application is the cause?


The best way I've found to diagnose this is to
download and install the free version of ZoneAlarm.

Look carefully on the ZoneLabs website,
the free version is often rather obscured from view.

Install it on all the machines.
Then it will flag up the programs which are attempting to 'phone home'.
 
 
"Ron Lowe" said:
The best way I've found to diagnose this is to
download and install the free version of ZoneAlarm.

Look carefully on the ZoneLabs website,
the free version is often rather obscured from view.

Install it on all the machines.
Then it will flag up the programs which are attempting to 'phone home'.

I'm using ZoneAlarm right now to find out why booting an ICS client
computer on my network causes the host to dial, Ron. Here's the alert
that it gives:

Do you want to allow Generic Host Process for Win32 Services to
access the local network?

Destination IP: 192.168.0.1:DNS
Application: svchost.exe

It dials as soon as I say "yes".

I've disabled Windows Update and every startup item that I can find.
I don't know what's making the DNS call or what name it's trying to
look up. It's interesting that it's trying to access the local
network, not the Internet, but it dials anyway. Any idea how to make
it stop?
--
Thanks,
Steve Winograd, MS-MVP (Windows Networking)

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
Steve Winograd said:
I'm using ZoneAlarm right now to find out why booting an ICS client
computer on my network causes the host to dial, Ron. Here's the alert
that it gives:

Do you want to allow Generic Host Process for Win32 Services to
access the local network?

Destination IP: 192.168.0.1:DNS
Application: svchost.exe

It dials as soon as I say "yes".

I've disabled Windows Update and every startup item that I can find.
I don't know what's making the DNS call or what name it's trying to
look up. It's interesting that it's trying to access the local
network, not the Internet, but it dials anyway. Any idea how to make
it stop?
--
Thanks,
Steve Winograd, MS-MVP (Windows Networking)

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

Is that what ZA reports on the client?

So the client is doing a DNS lookup.
It has obtained the DNS server address of 192.168.0.1
because ICS does that by default. ( DNS forwarding by the host. )

I'd guess some *service* is doing a DNS lookup.

When I don't know what's going on, I usually fall back on a sniffer.
Try downloading ethereal ( and the winpcap drivers that it requires )
and running it on the host. Start a capture, and then boot the client.

See what traffic there is.

There will be a bunch of noise when the client boots: DHCP, browser
announcements etc.
Look for DNS queries.

See what is being resolved.

Is it a local machine or an external one?
 
-----Original Message-----
On a small network using 'Internet Connection Sharing',
one or two of the client computers are dialling out at
random. How can I detect which computer is doing it and
what application is the cause?
.
I'm having an identical problem. I've found that the
second machine (the one WITHOUT the internet access)
seems to be trying to search for connectivity. I've
eliminated the problem by disconnecting the crossover
cable.

I've looked for viruses and found none (latest NAV defs).

TO MICROSOFT SUPPORT:

What's up with this?
 
"Ron Lowe" said:
Is that what ZA reports on the client?

So the client is doing a DNS lookup.
It has obtained the DNS server address of 192.168.0.1
because ICS does that by default. ( DNS forwarding by the host. )

I'd guess some *service* is doing a DNS lookup.

When I don't know what's going on, I usually fall back on a sniffer.
Try downloading ethereal ( and the winpcap drivers that it requires )
and running it on the host. Start a capture, and then boot the client.

See what traffic there is.

There will be a bunch of noise when the client boots: DHCP, browser
announcements etc.
Look for DNS queries.

See what is being resolved.

Is it a local machine or an external one?

Thanks for your reply, Ron. I've installed Ethereal and WinPcap on
the ICS host. What great programs! It's amazing to actually see
things like DHCP, browser announcements, SSDP, and DNS in action. I'm
probably going to spend way too much time sniffing and examining
packets. ;-)

I found a completely unexpected result: ZoneAlarm itself was issuing a
DNS lookup when the client computer booted, causing the host computer
to dial. It was resolving the name "lockup.zonealarm.com". ZA's
"True Vector Internet Monitor" runs as a service, so svchost.exe was
the source.

When I disabled ZoneAlarm and rebooted, the host stopped dialing when
the client boots!

P.S.

I found another thing that can cause DNS lookups: if the client's DNS
suffix (primary or connection-specific) is different than the host's,
the client's attempts to look up computer names (e.g. comp.mshome.net)
by DNS can't be resolved locally by the host.
--
Thanks!
Steve Winograd, MS-MVP (Windows Networking)

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
Steve Winograd said:
Thanks for your reply, Ron. I've installed Ethereal and WinPcap on
the ICS host. What great programs! It's amazing to actually see
things like DHCP, browser announcements, SSDP, and DNS in action. I'm
probably going to spend way too much time sniffing and examining
packets. ;-)

I found a completely unexpected result: ZoneAlarm itself was issuing a
DNS lookup when the client computer booted, causing the host computer
to dial. It was resolving the name "lockup.zonealarm.com". ZA's
"True Vector Internet Monitor" runs as a service, so svchost.exe was
the source.

When I disabled ZoneAlarm and rebooted, the host stopped dialing when
the client boots!

P.S.

I found another thing that can cause DNS lookups: if the client's DNS
suffix (primary or connection-specific) is different than the host's,
the client's attempts to look up computer names (e.g. comp.mshome.net)
by DNS can't be resolved locally by the host.
--
Thanks!
Steve Winograd, MS-MVP (Windows Networking)

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com


< Just back online after house move and new ISP : 2Mbps:-) >

Yes, it's quite educational to see all of what's going on.
Indeed, you can spend too long messing with it.
Sometimes it's the only way to determine what's happening.

Here's an educational trick:
Create a hidden share on a 'server'. Say 'test$'.
Go to the sniffer machine, and start a capture.
Command prompt: net view \\server.
You get the usual list of shares, hidden shares not shown.
Stop the capture.
Look at the Share Enumeration, expand it up.
All present and correct. Including hidden ones!
Just goes to show that hidden$ is only hidden if the client respects the $!

One thing to remember is that the sniffer will only see packets which are on
the wire to that machine. If you have a hub, then you see all traffic. But
in a switched environment, you only see traffic to/from the leg of the
switch you are on, as well as broadcasts ( like ARP requests, etc. ) This
sometimes causes confusion.

Sometimes, I will put a sniffer laptop and a small hub in-circuit to be able
to silently capture traffic on a wire to a machine under test.

Re: ZA... Is that service possibly an 'auto update' service which is
running, and can be disabled by shutting off auto update feature?

Re: DNS suffix: That's what I'd expect. That's essentially how a full-blown
DNS server would behave too.
Here's what happens:

Client is 'client', Primary DNS suffix is "domain1.com".
Client ( client.domain1.com): "ping otherpc"
Client DNS resolver: "hmm, not a FQDN. Let's append the primary suffix and
submit to DNS"
Client DNS resolver: "dear 192.168.0.1, please resolve otherpc.domain1.com"

Host and DNS mini-server is 'host', Primary DNS suffix = mshome.net
Host: "Help! I can't resolve otherpc.domain1.com locally, I only know
about 'mshome.net' locally."
Host: "So I must go out on the Internet and resolve this external domain
'domain1.com'."
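An added illustration of the two points above (Ron's "look for DNS queries, see what is being resolved" sniffer workflow and the DNS-suffix walkthrough); this is example code, not anything posted in the thread. It parses the QNAME out of raw DNS query packets (constructed here, not captured from the network described) and flags the names the ICS host could not answer locally under mshome.net, i.e. the ones that would be forwarded upstream and bring the dial-up link up.

```python
import struct

HOST_SUFFIX = "mshome.net"  # the ICS host's own DNS suffix, as in the thread


def parse_qname(msg: bytes, offset: int = 12):
    """Read the QNAME from the question section of a DNS query (RFC 1035
    length-prefixed labels; no compression pointers appear in a plain query).
    Returns (dotted_name, offset_after_name). Offset 12 skips the header."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal A-record query for `name` (sample data, built
    here so the example runs offline; not a real capture)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                     for lab in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def client_fqdn(name: str, primary_suffix: str) -> str:
    """What the client's resolver actually sends: a single-label name gets
    the client's primary suffix appended ('ping otherpc' -> otherpc.domain1.com)."""
    return name if "." in name else f"{name}.{primary_suffix}"


def host_would_dial(fqdn: str, host_suffix: str = HOST_SUFFIX) -> bool:
    """The ICS host answers names under its own suffix locally; anything else
    is forwarded to the ISP's DNS, which is what brings the dial-up link up."""
    return not fqdn.lower().endswith("." + host_suffix.lower())


def triage(packets, host_suffix: str = HOST_SUFFIX):
    """Sniffer-style pass over captured queries: (name, would_cause_dial)."""
    return [(parse_qname(p)[0], host_would_dial(parse_qname(p)[0], host_suffix))
            for p in packets]


def demo():
    """Three constructed queries: a local name, a client whose primary suffix
    differs from the host's, and the lockup.zonealarm.com lookup from the thread."""
    packets = [build_query("comp.mshome.net"),
               build_query(client_fqdn("otherpc", "domain1.com")),
               build_query("lockup.zonealarm.com")]
    return triage(packets)
```

Only the first name stays local; the other two are exactly the kind of query the thread found behind the unexpected dialling.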
 