Thread: Unknown traffic

  1. #1 ibe98765 (5 Star Lounger)
    Recently I noticed that I am pumping a lot of bytes through my net connection, even when I don't have many major apps open (like Outlook and FF).

    I of course did a spyware/AV check first but it came back clean.

    So I endeavored to look closer and I've been able to trace the traffic to some thread running under one of those generic SVCHOST processes.

    You can see in the attached screenshot that there is a lot going on in terms of the number of threads under this SVCHOST Process, which might make it impossible to isolate which one is causing the traffic.

    I do know that when I suspended this whole process, the machine slowly froze and had to be rebooted. However, when I turned off all traffic through the Comodo firewall, I was able to turn it back on hours later w/o any problems.

    Does anyone have any ideas on how I might trace this further to find out who needs to transfer approximately 15mb (total bytes up and down) each and every hour? Maybe a packet trace?
    [Attached image]

  2. #2 StuartR (Plutonium Lounger)
    That process includes "Background Intelligent Transfer Service" which is used by Windows Update to download updates.

    I would guess that this is most likely to be Windows Update working in the background to fetch updates. You could test this theory by turning off Windows Update for a day or two and checking if the traffic disappears.

    If you want to actually look at all the network packets to understand what is in them then you could use a network packet trace tool such as ethereal.

  3. #3 WS Lounge VIP
    Ethereal is now known as Wireshark.

    cheers, Paul

  4. #4 ibe98765 (5 Star Lounger)
    Quote (originally posted by StuartR):
    That process includes "Background Intelligent Transfer Service" which is used by Windows Update to download updates.

    I would guess that this is most likely to be Windows Update working in the background to fetch updates. You could test this theory by turning off Windows Update for a day or two and checking if the traffic disappears.

    If you want to actually look at all the network packets to understand what is in them then you could use a network packet trace tool such as ethereal.
    I've heard that MS will be issuing their last patches for 2009 on this Tuesday. So I might consider your suggestion afterwards.

    Still, I doubt that is the source of the problem. If this was from MS, then the traffic would be mostly downloading, not almost equal amounts of upload/download traffic. In less than 24 hours since I last restarted the system, this connection has transferred over 200MB (85MB incoming and 120MB outgoing)! Whew.

    I did a search on port 5431 and on 192.168.1.1:5431 and found a LOT of hits! I wonder how many other people here might be experiencing this problem but don't know about it because they don't have the right tools? What keyed me to the issue was watching Bitmeter2 which I have running in the lower left corner of my screen all the time.

    So about 1 hour ago, I decided to try and terminate this connection. I did so through Comodo and so far, it hasn't restarted itself and everything else seems to be working. Note: I terminated the net connection running under SVCHOST, NOT the SVCHOST process itself.

    Until I figure something else out, I may just have to try manually terminating this connection whenever I restart windows (or if it auto starts).

    I am going to download Wireshark and get that setup though.

  5. #5 Mike Biracree (Lounger)
    Many Cable modems are put on the 192.168.1.x scope and 1.1 is a pretty standard address for a router, so it might be traffic going to your cable provider like DNS? Did you try to browse to 192.168.1.1?

    Port 5431 is registered to someone at Veritas.com (http://www.auditmypc.com/port/tcp-port-5431.asp); what are you running for backup software?

  6. #6 ibe98765 (5 Star Lounger)
    Quote (originally posted by Mike Biracree):
    Many Cable modems are put on the 192.168.1.x scope and 1.1 is a pretty standard address for a router, so it might be traffic going to your cable provider like DNS? Did you try to browse to 192.168.1.1?

    Port 5431 is registered to someone at Veritas.com (http://www.auditmypc.com/port/tcp-port-5431.asp); what are you running for backup software?
    I have DSL, not cable. Anyway, I think DNS traffic is on port 53.

    I use Acronis TI for backup. Strictly imaging to local hard drives. Nothing backed up to the net.

    I have blocked the traffic in the firewall. I can see the process cycling through many source ports but the destination port is ALWAYS 5431.

  7. #7 Mike Biracree (Lounger)
    Well, DSL still uses a modem; did you try to browse or telnet to that address?

  8. #8 ibe98765 (5 Star Lounger)
    No I didn't try to browse to the address prior. And I can't do so easily now because Comodo apparently doesn't allow for disabling rules. I would have to delete the current rule and then recreate it afterwards. I may try this but I want to think it through first.

    Since http://192.168.1.1 is the router address (Linksys WRT54GS in this case), what would be the point of sending so much data to a specific port (5431) on the router???? Doesn't make any sense to me!

    Here is a log sample. Whatever this process is, it seems to vary the source port in an apparent range of 1025-5000 but keeps the destination port the same.
    [Attached image]

  9. #9 DaveA (Super Moderator)
    I think it is your machine checking with the router for traffic.
    None found, so it will check in again later.

    Now running HP Pavilion a6528p, with Win7 64 Bit OS.

  10. #10 ibe98765 (5 Star Lounger)
    Quote (originally posted by DaveA):
    I think it is your machine checking with the router for traffic.
    None found, so it will check in again later.
    No, can't be. The log is for the IP blocking that I am doing now.

    Originally (see 1st post), this traffic is coming from something hung off one of the SVCHOST processes, so it is some sort of system service that is generating the data. There is ~15MB transferred per hour, each and every hour, about 40% upload and 60% download. That is a lot more than checking traffic.

    BTW: Blocking this traffic seems not to have had any effect on anything. My system seems to be running just fine but with a lot less data transfer.

  11. #11 David Neeley (New Lounger)
    I suspect it is the result of some kind of malware that simply was not caught by your antispyware program.

  12. #12 satrow (Super Moderator)
    I think it's UPnP; SSDP Discovery service, see here and DSLReports.

  13. #13 ibe98765 (5 Star Lounger)
    Quote (originally posted by David Neeley):
    I suspect it is the result of some kind of malware that simply was not caught by your antispyware program.
    Feh. That would be the easy response. And how did it get hooked into SVCHOST? If you have something more definitive to post, please do so.

  14. #14 ibe98765 (5 Star Lounger)
    Quote (originally posted by Andy Rowlands):
    I think it's UPnP; SSDP Discovery service, see here and DSLReports.
    Yes, I saw those posts. However, I turned off both those services and it made no difference.

  15. #15 New Lounger
    I suggest using TrendMicro HijackThis to search for unknown startup processes, and SysInternals' Process Explorer to list the internal services registered (in the properties of the svchost process); maybe that way the culprit could be determined. Both utilities are free.
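The step post #15 describes, matching a connection to the services hosted inside a shared svchost.exe, can also be done from the text output of `netstat -ano` and `tasklist /svc` on the affected machine. The script below is an added example, not from this thread or its posters; the two sample outputs are constructed in the shape those commands print (the PIDs, addresses and service names are made up), and `tasklist /svc` really does wrap long service lists onto indented continuation lines, which the parser handles.

```python
import re

# Constructed sample in the shape of `netstat -ano` output (not a real capture).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.100:1031     192.168.1.1:5431       ESTABLISHED     1084
  TCP    192.168.1.100:1040     192.168.1.1:5431       ESTABLISHED     1084
  TCP    192.168.1.100:2203     72.14.213.104:443      ESTABLISHED     3320
  UDP    0.0.0.0:1900           *:*                                    1084
"""
# Constructed sample in the shape of `tasklist /svc`, with a wrapped service list.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
svchost.exe                   1084 AudioSrv, BITS, CryptSvc, Dhcp, EventSystem,
                                   SSDPSRV, upnphost, wuauserv
firefox.exe                   3320 N/A
"""

def parse_netstat(text):
    """Yield (proto, local, remote, pid); UDP rows have no State column."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank or other non-socket lines
        proto, local, remote, *rest = parts
        yield proto, local, remote, int(rest[-1])

def parse_tasklist(text):
    """Map PID -> service names hosted in that process ("N/A" means none)."""
    services, last_pid = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+(.*)$", line)
        if m:  # the header row never matches: no numeric PID column
            last_pid = int(m.group(2))
            services[last_pid], line = [], m.group(3)
        elif not (line.startswith(" ") and last_pid is not None):
            continue  # blank line or text outside the table
        names = [s.strip() for s in line.split(",") if s.strip()]
        services[last_pid].extend(n for n in names if n != "N/A")
    return services

def services_talking_to(netstat_text, tasklist_text, dst_port):
    """PID -> (sorted peer hosts, hosted services) for sockets to dst_port."""
    hosted = parse_tasklist(tasklist_text)
    peers = {}
    for _proto, _local, remote, pid in parse_netstat(netstat_text):
        rhost, _, rport = remote.rpartition(":")
        if rport == str(dst_port):
            peers.setdefault(pid, set()).add(rhost)
    return {pid: (sorted(hosts), hosted.get(pid, [])) for pid, hosts in peers.items()}
```

This narrows the culprit to the set of services sharing that svchost rather than to one thread; on the real machine the list is then shortened by stopping candidates one at a time while watching whether the port 5431 traffic stops.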
