This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Excessive internet traffic eminating from SBS 2003 Server

0

Excessive internet traffic eminating from SBS 2003 Server

Our internet browsing capability at the office has slowed considerably in the last few days.

I noticed our server is sending and receiving data constantly. It is running SBS 2003 and we are hosting email on it. We don't host a website on it - other than the Remote Web Workplace site that is available via the internet. Local LAN IP of SBS 2003 box is 192.168.0.254.

If I remove the server from the network, ping times are reduced and internet speeds are increased when testing from a workstation.

I installed WireShark on the server and ran a capture. I am not too good at reading the resulting data. But, there are several lines with red text on a black background. And there are many more entries listed as "Data Fragments" under the SMTP protocol - all of which have the same destination IP address (66.94.237.64)

Here are two entries:

Red text with black background:

No: 44794. Time: 245.209207. Source: 66.94.237.64. Destination: 192.168.0.254. Protocol: TCP. Info: [TCP Window Update] smtp > [ACK] Seq=411 Ack=7433321 Win=61756 Len=0

Data Fragment:

No: 44795. Time: 245.209227. Source: 192.168.0.254. Destination: 66.94.237.64. Protocol: SMTP. Info: C: DATA fragment, 1452 bytes

Can anyone tell me what this is or means? Maybe a virus? Maybe a SMTP Relay situation?

Thank you for any help you may be able to offer.

This question is marked "community wiki".

asked 08 Dec '10, 19:19

coryjon's gravatar image

coryjon
1111
accept rate: 0%


2 Answers:

0

I think you might want to go through some of the statistics menu first. What you are looking at maybe the needle in the haystack, but if so you have lots of needles. Look at Statistics > Protocol Heirarchy, Statistics > Endpoints, and Statistics Conversations. Also look at statistics, packet lengths. You will want to exclude all traffic that is internal. What we are looking for is the following:

1). Is there high bw consumption (sometimes there isn't) 2). Are the packets big or small 3). Anything that surprises you 4). non tcp transport layer protocol

What you are trying to do understand from a broad perspective what your traffic looks like.

These are just a few starting points. Its really, really difficult to troubleshoot using packet analysis when you haven't had a lot of experience. Let me say that another way. It is very easy to be distracted by the unimportant when troubleshooting, if you don't regularly spend time in Wireshark.

answered 09 Dec '10, 03:45

Paul%20Stewart's gravatar image

Paul Stewart
3018
accept rate: 6%

0

The two frames that you have quoted show that your server is sending out e-Mail to a Yahoo-server.

As these are only two lines from the whole trace file it is not indication for a symptom, left alone a problem. Don't get confused by the all the colors.

As Paul pointed out the protocol hierarchy, endpoint- and conversation statistics are a good start. If Statistics -> Endpoints -> TCP would show that the majority of traffic is send from your SBS to the SMTP port (port 25) your server is sending out e-Mail - at least while you are capturing.

Excessive outgoing e-Mail can have a number of reasons:

  • Some genius decides to attach the latest DVD to an e-Mail
  • A user (or department) is sending out e-Mail (say, a marketing department going wild)
  • One of your clients got infected with a trojan horse / spambot and sends out SPAM
  • Your mail server is not properly secured and someone is using it as a SPAM relay

The general "slow surfing" experience can have a number of other reasons, including, but not limited to:

  • One or more users downloading data / watching TV ...
  • A general saturation of your internet link
  • Introduction of a new software, that relies on an Internet service
  • Over subscription of the line on the provider-end
  • faulty hardware / cable

These are just a few points to look at. The first network analysis with Wireshark is always the hardest. It get's easier once get used to it.

hth, good luck

answered 09 Dec '10, 09:37

packethunter's gravatar image

packethunter
2.1k71548
accept rate: 8%