Odd network activity problem

Mo0o (Lifer, joined Jul 31, 2001):
My Samurize is picking up intermittent incoming network activity. Normally I wouldn't worry, but this is happening quite often, every few minutes, and it's reporting the download rate to be 1mb/s. The network activity is accompanied by CPU usage. These little bursts of activity last from 10 seconds to 5 minutes.

What's weird is that I'm not sure what program can be using the bandwidth, since I've tried closing all nonessential programs to no avail. I've also tried NetLimiter and it hasn't indicated any programs using the unaccounted activity. Also, given the frequency and duration of these unaccounted network activities, the hard drive should be full by now, but there's no change in the amount of free space.

Anyone have any ideas? I'm connected to a college network w/ a static IP if that makes a difference.
 

spidey07 (No Lifer, joined Aug 4, 2000):
It could be anything really. Download Ethereal and capture the traffic.

Probably just other students probing you or the university doing a scan.
 

Mo0o (Lifer, joined Jul 31, 2001):
Originally posted by: spidey07
It could be anything really. Download Ethereal and capture the traffic.

Probably just other students probing you or the university doing a scan.

Odd, I never had this problem last semester or the previous years on the school network. I'll check out what I can find with this Ethereal program.
 

Mo0o (Lifer, joined Jul 31, 2001):
I checked my Ethereal readout:

I received a lot of activity from this person, 192.168.1.1, through a protocol called ICMP. Under Info it says "Destination unreachable (Protocol unreachable)".
 

Smilin (Diamond Member, joined Mar 4, 2002):
heh.

That person is likely your gateway (post the output from an ipconfig /all for us).

A lot of ICMP destination unreachables coming in could be due to an MTU drop somewhere upstream and PMTU detection is kicking in. See if they say anything about the DF flag or an MTU size.

Not really bad stuff at all. Keep looking.
 

Mo0o (Lifer, joined Jul 31, 2001):
Here's my ipconfig:

Connection-specific DNS Suffix dorm.duke.edu
IP Address 152.3.78.183
Subnet Mask 255.255.248.0
Default Gateway 152.3.72.1

Where do I look for DF flag or MTU size things? I'm not sure what those things are.
 

RebateMonger (Elite Member, joined Dec 24, 2005):
Are you sure that attempt at ICMP traffic is INCOMING and not OUTGOING from your PC?
192.168.1.1 is a little bit out of your subnet.....
 

spidey07 (No Lifer, joined Aug 4, 2000):
Originally posted by: RebateMonger
Are you sure that attempt at ICMP traffic is INCOMING and not OUTGOING from your PC?
192.168.1.1 is a little bit out of your subnet.....

sounds like somebody has plugged in a SOHO router to the campus network on his subnet and he's seeing a packet storm/loop.
 

RebateMonger (Elite Member, joined Dec 24, 2005):
Originally posted by: spidey07
sounds like somebody has plugged in a SOHO router to the campus network on his subnet and he's seeing a packet storm/loop.
They might have plugged one in backwards. Bet if you set your TCP/IP to "Automatic", you'll get an IP from him.
 

spidey07 (No Lifer, joined Aug 4, 2000):
Originally posted by: RebateMonger
Originally posted by: spidey07
sounds like somebody has plugged in a SOHO router to the campus network on his subnet and he's seeing a packet storm/loop.
They might have plugged one in backwards.

Even if not backwards, a misconfigured one could cause this scenario. I've seen them take down rather large networks.

-edit-
If somebody plugged in a SOHO router and put in a default route or summary route for the OP's subnet, you'd see this behavior due to proxy-arp.
 

Mo0o (Lifer, joined Jul 31, 2001):
Originally posted by: spidey07
Originally posted by: RebateMonger
Originally posted by: spidey07
sounds like somebody has plugged in a SOHO router to the campus network on his subnet and he's seeing a packet storm/loop.
They might have plugged one in backwards.

Even if not backwards, a misconfigured one could cause this scenario. I've seen them take down rather large networks.

Ok, so basically I can't do anything about this :( . Is there any way I can block incoming traffic from that address if I'm not on a router?
 

spidey07 (No Lifer, joined Aug 4, 2000):
Call tech support.

If you are seeing ICMP unreachables from that address as a substantial amount of traffic then something is not right and the school can shut that port down. It would help if you recorded the MAC address of the 192.168.1.1 machine from your captures and provided that to them.
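As an added example, not part of this thread: a small Python decoder for the kind of frames Ethereal shows here. It pulls the sender's MAC (what spidey07 asks the OP to record) out of each ICMP destination-unreachable frame, decodes the code (Protocol unreachable versus fragmentation needed, which is where Smilin's DF flag and MTU size would appear), and flags senders outside the OP's 152.3.72.0/21 subnet. The sample frames are constructed, not from a real capture; the MAC addresses and the 1400-byte MTU are made up.

```python
import ipaddress
import struct

UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                 3: "port unreachable", 4: "fragmentation needed and DF set"}  # ICMP type 3 codes
ME = ipaddress.ip_address("152.3.78.183")  # the OP's address from the ipconfig above

def build_frame(src_mac, src_ip, code, inner_df=False, next_hop_mtu=0):
    """Constructed sample Ethernet/IPv4/ICMP unreachable frame (checksums zeroed; parse-only)."""
    inner_flags = 0x4000 if inner_df else 0  # DF is bit 14 of the flags/fragment-offset field
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 1, inner_flags, 64, 6, 0,
                           ME.packed, ipaddress.ip_address("10.9.8.7").packed)
    icmp = struct.pack("!BBHHH", 3, code, 0, 0, next_hop_mtu) + inner_ip + b"\x00" * 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 2, 0, 64, 1, 0,
                     ipaddress.ip_address(src_ip).packed, ME.packed)
    return b"\xaa" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ip + icmp

def parse_unreachable(frame):
    """Decode an ICMP destination-unreachable frame; return None for anything else."""
    if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 1:  # not IPv4, or IP protocol != ICMP
        return None
    ip = frame[14:]
    icmp = ip[(ip[0] & 0x0F) * 4:]  # skip the IP header (IHL is in 32-bit words)
    if icmp[0] != 3:  # not destination unreachable
        return None
    code, inner = icmp[1], icmp[8:]  # inner = quoted header of the packet that was dropped
    return {
        "src_mac": frame[6:12].hex(":"),
        "src_ip": str(ipaddress.ip_address(ip[12:16])),
        "code": code, "reason": UNREACH_CODES.get(code, f"code {code}"),
        "next_hop_mtu": struct.unpack("!H", icmp[6:8])[0] if code == 4 else None,  # RFC 1191
        "inner_df": bool(struct.unpack("!H", inner[6:8])[0] & 0x4000) if len(inner) >= 20 else None,
    }

def triage(frames, local_net="152.3.72.0/21"):
    """Flag unreachables from off-subnet senders (a mis-plugged router) and note PMTU hints."""
    net, findings = ipaddress.ip_network(local_net), []
    for d in filter(None, map(parse_unreachable, frames)):
        if ipaddress.ip_address(d["src_ip"]) not in net:
            findings.append(f"off-subnet ICMP {d['reason']} from {d['src_ip']} "
                            f"(MAC {d['src_mac']}): give this MAC to campus IT")
        elif d["code"] == 4:
            findings.append(f"PMTU: {d['src_ip']} reports next-hop MTU {d['next_hop_mtu']}, "
                            f"DF on dropped packet={d['inner_df']}")
    return findings

SAMPLE_FRAMES = [  # constructed; the first mimics the OP's capture, the second a PMTU message
    build_frame("00:11:22:33:44:55", "192.168.1.1", 2),
    build_frame("00:aa:bb:cc:dd:ee", "152.3.72.1", 4, inner_df=True, next_hop_mtu=1400),
]
```

Running `triage(SAMPLE_FRAMES)` yields one line naming the off-subnet 192.168.1.1 sender with its MAC and one PMTU line for the gateway; on a real capture you would feed it the raw frames exported from Ethereal instead of the constructed ones.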
 

Mo0o (Lifer, joined Jul 31, 2001):
Ok, I've alleviated this situation by plugging a router between my computer and the wall.
 

RebateMonger (Elite Member, joined Dec 24, 2005):
Well, if the router IS backwards, you can set your IP address to 192.168.1.10/255.255.255.0 and probably set up his router at http://192.168.1.1.

KnickNut3 is reporting NetBIOS traffic on TCP Port 138. So you can probably get a MAC address. But I still imagine the router has to be found with elbow grease.
 

spidey07 (No Lifer, joined Aug 4, 2000):
Originally posted by: Mo0o
Ok, I've alleviated this situation by plugging a router between my computer and the wall.

gaaa!

Did you not read what I posted? Those things are what can cause the problem.

Call your school and see if they allow this.
 

Mo0o (Lifer, joined Jul 31, 2001):
Originally posted by: spidey07
Originally posted by: Mo0o
Ok, I've alleviated this situation by plugging a router between my computer and the wall.

gaaa!

Did you not read what I posted? Those things are what can cause the problem.

Call your school and see if they allow this.

How do I know if I've misconfigured my particular router?
 

spidey07 (No Lifer, joined Aug 4, 2000):
If you just plug it in with default settings, put the WAN port to their network and your machines on the LAN ports, you'll be fine.

But do read your school's policy on the use of network gear on their network.