Netlimiter / Process Explorer boffins?

daveza

Honorary Master, joined Apr 5, 2004, Durbanville, Cape Town
I'm stumped.

Have a client connected to a terminal server flat-lining bandwidth.

If I run Netlimiter on the trmsrv it shows DLs to her PC from system/Process 4/her IP.

If I kill this process the rdd graphs return to normal for a period before it starts flat-lining again.

If I run process explorer on the trmsrv and monitor it, when I kill the process on Netlimiter I don't see any change under her profile on process explorer.

How do I find out what is chomping the bandwidth?
 
1) Use NetLimiter to find out where the traffic is going (what Internet IP address), as well as the Process Id that is generating the traffic
2) If it is a service that is the cause of the traffic, then use Process Explorer, by hovering your mouse pointer over that specific PID (Process ID) to see what services are running under that process.

Usually it is either like Windows updates or a virus that would run as a service and cause lots of Internet traffic.

Feel free to post the details here if you don't know what to make of the service names and/or IP addresses.
 
Netlimiter shows System - Process 4 - 172.xxx.xxx.xxx:445

How do I get it to show the PID?

Edit: Ah, The Process 4 IS the PID.

Question - under process 4 is a long list of terminal session IPs, only one of which is generating chunks of traffic. How do I isolate that specific IP on Process Explorer?

Process Explorer PID 4 shows NT AUTHORITY\SYSTEM
 
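An added example, not from anyone in this thread: PID 4 is the Windows kernel, which hosts the SMB server behind port 445, so Process Explorer will only ever show NT AUTHORITY\SYSTEM for it and cannot split the traffic per client. The per-client detail lives in the SMB session and open-file tables instead; this script reads them for one client IP. It assumes the terminal server is Windows Server 2012 or later (for the SmbShare and NetTCPIP cmdlets) and uses a placeholder client IP that you would replace with the flat-lining workstation's address.

```powershell
# Added example: attribute port-445 traffic that NetLimiter pins on PID 4 (System)
# to a single client by reading the SMB server's own session and open-file state.
param(
    [string]$ClientIp = '172.16.0.10'   # placeholder: the flat-lining workstation's IP
)

# 1. Confirm the kernel (OwningProcess 4) holds the established port-445 connection
#    from that client. This is the same view NetLimiter gives, minus the byte counts.
$conn = Get-NetTCPConnection -LocalPort 445 -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $ClientIp }
if (-not $conn) {
    Write-Warning "No established SMB connection from $ClientIp right now."
} else {
    $conn | Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess -AutoSize
}

# 2. Which account the client's SMB session runs under, how many handles it holds,
#    and how long it has been idle. A session with many opens and zero idle time is
#    the one worth looking at.
Get-SmbSession |
    Where-Object { $_.ClientComputerName -eq $ClientIp } |
    Format-Table ClientComputerName, ClientUserName, NumOpens, SecondsIdle, Dialect -AutoSize

# 3. The files that client currently has open on this server. A file that stays open
#    while the link is saturated (the shared application's data files, a profile or
#    redirected folder being re-copied) is what the RDP client is actually pulling.
Get-SmbOpenFile |
    Where-Object { $_.ClientComputerName -eq $ClientIp } |
    Sort-Object Path |
    Format-Table ClientUserName, Path, ShareRelativePath -AutoSize
```

On older servers without these cmdlets, `net session` and `openfiles /query /v` give the same session and open-file view from a command prompt.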
This is where I would look :D

Could be a Windows update.
Could be an application update in a loop.
Could be a huge email stuck in the outbox (keeps trying to resend and fails).
Virus or Malware (most likely this)

Who/what owns that IP? If Microsoft owns it, it's an update. If it's her mail server it could be an email in a loop, etc.

I see it's using port 445: http://www.grc.com/port_445.htm Looks like you could have an infection and someone is either copying all your data, DDoSing or worming from it.
 
It's a client working on an app on the terminal server (client is in CPT, Trm is in Joburg.)

All other users connect to the same app on the same trm on port 445 - only this connection causes flooding. It's easy to kill the process on Netlimiter but it eventually starts again - not sure whether the client initiates it or it's automatic.

Netlimiter is on the local pc and the trm - the CPT one shows outbound to the trm, the trm shows inbound traffic from the local pc.

None of the other workstations make a dent on the graphs, just this one that flat-lines. I'm stumped as to what is different.
 
Ok, I know nothing about terminals. What about a gammy NIC?
 
What process is generating the traffic? Or did I miss that?
 
A print job stuck on her printer on the TS?

Is her RDP client set up identical to the rest? Drive mapping and sound redirection enabled on her RDP client etc?
 