Strange Network Problem.

Jackal65

Friends of ours have a very strange problem and I can't seem to figure it out.

So the network upload stream remains saturated to the point that games, video calls and even Discord will disconnect randomly. At first we suspected it might be the ISP connection and they were contacted. They found no problem and the line is running at full speed of about 100Mbps up/down. Next all the network cables were replaced with new cables to rule out any problems. It is a simple home network that runs CAT6 and all the devices are directly connected to the ISP router.

What we found on the usage panel was strange, the majority of the usage was upload traffic. The download traffic is minimal. After using a few tools to identify each device on the network we ruled out any outside connections. We ran spyware tools, antivirus tools to rule out malware and the computers had no known infections. The upload traffic is at a point just saturated.

I was wondering if there is a tool that is not Wireshark that can show active up/down traffic of each IP address. Then we can identify what system or phone is saturating the network. I am not aware of anyone doing streaming on Twitch/YouTube or if anyone is running any type of private server. But I am hoping the tool can point that out. I have tried free tools but they lack the functionality to truly inspect upload/download traffic in a simplified form.

Any suggestions on free tools that can maybe give us a clearer view on what is happening?
 
Disconnect each device in turn to identify which one is causing all the traffic.

Also consider perhaps your router has been compromised and is part of a DDoS botnet?
Do I understand you correctly, you said the router might be compromised? The user has no access to the router, the ISP refuses to give them access as a security measure.

How would a router get infected in this way? I did suggest they take all the devices offline and test each one but due to the nature of their home office it might not be possible. I will ask again. Because I 100% agree it should figure the problem out.

What's wrong with Wireshark?

The user doesn't really understand Wireshark all that well and I guess it is above their technical skill. I don't want to mess with their network directly so I am just spitballing suggestions.
 
The user doesn't really understand Wireshark all that well and I guess it is above their technical skill. I don't want to mess with their network directly so I am just spitballing suggestions.

Then process by elimination is probably the only way. Plug everything out and plug them in one by one and see if the issue is there after adding the device.
 
Does the router not have bandwidth monitoring for each device?

Even my basic AX3 or Asus router can do that and I can see which device is using bandwidth.
 
I'd start by changing ISPs, if they are paying for the router they should have full access to it.
 
You can also request access from your ISP.
However, agreed on simply plugging only one device in at a time. (Or even zero first, as there might be a phone/tablet suddenly uploading a backlog of 50GB of Google Photos which would explain the massive uploads.)
 
Does the router not have bandwidth monitoring for each device?

Even my basic AX3 or Asus router can do that and I can see which device is using bandwidth.
The ISP refuses to give access to the router itself. Why, I can't tell you, because it is stupid; it is your network, you should have access to it.
 
Can those dodgy R500 Android TV boxes be responsible?
 
Grabbed all the suggestions here and emailed it to them, they can have a read and figure it out. Thanks for the help. If they report back I will post it here. :thumbsup:
 
For sure. Could be compromised. What addons are installed? Maybe running a torrent?
That is what I don't know. They must turn everything off and turn each device on again and have a look. It will cost them a weekend maybe but worth it in the end.
 
What's wrong with Wireshark?
Wireshark is only good for examining traffic on the device it's installed on unless you have a span/monitor port set up on the switch, which in this case I doubt.
 
Wireshark is only good for examining traffic on the device it's installed on unless you have a span/monitor port set up on the switch, which in this case I doubt.
Nope, nothing like that, that is why I didn't push them to use it. I think the process of elimination is the best course of action here. I sent them a link to this thread so if they have questions they can ask me to ask you or ask directly. I think it is a dodgy Android TV box. Those things are poison to the home network.
 
If you don't have access to the router, how do you know upload is saturated?
Try a different router first and see if it's perhaps not a QoS issue.
 
I'd start with the router (if you can replace) and work backwards.

Can you run a continuous ping to 8.8.8.8 and does it show high latency? Hopefully it does.

Then start disconnecting devices and watch if the ping improves.
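
The ping-and-unplug procedure above, as an added example that is not part of the original thread: it splits a saved `ping 8.8.8.8` log at hand-typed `# ...` markers and reports which disconnect step brought the median round-trip time down the most. The log contents and the device names are constructed; the marker convention is an assumption of this example.

```python
import re
from statistics import median

# Constructed sample: ping output with a "# ..." marker typed in at each step.
# Device names are hypothetical placeholders.
SAMPLE_LOG = """\
# baseline
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=412 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=388 ms
Request timeout for icmp_seq 3
64 bytes from 8.8.8.8: icmp_seq=4 ttl=117 time=455 ms
# unplugged device-a
64 bytes from 8.8.8.8: icmp_seq=5 ttl=117 time=401 ms
64 bytes from 8.8.8.8: icmp_seq=6 ttl=117 time=430 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=117 time=397 ms
# unplugged device-b
64 bytes from 8.8.8.8: icmp_seq=8 ttl=117 time=18.2 ms
64 bytes from 8.8.8.8: icmp_seq=9 ttl=117 time=17.9 ms
64 bytes from 8.8.8.8: icmp_seq=10 ttl=117 time=19.4 ms
"""

RTT_RE = re.compile(r"time[=<]([\d.]+)\s*ms", re.I)   # Linux/macOS and Windows replies
LOST_RE = re.compile(r"timed? ?out", re.I)            # "Request timeout" / "timed out"

def summarize(log):
    """Return [(marker_label, median_rtt_ms or None, loss_fraction)] per phase."""
    phases = []
    for line in map(str.strip, log.splitlines()):
        if line.startswith("#"):
            phases.append([line.lstrip("# "), [], 0])
        elif phases and (m := RTT_RE.search(line)):
            phases[-1][1].append(float(m.group(1)))
        elif phases and LOST_RE.search(line):
            phases[-1][2] += 1
    return [(label, median(rtts) if rtts else None,
             lost / (len(rtts) + lost) if rtts or lost else 0.0)
            for label, rtts, lost in phases]

def biggest_improvement(summary):
    """Return (label, drop_ms) for the step after which median RTT fell the most."""
    best = (None, 0.0)
    for prev, cur in zip(summary, summary[1:]):
        if prev[1] is not None and cur[1] is not None and prev[1] - cur[1] > best[1]:
            best = (cur[0], prev[1] - cur[1])
    return best

if __name__ == "__main__":
    for label, rtt, loss in summarize(SAMPLE_LOG):
        print(f"{label:22} median={rtt} ms loss={loss:.0%}")
    print("largest drop after:", biggest_improvement(summarize(SAMPLE_LOG)))
```

Linux `ping` prints nothing for a lost reply unless run with `-O`, so without that flag the loss column only counts timeouts on macOS and Windows.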
 
When did this start?
It could be something malicious, or depending on the size of the network and devices, could be a change in cloud syncing services or mailbox syncing services with something going wrong on the sync.

I've had a Google Drive sync problem where it just kept trying to upload data but for whatever reason was having sync issues, so continuously kept trying.

As someone said, how are you determining now that it is saturated? Your APs might give you some details if you can't get from the router? The suggestion of turning everything off one at a time could be viable in at least figuring out where this is coming from, if you have a mix of wireless and wired, you can kill each of those.

Without actual traffic visibility, it's going to be a one by one process of elimination. Most laptops and phones have traffic visibility stats you could look at.
 