• Unknown traffic

    #464527

    Recently I noticed that I am pumping a lot of bytes through my net connection, even when I don’t have much major apps open (like Outlook and FF).

    I of course did a spyware/AV check first but it came back clean.

    So I endeavored to look closer and I’ve been able to trace the traffic to some thread running under one of those generic SVCHOST processes.

    You can see in the attached screenshot that there is a lot going on in terms of the number of threads under this SVCHOST Process, which might make it impossible to isolate which one is causing the traffic.

    I do know that when I suspended this whole process, the machine slowly froze and had to be rebooted. However, when I turned off all traffic through the Comodo firewall, I was able to turn it back on hours later w/o any problems.

    Does anyone have any ideas on how I might trace this further to find out who needs to transfer approximately 15mb (total bytes up and down) each and every hour? Maybe a packet trace?

    Viewing 8 reply threads
    • #1189292

      That process includes “Background Intelligent Transfer Service” which is used by Windows Update to download updates.

      I would guess that this is most likely to be Windows Update working in the background to fetch updates. You could test this theory by turning off Windows Update for a day or two and checking if the traffic disappears.

      If you want to actually look at all the network packets to understand what is in them then you could use a network packet trace tool such as ethereal.

      • #1189390

        That process includes “Background Intelligent Transfer Service” which is used by Windows Update to download updates.

        I would guess that this is most likely to be Windows Update working in the background to fetch updates. You could test this theory by turning off Windows Update for a day or two and checking if the traffic disappears.

        If you want to actually look at all the network packets to understand what is in them then you could use a network packet trace tool such as ethereal.

        I’ve heard that MS will be issuing their last patches for 2009 on this Tuesday. So I might consider your suggestion afterwards.

        Still, I doubt that is the source of the problem. If this was from MS, then the traffic would be mostly downloading, not almost equal amounts of upload/download traffic. In less than 24 hours since I last restarted the system, this connection has transferred over 200MB (85MB incoming and 120MB outgoing)! Whew.

        I did a search on port 5431 and on 192.168.1.1:5431 and found a LOT of hits! I wonder how many other people here might be experiencing this problem but don’t know about it because they don’t have the right tools? What keyed me to the issue was watching Bitmeter2 which I have running in the lower left corner of my screen all the time.

        So about 1 hour ago, I decided to try and terminate this connection. I did so through Comodo and so far, it hasn’t restarted itself and everything else seems to be working. Note: I terminated the net connection running under SVCHOST, NOT the SVCHOST process itself.

        Until I figure something else out, I may just have to try manually terminating this connection whenever I restart windows (or if it auto starts).

        I am going to download Wireshark and get that setup though.

    • #1189336

      Ethereal is now known as Wireshark.

      cheers, Paul

    • #1190267

      Many Cable modems are put on the 192.168.1.x scope and 1.1 is a pretty standard address for a router, so it might be traffic going to your cable provider like DNS? Did you try to browse to 192.168.1.1?

      Port 5431 is registered to someone at Veritas.com (http://www.auditmypc.com/port/tcp-port-5431.asp); what are you running for backup software?

      • #1190358

        Many Cable modems are put on the 192.168.1.x scope and 1.1 is a pretty standard address for a router, so it might be traffic going to your cable provider like DNS? Did you try to browse to 192.168.1.1?

        Port 5431 is registered to someone at Veritas.com (http://www.auditmypc.com/port/tcp-port-5431.asp); what are you running for backup software?

        I have DSL, not cable. Anyway, I think DNS traffic is on port 53.

        I use Acronis TI for backup. Strictly imaging to local hard drives. Nothing backed up to the net.

        I have blocked the traffic in the firewall. I can see the process cycling through many source ports but the destination port is ALWAYS 5431.

    • #1190362

      Well, DSL still uses a modem; did you try to browse or telnet to that address?

    • #1190425

      No I didn’t try to browse to the address prior. And I can’t do so easily now because Comodo apparently doesn’t allow for disabling rules. I would have to delete the current rule and then recreate it afterwards. I may try this but I want to think it through first.

      Since http://192.168.1.1 is the router address (Linksys WRT54GS in this case), what would be the point of sending so much data to a specific port (5431) on the router???? Doesn’t make any sense to me!

      Here is a log sample. Whatever this process is, it seems to vary the source port in an apparent range of 1025-5000 but keeps the destination the port the same.

    • #1190433

      I think it is your machine checking with the router for traffic.
      None found, so it will check in again later.

      DaveA I am so far behind, I think I am First
      Genealogy....confusing the dead and annoying the living

      • #1190434

        I think it is your machine checking with the router for traffic.
        None found, so it will check in again later.

        No, can’t be. The log is for the IP blocking that I am doing now.

        Originally (see 1st post), this traffic is coming from something hung off one of the SVCHOST processes, so it is some sort of system service that is generating the data. There is ~15MB transferred each and every hour, about 40% upload and 60% download. That is a lot more than checking traffic.

        BTW: Blocking this traffic seems not to have had any effect on anything. My system seems to be running just fine but with a lot less data transfer.

    • #1190450

      I suspect it is the result of some kind of malware that simply was not caught by your antispyware program.

      • #1190653

        I suspect it is the result of some kind of malware that simply was not caught by your antispyware program.

        Feh. That would be the easy response. And how did it get hooked into SVCHOST? If you have something more definitive to post, please do so.

    • #1190520

      I think it’s UPnP; SSDP Discovery service, see here and DSLReports.

      • #1190654

        I think it’s UPnP; SSDP Discovery service, see here and DSLReports.

        Yes, I saw those posts. However, I turned off both those services and it made no difference.

    • #1191789

      I suggest using TrendMicro HijackThis to search for unknown startup processes, and SysInternals’ Process Explorer to list the internal services registered (in the properties of the svchost process); maybe that way the culprit could be determined. Both utilities are free.
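      The same mapping that Process Explorer shows in the svchost properties (which services share the process that owns the connection) can be scripted. The following is an added example, not code posted in this thread; it assumes the router address 192.168.1.1 and destination port 5431 from the posts above, and uses the built-in Get-NetTCPConnection and Win32_Service cmdlets, which need Windows 8 / Server 2012 or later. On the XP-era machine discussed here the equivalent is `netstat -ano` (to get the owning PID) followed by `tasklist /svc` (to list the services inside that svchost).

```powershell
# Added example (not from the thread): map live connections to the router's port 5431
# back to the owning process and, for a generic svchost.exe, the services it hosts.
# Assumed values taken from the thread: router 192.168.1.1, destination port 5431.
$RouterIp = '192.168.1.1'
$DestPort = 5431

# Current TCP connections to that destination. Run this while BitMeter shows the
# traffic; if the flow is UDP it will not appear here and netstat -ano -p udp is
# needed instead (UDP endpoints carry no remote address in Get-NetUDPEndpoint).
$conns = Get-NetTCPConnection -RemoteAddress $RouterIp -RemotePort $DestPort -ErrorAction SilentlyContinue

if (-not $conns) {
    Write-Host "No live TCP connections to ${RouterIp}:${DestPort} right now."
    return
}

# Show the source-port churn the poster observed (many source ports, one destination port)
$conns | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Format-Table -AutoSize

foreach ($ownerPid in ($conns | Select-Object -ExpandProperty OwningProcess -Unique)) {
    $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    Write-Host ("PID {0} -> {1}" -f $ownerPid, $proc.ProcessName)

    # A generic svchost.exe hosts several services; list the ones registered to this PID
    # so the candidate set is narrowed before any service is stopped or the process suspended.
    if ($proc -and $proc.ProcessName -eq 'svchost') {
        Get-CimInstance Win32_Service -Filter "ProcessId = $ownerPid" |
            Select-Object Name, DisplayName, State, StartMode, PathName |
            Format-Table -AutoSize
    }
}
```

Stopping one listed service at a time (rather than suspending the whole svchost, which froze the machine in the first post) and re-checking the byte counter after each is a safer way to isolate the talker; BITS, SSDP Discovery and UPnP Device Host, all mentioned in this thread, would show up in that list if they are the ones involved.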
