3rd hard drive increases network utilisation

Discussion in 'Hardware' started by Dalriada, Sep 10, 2008.

  1. Dalriada

    Dalriada Private E-2

    I have a couple of SATA drives configured in Stripe mode, from which I boot Windows XP (Pro, SP2).

    I have another three SATA drives from a prior system which I connected to this one (configured as IDEs). When I connected them, I noticed an increase in network utilisation - spikes of 0.16% of my bandwidth every second or half second or so (~16Mb broadband).

    I've narrowed it down to one of the drives being the culprit, though I have no idea what the cause is. Does it sound like some kind of trojan?

    I'm planning to install a firewall or monitor that might tell me the origin of the spikes.. I seem to remember BlackIce used to have useful info. Does anyone know of any software (preferably free) that's likely to tell me what is happening?

    I'm also in the middle of trying to recover data from one of the other SATA drives, as it is failing (SMART reports a problem), and keeps causing freezes. Resetting, waiting for the drive to cool a bit and then rebooting seems the only way to access the drive, and even then a couple of folders just freeze the system when I click on them in Explorer. I'm considering putting the drive in the freezer for a while, in a ziplock bag!
     
  2. KingSteve

    KingSteve MajorGeek

    0.16% isn't anything you should be worried about... you can open a browser and see a spike of 0.1%. Jumping the gun and thinking you have a trojan is a little extreme.
     
  3. Dalriada

    Dalriada Private E-2

    Ah right, but this doesn't happen when I don't have that particular drive attached. Also, with the drive attached, the spikes happen (at a seemingly constant rate) with no browser running... not even Explorer.

    Trojan or no trojan, I'd like to be able to narrow this down, identify it and, if necessary, eliminate it.

    Here is a screenshot of Windows Task Manager/Network set to high update speed (run over a period of about 30 seconds):

    http://img134.imageshack.us/img134/373/wtmnef1.th.png

    Without the drive connected, the graph is completely flat.
     
  4. the_g_bomb

    the_g_bomb Private E-2

    If you are really worried you could have a look at wireshark: http://www.wireshark.org/

    It's a network monitoring app that will tell you exactly what is being sent by what from your computer. Apparently YouTube has some tutorials also, although I won't comment on their usefulness.
     
  5. KingSteve

    KingSteve MajorGeek

    Yeah, you're right. That doesn't look good. I was under the impression that it just spiked every so often, nothing like that though. I'm sorry, I can't help further. Try g bomb's advice, Wireshark is a great tool.
     
  6. Dalriada

    Dalriada Private E-2

    Thanks for your help so far guys. Sorry I wasn't clearer to begin with. I should have added that my hard drive makes noises (reading and/or writing?) that roughly coincide with the network activity.

    Although I'm pretty knowledgeable with PCs, Internet protocols and networking are by far my weakest subject. I've downloaded and installed Wireshark, and gingerly set about having a first run and looking at some of the info logged.

    I noticed a pattern, the largest packet of which is consistently around 700 bytes. It contains the following data:

    Code:
    /upnp/control/WANCommonInterfaceConfig HTTP/1.1
    Content-Type: text/xml; charset="utf-8"
    SOAPAction: "urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1#GetCommonLinkProperties"
    User-Agent: Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)
    Host: 192.168.0.1:xxxxx
    Content-Length: 315
    Connection: Keep-Alive
    Cache-Control: no-cache
    Pragma: no-cache

    <?xml version="1.0"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <SOAP-ENV:Body>
        <m:GetCommonLinkProperties xmlns:m="urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1"/>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

    I ran Wireshark with nothing else running in the background, and minimal processes running. I replaced the port number with 'x's because I'm reasonably paranoid! ;)

    If necessary, I'll try to learn as much as possible with regard to TCP and Wireshark etc, in order to try to identify the culprit. If anyone has any pointers though, I'd surely appreciate them!
     
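The request captured in the post above is a UPnP Internet Gateway Device (IGD) control call: an HTTP POST whose SOAP body asks the router's WANCommonInterfaceConfig service for GetCommonLinkProperties (WAN access type, maximum up/down bit rate and link status). The script below is an added example, not code from the thread or from any participant. It rebuilds a request in that shape, parses captured requests to report which service and action each one carries, and tallies the repeating (service, action) pair across a capture; it also covers the other counters a client polls from the same service (GetTotalBytesSent/Received, GetTotalPacketsSent/Received), which the post does not show. The POST method (cut from the capture), the router port 5431 and all sample requests are assumptions constructed for the example.

```python
"""Added example (not from the thread): parse captured UPnP IGD control
requests and report which service/action each one calls."""
import xml.etree.ElementTree as ET
from collections import Counter

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WANCIC = "urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1"

# Actions of the IGD WANCommonInterfaceConfig:1 service that a client polls to
# draw link status and throughput figures.
KNOWN_ACTIONS = {
    "GetCommonLinkProperties": "WAN access type, max up/down bit rate, link status",
    "GetTotalBytesSent": "cumulative WAN bytes sent",
    "GetTotalBytesReceived": "cumulative WAN bytes received",
    "GetTotalPacketsSent": "cumulative WAN packets sent",
    "GetTotalPacketsReceived": "cumulative WAN packets received",
}


def build_request(action, host="192.168.0.1:5431", service=WANCIC,
                  path="/upnp/control/WANCommonInterfaceConfig"):
    """Constructed request in the shape seen in the capture.  The POST method
    and the router port 5431 are assumptions; the capture hid both."""
    body = (
        '<?xml version="1.0"?>'
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}" '
        'SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<SOAP-ENV:Body><m:{action} xmlns:m="{service}"/></SOAP-ENV:Body>'
        "</SOAP-ENV:Envelope>"
    )
    head = (
        f"POST {path} HTTP/1.1\r\n"
        'Content-Type: text/xml; charset="utf-8"\r\n'
        f'SOAPAction: "{service}#{action}"\r\n'
        "User-Agent: Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)\r\n"
        f"Host: {host}\r\n"
        f"Content-Length: {len(body.encode())}\r\n"
        "Connection: Keep-Alive\r\nCache-Control: no-cache\r\nPragma: no-cache\r\n"
    )
    return head + "\r\n" + body


def parse_control_request(raw):
    """Split one HTTP request into request line, headers and body, then name
    the SOAP action it carries.  Non-SOAP requests come back with is_upnp False."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    info = {"method": method, "path": path, "host": headers.get("host", ""),
            "is_upnp": False, "service": None, "action": None, "args": {},
            "header_body_agree": None, "purpose": None}
    soapaction = headers.get("soapaction", "").strip('"')
    if not soapaction or not body:
        return info
    hdr_service, _, hdr_action = soapaction.partition("#")
    root = ET.fromstring(body)
    body_el = root.find(f"{{{SOAP_ENV}}}Body")
    call = next(iter(body_el), None) if body_el is not None else None
    if call is None:
        return info
    ns, _, action = call.tag.rpartition("}")
    service = ns.lstrip("{")
    info.update(
        is_upnp=True, service=service, action=action,
        args={c.tag.rpartition("}")[2]: (c.text or "") for c in call},
        # A body naming a different action than the SOAPAction header is worth
        # a second look; well-behaved clients keep the two in step.
        header_body_agree=(hdr_service, hdr_action) == (service, action),
        purpose=KNOWN_ACTIONS.get(action, "other action") if service == WANCIC
        else "not a WANCommonInterfaceConfig:1 call",
    )
    return info


def summarize(captures):
    """Tally (service, action) over many captured requests: the repeating pair
    is the 'regular packet' to chase back to a process."""
    parsed = (parse_control_request(r) for r in captures)
    return Counter((r["service"], r["action"]) for r in parsed if r["is_upnp"])


if __name__ == "__main__":
    capture = [build_request("GetCommonLinkProperties"),
               build_request("GetTotalBytesReceived"),
               "GET /index.html HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"]
    for r in map(parse_control_request, capture):
        print(f"{r['method']} {r['path']} -> {r['action']}: {r['purpose']}")
    print(summarize(capture))
```

To pull only these requests out of a live capture, the Wireshark display filter `http.request.uri contains "/upnp/control"` isolates them, and `netstat -bno` on XP SP2 lists the owning executable and PID for each connection, which is the quickest way to tie the traffic to a process.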
  7. Dalriada

    Dalriada Private E-2

    I made a reply but it doesn't seem to have been accepted yet.

    Anyway, I installed Wireshark and had a fiddle, but I'm not sure what I'm looking for. There does seem to be a pattern - a regular packet of 700-odd bytes is sent... something to do with SOAP and Mozilla. I don't know if that's the culprit or not though - there are other regular smaller packets being sent also.

    If anyone could give me any pointers, I'd be really grateful.

    The bad news is that I disconnected the dubious hard drive and it now appears to have spread to my boot drives. Even BlackIce firewall doesn't seem to stop the traffic.
     
  8. KingSteve

    KingSteve MajorGeek

    Best thing to do to narrow it down would be to close everything that creates any network traffic, as well as anything on your other computers that creates traffic on your network. Once you do that, try running a capture again for 5 or so minutes. If you want to post your packet capture, I could take a look at it when I get some time.
     
  9. Dalriada

    Dalriada Private E-2

    Thanks Steve - I'll try to do that this weekend. What's the best format for it? As an attachment I suppose?

    Cheers. I'll keep checking back.

    This may seem like an odd question - you don't by any chance like Marillion by the way, do you?
     
  10. Colemanguy

    Colemanguy MajorGeek

    Don't leave out port numbers, that's a clue to what program/service is working at the time. If it's Windows XP or Vista it could very well just be auto updates checking for updates, which it does regardless of update settings sometimes.
     