
Win2k server communicating back to MS?!


trodas
19th November 2004, 20:10
I have a small home network consisting of no more than 8 computers: one W2k SP3 server, one W2k SP3 machine (mine), five WinXP computers and one oldie Win98SE box, used as an mp3 player + ICQ by my brother when he comes home from college.
The problem is traffic. I'm using a WGR614v1 NetGear router and an FS108 NetGear switch behind it, for some not ping-critical computers.
The problem?
There is still traffic, even when I disabled everything. First thing is, I disabled the response to ping on the WAN port of the router - that way, if someone pings me, it just generates DL traffic, not precious UL traffic - my damn ISP offers only very low UL speeds on modems, currently only 384/96 :mad:
The problem is that when I stop everything, every application that can access the net, I still get traffic. About 3-4k DL and 200-400 bytes UL.
It bothers me, because this is simply something beyond my control.
With a very simple test, simply unplugging every machine from the power outlet, I found that the Win2k SP3 server machine is responsible for the UL traffic. Dunno why, but since the OS is clean and there is no spyware (the machine is not used for surfing) or other nasty software - it must be Windows itself, trying to communicate back to Microsoft, I think.

So I'm looking for a solution - like banning the server it's trying to communicate with using the hosts file, or banning the port in the router. Anyone have a clue how I get rid of this unwanted traffic? It also looks like removing the Win2K SP3 machine gets rid of most of the unwanted DL traffic that appears from "nowhere"... ;)

Suggestions, friends, please...? :)

TotalChaos
20th November 2004, 09:20
Can you add any more information? What services/servers are you running on your Win2K server machine? Also, have you found what ports are being used for this traffic? I'm running Win2K3 server here and I don't notice any unwanted traffic.

trodas
20th November 2004, 11:05
I definitely WILL add more info ASAP ;) (if it helps eliminate the problem...). The server is used as an APPLICATION server, so it runs Macro Express, some little custom-made utilities and eMule for P2P - it also serves as a local webserver (Apache + PHP + MySQL) - however all this can be disabled and the traffic still happens :mad:
It's driving me mad.
I did not yet use a sniffer like Ethereal to find out what traffic this is - I believe that someone already found a solution and killed it - I just wanted a shortcut, eh... :rolleyes:

One user on a broadband forum already suggested this:

Terminal Services install on W2K Server, then yes, it will "phone-home" to MS, to communicate with some master TS licensing server

...which seems to be it. Of course I have to use Terminal Services there, however how to "deal" with this "phone-home"?
I have the server licensed, of course, and registered, but I just don't want additional traffic to happen.

What bothers me is the unknown internet traffic. I want it to be gone, because when it appears again, it's obvious that one of my boxes is infected. Right now a little trojan's traffic sure could hide in it... :(

Any possible help?

http://doublescan.wz.cz/traffic.gif

Doom9
20th November 2004, 11:32
While the server is running, do a "netstat -a", that'll give you information about open and active ports, IP addresses and port numbers. Then create firewall rules on your router to block traffic to those IP addresses and ports.

Also, your P2P is going to be a problem.. even if you don't offer a file anymore or have stopped the client, it takes a while for those changes to propagate through the net and in the meantime people will still try to connect to you.

Last but not least, there is some idle traffic.. you can unplug all your PCs and the router will still communicate with the DSLAM.. it needs to keep the connection open somehow after all. Though that is traffic you cannot track unless you have a way of splicing into the signal and analyzing it.. I'm sure your Telco operator would have the equipment, but that's not something usually available to end users.
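The netstat step suggested above, as an added example that is not part of the original thread: a Python script that parses `netstat -an` output in the Windows 2000 format (Proto / Local Address / Foreign Address / State) from several snapshots taken over time, drops wildcard, loopback and LAN endpoints, and tallies the remote IP:port pairs that remain, which are the candidates for router block rules. Taking more than one snapshot matters because a single dump right after a clean boot only shows sockets open at that instant; a short-lived connection that is already in TIME_WAIT, or a one-shot UDP exchange, is easy to miss. The two sample snapshots, the LAN range 192.168.0.0/24 and every address in them are constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: two `netstat -an` snapshots in Windows 2000 layout,
# taken a minute apart. Addresses are documentation ranges, not real hosts.
SNAPSHOT_1 = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.0.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.0.10:3389      192.168.0.12:1044      ESTABLISHED
  TCP    192.168.0.10:1152      203.0.113.7:443        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

SNAPSHOT_2 = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.0.10:3389      192.168.0.12:1044      ESTABLISHED
  TCP    192.168.0.10:1153      203.0.113.7:443        TIME_WAIT
  TCP    192.168.0.10:1154      198.51.100.20:4662     SYN_SENT
  UDP    192.168.0.10:4672      *:*
"""

# One connection line: proto, local endpoint, foreign endpoint, optional state
# (UDP lines carry no state column).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def _split_endpoint(endpoint):
    """'203.0.113.7:443' -> ('203.0.113.7', '443'); '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote_ip, remote_port, state)
    for every connection line; header and blank lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lip, lport = _split_endpoint(local)
        rip, rport = _split_endpoint(foreign)
        yield proto, lip, lport, rip, rport, state or ""


def is_local(ip_text, lan_networks):
    """True for wildcards, 0.0.0.0, loopback and anything inside the LAN.
    The LAN ranges are passed explicitly rather than using is_private(),
    because Python also classes the documentation ranges as private."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # '*' wildcard from a UDP line, not an address
        return True
    return ip.is_unspecified or ip.is_loopback or any(ip in n for n in lan_networks)


def wan_endpoints(snapshots, lan_networks=("192.168.0.0/24",)):
    """Count, over all snapshots, each remote (proto, ip, port) that lies
    outside the LAN. Any state counts: a TIME_WAIT or SYN_SENT entry is
    still evidence that the box talked, or tried to talk, to that host."""
    nets = [ipaddress.ip_network(n) for n in lan_networks]
    seen = Counter()
    for snap in snapshots:
        for proto, _lip, _lport, rip, rport, _state in parse_netstat(snap):
            if not is_local(rip, nets):
                seen[(proto, rip, rport)] += 1
    return seen


def block_rule_candidates(seen):
    """Render the tally as generic 'deny outbound' lines to transcribe into
    the router's own rule syntax (the assumed wording is illustrative)."""
    return [f"deny out {proto.lower()} to {ip} port {port}  # seen {n}x"
            for (proto, ip, port), n in sorted(seen.items())]


if __name__ == "__main__":
    for rule in block_rule_candidates(wan_endpoints([SNAPSHOT_1, SNAPSHOT_2])):
        print(rule)
```

On a live box the snapshots would come from running `netstat -an` repeatedly (say every few seconds for a few minutes) and feeding each dump to `wan_endpoints`; a remote that keeps reappearing with fresh local ports is the one to look at first, and a sniffer on the machine or a mirror port on the switch is the only way to see traffic that never shows up in netstat at all.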

trodas
20th November 2004, 11:44
Hi, clueless noob Doom9 :D
Good idea!
But when I tried netstat -an after closing eMule (about 2 min later), the resulting number of connections is, eh, overwhelming to say the least. Several pages scrolled by and the buffer set to 3000 lines is not big enough ;) Anyway, I restarted the server and did a clean boot and:

http://doublescan.wz.cz/netstat.gif

...there is nothing suspicious (and simply nothing that can generate traffic), though the traffic during the restart of the server dropped to zero (hooooray!), however it got back to the standard rate when it booted up again. Damn.
I'm afraid that netstat -an simply did NOT show the Windows "home-call"... :mad: Damn M$!

And no, I have a cable connection and the traffic on the router is reported ZERO (at least the UL traffic; DL continues to happen, though) when the server is restarting/offline.
So no, this is not the case.

Luckily I can at least disable the ping response, so anyone who pings my IP does not also generate UL (not just DL) traffic. Like I say, with just 96k UL this IS important.

BTW, little update - running services on my server - suggestions to disable some unnecessary ones are welcome :devil:
http://doublescan.wz.cz/services.gif

trodas
20th November 2004, 18:13
I just tried to disable every service to see which one causes the problems - however a few can't be disabled :(
Terminal Services is among them, so... :mad:

Anyone know/can determine the IP/DNS address of the TS licensing server? I will then add it to the hosts file, like:
127.0.0.1 tslicense.microshit.com
...so every access to "tslicense.microshit.com" will go to the local machine - effectively blocking the traffic w/o any problems :D

trodas
20th November 2004, 20:57
Could the negative netstat check be related to the fact that the server is behind a firewall? :rolleyes:

I mean - what if - the outgoing traffic is simple server requests for a response from the "master Microsoft server" and the incoming traffic is the response, however it will not reach the server, so it looks like it continues forever :(
IMHO it could be it.
The MS server sees my IP as the source, but the IP of the server on the local network behind the firewall just differs from the external IP, so... The reply can't reach the machine, if MS doesn't have this Terminal Services licensing stuff ready for proxy servers and FW/routers in general...
(just like direct connections on ICQ/AIM)

Could be? :(

neo75903
21st November 2004, 16:00
It is normal when you have Windows PCs sharing folders through the network. PCs are scanning the network for available resources. It is less with Win2k but certainly for XPs.
You can use a packet sniffer to figure out what is being transmitted.

trodas
21st November 2004, 18:36
neo75903 - I never cared much about LAN traffic. What bothers me is the WAN traffic, outside my network, to the internet. More precisely - the Win2k server "phoning home" with the Terminal Server licence thing... :o :( :mad:

neo75903
21st November 2004, 23:29
I see, maybe someone stumbled onto your network?
I have around three networks in my neighbourhood and they generate all sorts of traffic on my WAN.
Anyway it can be all sorts of things, good luck hunting.