December 19th, 2012, 03:08 AM
Help identifying network device
There are 2 routers on a remote support network a back up and main one. None of the network devices we are aware of are configured to use the backup router but we have found that all of a sudden we have that packets are being routed to the backup router and we do not know what device or application is doing this. I am trying to find a way to identify what device/application is doing this.
Network setup - client server hybrid network where server holds a central database and is also a DNS server.
main Router = default gateway for all endpoints
Server = DNS server and database server
workstations = run applications locally but write information back to database server.
I was thinking of using wireshark or Nmap but I am unfamiliar with those tools and not sure how to go about the task. The server is an old Win2000 server and not much RAM so I can't install anything fanciful.
Can someone please advise me what to do.
Please let m know if you require further information.
December 19th, 2012, 12:36 PM
Wireshark is pretty easy to use, the trick (if you can call it that) is reading the results. I have a portable version on my USB key.
When you start it up as an admin it'll show you the interfaces it can listen on. Start listening on the right one; if you're not sure which the toolbar button to start listening will pop up a dialog and it'll show you packet counts as they happen, then you can see which one is getting traffic.
Then let it run for a minute or so, until you think it's gathered enough data for you to look at. First thing to check is the IP address that isn't the computer (probably the source address). That should be enough to tell where the packets are coming from.
To see what the data is look at the destination port, description from Wireshark, and maybe even the data inside. Odds are it'll include ports like 53 (DNS) or 137-139 (NetBIOS) to the router itself, but more interesting would be packets that go through the router to the outside world. Probably some of port 80 for HTTP; look in those packets to see what hostname they're going to since that's the quickest way to determine what the source program is.
For long-running connections that you're unsure of you can note the source address and port, go to that computer, and check its open connections (like TcpView, I have that on USB too) to see the actual programs using them.
December 19th, 2012, 09:32 PM
tcpview from sysinternals.com might do the trick for you too, it's simple and lightweight for simply identifying network traffic source/destinations without looking at the data itself.
The sysinternals suite is a required part of all my windows installs.
edit: Oops, I see requinix already mentioned tcpview. Sorry about the duplication.
Comments on this post
It is a truism of American politics that no man who can win an election deserves to. --Trevanian, from the novel Shibumi
December 29th, 2012, 04:43 AM
Thank you everyone for getting back to me. The device was discovered by a colleague (by elimination) so I ended up using wireshark just for information / learning purposes. It gave me quite useful information and I think I must learn to use it better.
I haven't posted on many forums before but I have gotten answers from a lot. I have found in a lot of cases people don't come back to say thank you or if the suggestions worked or not. So thanks again to all that responded.