Hi,

I just got a new PC (WIN-XP-Pro (legal!))

We have three other PCs (2 WIN-XP and one WIN98) on an ADSL router.

I observed constant data traffic between the new PC and one other WIN-XP PC.

All PCs are clean (spyware/Virus).

When I disable 'file/printer sharing' on either one of the affected PCs the traffic stops.

All running process on both PCs are the ones which should be running as far as I can judge.

HDD indicators:

on the older PC the red light is almost constantly on with occasional blinking, on the new PC the HDD activity light is very low (running on-off at high frequency).

First I thought this may have something to do with the PCs indexing the files but after 5 days (not 24/7 - the new PC is only on for 2-3hrs. a day for now) it is still going on and I have some doubts as to what may be running, causing the two PCs talking to each other all the time.

How can I find out which PC is the initiator of the traffic and which process/program is responsible for it?

All other data traffic to/from the other PCs and the Internet via the router are accounted for and correct. The problem is only between the two PCs on the LAN.

Any ideas?

opalhort

That's most likely NetBios traffic resulting from file and print sharing being enabled. It's nothing to sweat unless you want to squeeze every last drop of bandwidth.

Install ethereal on one of the PC's then run a packet capture to see what the traffic is. Sounds pretty normal if you're sharing a printer or file share from one to the other.

How can I find out which PC is the initiator of the traffic and which process/program is responsible for it?

Download and run TcpView from here:

http://www.microsoft.com/technet/sysintern...ng/TcpView.mspx

From sysinternals.com: ... it will enumerate all active TCP and UDP endpoints, resolving all IP addresses to their domain name versions. You can use a toolbar button or menu item to toggle the display of resolved names. On Windows XP systems, TCPView shows the name of the process that owns each endpoint.

I'd agree with previous posters that it all sounds very normal, but it's good to check.

Thanks for all your replies and links.

I used the TcpView.

the traffic originates from the new PC, process: System4, address:netbios-ssn and microsoft-ds

(whatever that means)

I was only wondering why this has been going on for so many days already, but it appears to (hopefully?) harmless.

opalhort

Thanks for all your replies and links.

I used the TcpView.

the traffic originates from the new PC, process: System4, address:netbios-ssn and microsoft-ds

(whatever that means)

That is normal traffic for file/print sharing then.

nothing further to add... but its interesting (in a dull networky way) to, as suggested, run ethereal and actually watch the various protocol traffic passing from a to b