Posted

Just a couple of days ago (after my old USB modem stopped functioning) I bought and installed a new ADSL Firewall Router Modem Netgear DG834. I'm connected to TRUE. My question is about the strange amount of sent and received traffic that is shown when clicking on the double monitor icon (in the system tray). First of all, my old USB modem showed the traffic in bytes, and the new one measures the traffic in "Packets". Aside from this, the Sent traffic is much larger than the Received. It's supposed to be the opposite, isn't it?

Here is how it looks:



Capture2-23-07.gif

Is something wrong with my system?

--

I also subscribed and received some strange emails from the modem:

Subject: NETGEAR Security Log [ac:93:a7]

Sun, 2002-09-08 12:00:19 - Initialize LCP.

Sun, 2002-09-08 12:00:19 - LCP is allowed to come up.

Sun, 2002-09-08 12:00:19 - PAP authentication success

Sun, 2002-09-08 12:00:25 - Send out NTP request to time-g.netgear.com

Thu, 2007-02-22 01:45:45 - Receive NTP Reply from time-g.netgear.com

Thu, 2007-02-22 01:45:20 - Router start up

And every couple of minutes it sends reports that email was sent successfully.

Posted

Don't sound right at all to me fella.

Try a PM to Twais or Cdnvic, 2 trusted voices in matters of this type....

redrus

Posted

Can't tell anything for sure but it's acting as if you've gotten your system infected and turned into a spambot. The good ones only send out mail at low volumes like this to avoid detection. Without more information I can only tell you to do a deep system scan with a good antivirus and one or two antispyware programs.

What exact message are you getting regarding successful emails, and is it the same message you get when you send an email from your computer?

If you don't use pop email you can just disallow the use of port 25 to outgoing traffic. That will cut many rogue mail servers off at the knees.

Your log results:

NTP is just sending out a system time request, no biggie, LCP and PAP should just be your logging into your ISP.

Sun, 2002-09-08 12:00:25 - Send out NTP request to time-g.netgear.com

Thu, 2007-02-22 01:45:45 - Receive NTP Reply from time-g.netgear.com

As you can see, the first entry shows the time is set wrong and the second entry shows the correct time after the NTP reply from Netgear.

Of course True may have some weird setup that is causing this and that is beyond me as I'm not in a position to comment on it having not used them.

Posted
It looks to me that the system is not infected at all. The OP obviously does not have a clue what is going on and calls every message from the router an “email”.

As cdnvic already pointed out the NTP (network time protocol) connections are nothing to worry about.

Blocking all sorts of ports, however useful sometimes, seems a bit risky for this user as he might end up being unable to use the SMTP port at all and not send any email any more.

About the lot of sending, this one is easy: look at your posting. The picture shows that you are looking at the Ethernet side (the connection between the router and your PC, 100 Mbps), and of course if you are supposed to be receiving a lot and sending less, the ADSL modem has to do the reverse.

It is sending a lot (to you) and receiving much less.

Joop

Posted

Thanks for the replies mates.

I was also thinking of infections, but... I am running Kaspersky Anti-Virus and lots of Anti-Spyware programs. My system is reported as clean.

Since I am operating a website, there are a lot of email spam coming my way on a daily basis.

The messages from the router:

--

Wed, 2007-02-21 16:00:19 - Send E-mail Success!

Wed, 2007-02-21 16:57:36 - LCP down.

Wed, 2007-02-21 16:57:38 - Initialize LCP.

Wed, 2007-02-21 16:57:38 - LCP is allowed to come up.

Wed, 2007-02-21 16:57:38 - PAP authentication success

--

Tue, 2007-02-20 16:00:09 - Send E-mail Success!

Tue, 2007-02-20 16:11:21 - UDP Packet - Source:38.100.26.220,7881 Destination:58.8.183.199,61415 - [DOS]

Tue, 2007-02-20 16:11:30 - Send E-mail Success!

Tue, 2007-02-20 16:34:47 - Administrator login successful - IP:192.168.0.2

Tue, 2007-02-20 16:46:44 - Administrator login successful - IP:192.168.0.2

Tue, 2007-02-20 16:56:45 - Administrator login successful - IP:192.168.0.2

Tue, 2007-02-20 16:57:29 - LCP down.

Tue, 2007-02-20 16:57:31 - Initialize LCP.

Tue, 2007-02-20 16:57:36 - LCP is allowed to come up.

Tue, 2007-02-20 16:57:36 - PAP authentication success

--

Most of them are as follows:

Wed, 2007-02-21 14:00:39 - Send E-mail Success!

--

Wed, 2007-02-21 13:00:19 - Send E-mail Success!

--

Wed, 2007-02-21 08:00:08 - Send E-mail Success!

----

Could it be somehow related to the settings in BIOS? Something related to the network or similar...

Posted

The latest email:

Subject: NETGEAR *Security Alert* [ac:93:a7]

UDP Packet - Source:38.100.26.220,7881 Destination:58.8.180.110,7996 - [DOS]

Posted

That is most likely a bittorrent client. Just background noise. "Security alert" is the router's way of making you feel it's doing its job.

Posted

Condo_bk, your router supports sending out e-mail alerts!

From Netgear's website:

Logs browsing activities and provides optional e-mail alerts so you can monitor access

For example, next:

Tue, 2007-02-20 16:11:21 - UDP Packet - Source:38.100.26.220,7881 Destination:58.8.183.199,61415 - [DOS]

Tue, 2007-02-20 16:11:30 - Send E-mail Success!

looks like the built-in firewall detected a suspected DOS attack (Denial Of Service attack) coming from IP address 38.100.26.220. It successfully blocked this attack, and to me it seems that immediately afterwards your router sent off an e-mail to a (for now anyway) unknown e-mail address.

This is used quite often to let system administrators know what is happening when they're not on location...

So I guess you'll have to seriously study the manual from your router to find out where to change the settings of the e-mail alerts!

Good luck :o

Monty

PS, just saw cdnvic's post, he's probably right in that the probe the firewall thinks is an attack actually is a P2P server or bittorrent server talking to your client ...
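The e-mails quoted in this thread all share one line shape, "Dow, YYYY-MM-DD HH:MM:SS - message", so they can be parsed and summarized instead of read one by one. The following Python helper is an added example, not code from any poster or from Netgear; it assumes only that format and uses a constructed sample assembled from entries already quoted above. It counts the entry kinds, lists the source addresses of dropped packets, flags administrator logins from outside private (RFC 1918) address space, and checks whether each dropped-packet entry was directly followed by a "Send E-mail Success!" line, which is the alert mail Monty describes.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, assembled from the entries quoted earlier in this thread.
SAMPLE_LOG = """\
Tue, 2007-02-20 16:00:09 - Send E-mail Success!
Tue, 2007-02-20 16:11:21 - UDP Packet - Source:38.100.26.220,7881 Destination:58.8.183.199,61415 - [DOS]
Tue, 2007-02-20 16:11:30 - Send E-mail Success!
Tue, 2007-02-20 16:34:47 - Administrator login successful - IP:192.168.0.2
Tue, 2007-02-20 16:57:29 - LCP down.
Tue, 2007-02-20 16:57:31 - Initialize LCP.
Tue, 2007-02-20 16:57:36 - PAP authentication success
"""

# "Dow, YYYY-MM-DD HH:MM:SS - message" is the line shape seen in the quoted e-mails.
LINE_RE = re.compile(
    r"^(?P<dow>[A-Za-z]{3}), (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) - (?P<msg>.*)$"
)
DOS_RE = re.compile(
    r"(?P<proto>UDP|TCP) Packet - Source:(?P<src>[\d.]+),(?P<sport>\d+) "
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+) - \[DOS\]"
)
LOGIN_RE = re.compile(r"Administrator login successful - IP:(?P<ip>[\d.]+)")


def classify(msg):
    """Map one log message to an event kind plus the fields it carries."""
    m = DOS_RE.search(msg)
    if m:
        return "dos_drop", m.groupdict()
    m = LOGIN_RE.search(msg)
    if m:
        return "admin_login", m.groupdict()
    if msg.startswith("Send E-mail"):
        return "mail_sent", {}
    if "LCP" in msg or "PAP" in msg:
        return "ppp", {}  # PPPoE/PPPoA link negotiation with the ISP
    if "NTP" in msg:
        return "ntp", {}
    return "other", {}


def parse_log(text):
    """Turn the raw e-mail body into a list of event dicts, skipping non-log lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # subject lines, separators and blank lines are ignored
        kind, detail = classify(m.group("msg"))
        events.append({"when": f'{m.group("date")} {m.group("time")}', "kind": kind, **detail})
    return events


def summarize(events):
    """Counts per kind, dropped-packet sources, and admin logins from outside RFC 1918 space."""
    counts = Counter(e["kind"] for e in events)
    dos_sources = Counter(e["src"] for e in events if e["kind"] == "dos_drop")
    external_logins = [
        e for e in events
        if e["kind"] == "admin_login" and not ipaddress.ip_address(e["ip"]).is_private
    ]
    # A mail_sent entry directly after a dos_drop is the alert e-mail for that drop.
    alerts_mailed = sum(
        1 for a, b in zip(events, events[1:])
        if a["kind"] == "dos_drop" and b["kind"] == "mail_sent"
    )
    return {
        "counts": dict(counts),
        "dos_sources": dict(dos_sources),
        "external_admin_logins": external_logins,
        "alerts_mailed": alerts_mailed,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(key, value)
```

Run over a mailbox of these alerts, the summary shows at a glance which entries are routine (PPP negotiation, NTP, the mail confirmations themselves) and which deserve a look: a long list of distinct dropped-packet sources, or any administrator login that did not come from the LAN.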

Posted

Thanks folks.

Yes, I did activate the "email upon alert" function in the router. cdnvic asked me to see the actual email messages, so I have posted them.

I also checked my Internet broadband speed:

Download Speed: 223 kbps (27.9 KB/sec transfer rate)

Upload Speed: 92 kbps (11.5 KB/sec transfer rate)

What else should I check?

Posted

It doesn't look like you need to check anything on the router - the email messages are just warning you that your router is dropping unsolicited incoming traffic, which is totally normal and nothing to be concerned about. I'd turn the messages off as they're unlikely to be of any use to you.

With regard to the incoming vs outgoing traffic, you are right that most people using the web etc will have less sent than received and if you think your numbers aren't right you should check it out.

You should first decide if the traffic is reasonable given your activities. It depends on what you are doing, my current web-browsing session shows sent about 1/3rd of received. If I was uploading big attachments to a webmail service or to forums the numbers might be different.

You could try disabling/enabling the interface to zero the counter, then leave it open next to your web-browser and keep an eye on it. If your machine is sending out a lot of data without any interaction from you, then you definitely should find out which program is doing it and why.

If you want to look closer at what network connections you have, then I'd try using TCPView from Sysinternals, it shows all network connections in real time:

http://www.microsoft.com/technet/sysintern...ng/TcpView.mspx

Posted

Indeed, my concern is the incoming vs outgoing traffic.

Just as soon as I boot my PC and open a Local Area Connection Status window, I already see that outgoing traffic is twice the incoming (without me doing anything).

My router has an option called "Reboot the Router", and as soon as I press that button, I see the same results as well.

I do watch the double monitor icon in the system tray and don't see any strange activities.

Since the traffic is measured in Packets, I don't know what is normal/reasonable anymore... But my incoming traffic should be much higher than outgoing.

Here is my TcpView log:

[system Process]:0 TCP michael:9100 localhost:3287 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3270 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3268 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3265 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3267 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3279 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3284 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3266 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3280 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3281 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3277 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3269 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3273 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3276 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3274 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3275 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3282 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3283 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3278 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3291 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3290 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3272 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3295 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3293 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3285 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3286 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3288 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3289 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3292 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3296 TIME_WAIT

[system Process]:0 TCP michael:9100 localhost:3271 TIME_WAIT

alg.exe:2324 TCP michael:1050 michael:0 LISTENING

avp.exe:1736 TCP michael:1110 michael:0 LISTENING

Awc.exe:420 UDP michael:1031 *:*

DkService.exe:2016 TCP michael:31038 michael:0 LISTENING

explorer.exe:1928 UDP michael:2735 *:*

Gigaget.exe:512 TCP michael:3077 michael:0 LISTENING

Gigaget.exe:512 UDP michael:1358 *:*

GoogleDesktopDisplay.exe:712 TCP michael:1193 localhost:9100 ESTABLISHED

GoogleDesktopIndex.exe:568 TCP michael:4664 michael:0 LISTENING

GoogleDesktopIndex.exe:568 TCP michael:3058 localhost:9100 ESTABLISHED

GoogleDesktopIndex.exe:568 TCP michael:1455 localhost:1110 CLOSE_WAIT

GoogleToolbarNotifier.exe:2144 TCP michael:1953 localhost:9100 ESTABLISHED

GoogleWebAccClient.exe:2928 TCP michael:9100 michael:0 LISTENING

GoogleWebAccClient.exe:2928 TCP michael:9100 localhost:3058 ESTABLISHED

GoogleWebAccClient.exe:2928 TCP michael:9100 localhost:1045 ESTABLISHED

GoogleWebAccClient.exe:2928 TCP michael:9100 localhost:1193 ESTABLISHED

GoogleWebAccClient.exe:2928 TCP michael:9100 localhost:1953 ESTABLISHED

GoogleWebAccWarden.exe:3016 TCP michael:1045 localhost:9100 ESTABLISHED

Maxthon.exe:3596 UDP michael:1230 *:*

msimn.exe:3732 UDP michael:2689 *:*

StarWindService.exe:3048 TCP michael:3260 michael:0 LISTENING

StarWindService.exe:3048 TCP michael:3261 michael:0 LISTENING

svchost.exe:1160 TCP michael:epmap michael:0 LISTENING

svchost.exe:1296 UDP michael:ntp *:*

svchost.exe:1296 UDP michael:ntp *:*

svchost.exe:1412 UDP michael:1025 *:*

svchost.exe:1536 UDP michael:1900 *:*

svchost.exe:1536 UDP michael:1900 *:*

System:4 TCP michael:microsoft-ds michael:0 LISTENING

System:4 TCP michael:netbios-ssn michael:0 LISTENING

System:4 UDP michael:microsoft-ds *:*

System:4 UDP michael:netbios-ns *:*

System:4 UDP michael:netbios-dgm *:*

Posted

It's comforting you don't see anything unusual happen in terms of timing, however the proportions do sound a bit strange.

There are a number of ways to isolate which program is doing what, and the simplest would be to:

- Close all network-active processes and confirm no network activity

- Use your normal browser and check for normal activity

- If not normal then install alternative browser (Firefox, Opera) and confirm

- Activate the other network-active programs individually and see if you can isolate which program is sending off loads of data.

The way I'd recommend would be to install a personal firewall, for this purpose I'd recommend Kerio:

http://www.sunbelt-software.com/kerio

The monitoring screen in Kerio is just like TcpView but better - because it logs the volume of traffic too, it will tell you straight away what is happening. After installation you have to go through the process of creating rules for your various applications, however once it is running normally you can enable/disable access for individual programs, selectively log their access, and see which applications are doing what. This method is a bit more difficult but you will end up knowing a lot more about what is going on and having total control over outbound access.

The processes I'd be most interested in are:

Gigaget.exe - download manager

All the Google Desktop/web accelerator stuff

Maxthon

msimn.exe - Outlook Express
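A TCPView dump like the one above is easier to act on once it is grouped by process: which programs are listening, which hold loopback-only connections (the Google Desktop/Web Accelerator chatter on port 9100), and which actually have a peer outside the machine. The Python helper below is an added example, not code from any poster or from Sysinternals. It assumes the one-row-per-socket text form shown in the thread, that the local host name is "michael" as TCPView prints it, and uses a constructed sample taken from the posted dump plus one made-up row with an outside peer (203.0.113.10 is a documentation address) so the outside-peer check has something to find.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the TCPView dump posted above, plus one
# made-up row (Maxthon.exe to 203.0.113.10) so that an outside peer is present.
SAMPLE_TCPVIEW = """\
[System Process]:0 TCP michael:9100 localhost:3287 TIME_WAIT
[System Process]:0 TCP michael:9100 localhost:3270 TIME_WAIT
alg.exe:2324 TCP michael:1050 michael:0 LISTENING
Gigaget.exe:512 TCP michael:3077 michael:0 LISTENING
Gigaget.exe:512 UDP michael:1358 *:*
GoogleDesktopIndex.exe:568 TCP michael:3058 localhost:9100 ESTABLISHED
GoogleWebAccClient.exe:2928 TCP michael:9100 michael:0 LISTENING
GoogleWebAccClient.exe:2928 TCP michael:9100 localhost:3058 ESTABLISHED
Maxthon.exe:3596 UDP michael:1230 *:*
Maxthon.exe:3596 TCP michael:3300 203.0.113.10:http ESTABLISHED
svchost.exe:1296 UDP michael:ntp *:*
System:4 TCP michael:microsoft-ds michael:0 LISTENING
"""

LOCAL_HOST = "michael"  # assumption: the machine's own name as TCPView prints it

# process:pid  PROTO  local:port  remote:port  [state]   (UDP rows carry "*:*" and no state)
ROW_RE = re.compile(
    r"^(?P<proc>.+?):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\S+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\S+)(?:\s+(?P<state>\S+))?$"
)


def parse_tcpview(text):
    """Parse the text dump into one dict per socket row; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def is_local(addr):
    """True for peers that are this machine itself (loopback or its own name) or unbound."""
    return addr in ("localhost", "127.0.0.1", LOCAL_HOST, "*")


def summarize_by_process(rows):
    """Per process: TCP listening ports, UDP ports, loopback vs outside ESTABLISHED peers."""
    out = defaultdict(lambda: {"listening": set(), "udp": set(), "loopback": 0, "outside": set()})
    for r in rows:
        s = out[f'{r["proc"]}:{r["pid"]}']
        if r["proto"] == "UDP":
            s["udp"].add(r["lport"])
        elif r["state"] == "LISTENING":
            s["listening"].add(r["lport"])
        elif r["state"] == "ESTABLISHED":
            if is_local(r["raddr"]):
                s["loopback"] += 1
            else:
                s["outside"].add(f'{r["raddr"]}:{r["rport"]}')
        # TIME_WAIT / CLOSE_WAIT rows are closing leftovers and are not counted.
    return dict(out)


def processes_talking_outside(summary):
    """Names of processes that currently hold a connection to a peer off this machine."""
    return sorted(p for p, s in summary.items() if s["outside"])


if __name__ == "__main__":
    summary = summarize_by_process(parse_tcpview(SAMPLE_TCPVIEW))
    for proc, s in summary.items():
        print(proc, s)
    print("talking outside:", processes_talking_outside(summary))
```

This counts sockets, not bytes, so it narrows the list of programs to watch (here only the browser row reaches outside; everything else is listening or loopback) rather than measuring how much each one sends; a per-process byte count still needs a firewall log or a packet capture.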

Posted

Traffic associated with DHCP, discovery etc. would be insignificant when compared with normal browsing traffic unless there are actual file transfers going on. However, traffic <> packets, and packets are what Condo is looking at.

Considering there's no indication of infection, I'd tend to think that this is caused by programs making a lot of small requests rather than actually a lot of data going out, and Windows networking stuff could definitely be contributing to this. However the only way to be sure is to monitor with a firewall or some other mechanism which counts bytes.

Posted

As I stated in my initial post, previously I was using a USB modem (which measured the traffic in bytes) and the incoming traffic was much higher than outgoing - i.e. normal operation.

I have not noticed any abnormalities in my system after installing the Netgear ADSL Router DG834, other than the disparity of incoming vs outgoing traffic.

This router has an integrated firewall and the following specs:

Standards: IEEE802.3, IEEE 802.3u

Protocols: Static and Dynamic Routing with TCP/IP, VPN passthrough (IPSec, L2TP, PPTP), NAT, UDP, RIP, PPPoE, PPPoA, Classic IP, DNS, DHCP

Security: Stateful Packet Inspection, Intrusion logging and Reporting, Denial of Service protection; NAT traversal (VPN pass-through) for IPSec, PPTP and L2TP VPNs

Ports: LAN Ports: Four (4) 10/100 Mbps auto-sensing, Auto Uplink RJ-45 ports; WAN Port: ADSL RJ-11, T1.413, G.DMT, G.Lite, ITU Annex A.

In addition to this, I am running COMODO Firewall Pro, and a NVIDIA Firewall that comes with my MB (ASUS A8N-SLi Premium).

My system specs are as follows:

--

OS - Win XP Pro SP2 and IE v.7

CPU - AMD Athlon 64 X2 3800+ @ 2000MHz

MB - ASUS A8N-SLi Premium w/(2x1024) 2GB Corsair DDR 400MHz

HDD - 300GB Seagate Barracuda 7200.9 16MB SATA-II NCQ

VGA - ASUS eXtreme Nvidia GeForce N6600GT 128MB DDR3

PSU - CoolerMaster Real Power 550W

Case - CoolerMaster Centurion 532

--

Posted
This router has an integrated firewall and the following specs:

In addition to this, I am running COMODO Firewall Pro, and a NVIDIA Firewall that comes with my MB (ASUS A8N-SLi Premium).

three firewalls???

Posted

In that case, you've got all the tools you need to confirm. As I mentioned in a previous post, a lot of packets doesn't necessarily mean a lot of traffic, it means a lot of requests. You need to measure bytes to know about traffic or volume of data. Check the Comodo status page and see if there are any applications with unusual proportions of incoming to outgoing bytes and you'll have the answer you need.

I did a very quick check on my notebook which displays packets and the numbers were quite different, the sent was less than received but not by much.

If you don't notice traffic when you aren't initiating it, and the received/sent bytes look reasonable then I wouldn't worry about the packets issue. The way to be even more sure is a packet capture using a program like ethereal/wireshark, if you are still concerned then go for it.
