Windows 7 - Local Area Network Connection Has Constant Activity?

Asked By charlie on 28-Jul-12 11:56 PM
I have a bit of a problem.

In the last couple of days, my Network connection runs all the time
downloading something or checking something, I am not sure which but it
seems to have a ton of packets sent and received.  But nothing is going
on, most of the time the computer is sitting idle - but this activity
just goes on and on.  I am running WinXP with all updates, I have a
Local Area Network to also link my laptop to the network via a Linksys
4-Port Router which I have used for quite some time.  As I said, this
activity just started in the last couple of days and I cannot figure
out what is causing it or how to fix it.

I have the latest version of Norton Antivirus 2012 running, but have
been using this antivirus program for a number of years without this
problem.

Any thoughts on what might be causing this problem?

Thanks
charliec


VanguardLH replied to charlie on 29-Jul-12 12:43 PM
Measured where?  At the router or at your computer?

If the activity is at your computer, have you tried to monitor what is
generating the traffic and to where it is going?  SysInternals' TCPview
will show you what processes have connections.  You can probably
configure it to hide unconnected endpoints (they have unbound yet).
Nirsoft has their SmartSniff and SocketSniff utilities to let you know
what network traffic is received or sent from your computer.
SocketSniff lets you monitor the network traffic for a selected process,
so use TCPview to see which processes have network connections to then
choose one, or more, to monitor with SocketSniff.  SmartSniff is a
packet sniffer that lets you monitor all your network traffic.  Another
popular packet sniffer is Wireshark.  There are lots of network monitor
utilities available at the download sites (download.com, softpedia.com).

If your router has logging, you could turn it on to see to where all
your intranet hosts are connecting.  Have you enabled the security
settings inside the router to make sure your neighbors or roaming
hackers are not using your router?  "Linksys 4-port router" tells no one
what you actually have.  That does not specify a particular model for
anyone, including you, to go read its online manual to find out what
security features it provides.

Do you have UPnP service enabled (http://en.wikipedia.org/wiki/Upnp)?
Is SSDP (http://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol)
service disabled?  If not, why not?  What hosts or network nodes do you
have that actually support it?  What hardware, if any, have you added in
the last few days?

How many wifi nodes, if any, are in your intranet?  If none, did you
leave the Wireless Zero Configuration service enabled?  For info, see
http://en.wikipedia.org/wiki/Wireless_Zero_Configuration.  Do you even
need it if you do have wireless nodes?

Char Jackson replied to charlie on 29-Jul-12 12:43 PM
You do not mention what problem you are having. If you are just curious
about the traffic, there are some things you can do. Off the top of my
head, and in no particular order:

a) go to Computer Management and expand the Shared Folders branch. Look
at Sessions and Open Files to see if any clues jump out.

b) from a Command Prompt, run "netstat -a" to see what connections are
open.

c) in Task Manager, select the Networking tab and look at the Network
Utilization to see how much traffic is involved.

d) pull the WAN cable from the router to see if the traffic stops. If
it stops, it was LAN-WAN traffic. If it does not stop, it is LAN-LAN
(intraLAN) traffic. Not a definitive test, but helps determine where
the endpoints may be.

e) use a packet capture program such as Wireshark to view the actual
traffic. This will allow you to see the source and destination IPs
and ports, the traffic type, and the actual payload. Expect to be
overwhelmed if you have not been here before.

f) 'other' - for everything not mentioned above, including malware
scans with something other than Norton.


I am still not sure what problem you are having. Every LAN has (nearly)
constant activity.
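
One way to read the netstat output from step b) in terms of the LAN/WAN split from step d), as an added example that is not part of the original thread. It assumes the command was run as `netstat -ano` (numeric addresses plus owning PID) and uses constructed sample output; the PIDs it reports can be matched to process names in Task Manager.

```python
import ipaddress
from collections import Counter

# Constructed sample of `netstat -ano` output (not taken from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  TCP    192.168.1.100:1042     192.168.1.101:445      ESTABLISHED     4
  TCP    192.168.1.100:1187     203.0.113.25:80        ESTABLISHED     2312
  TCP    192.168.1.100:1188     203.0.113.25:80        ESTABLISHED     2312
  TCP    192.168.1.100:1201     198.51.100.7:8080      ESTABLISHED     1720
  TCP    192.168.1.100:1150     203.0.113.40:443       TIME_WAIT       0
  UDP    0.0.0.0:1900           *:*                                    1104
"""

# RFC 1918 private ranges plus IPv4 link-local: addresses that stay behind the router.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def parse_netstat(text):
    """Yield (local, remote_ip, remote_port, state, pid) for each TCP row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # headers, blank lines and UDP rows (which have no state)
        _, local, remote, state, pid = parts
        host, _, port = remote.rpartition(":")
        yield local, host.strip("[]"), int(port), state, int(pid)

def classify(remote_ip):
    """LAN endpoints keep talking with the WAN cable pulled; WAN endpoints stop."""
    ip = ipaddress.ip_address(remote_ip)
    if ip.is_unspecified or ip.is_loopback:
        return "LOCAL"
    return "LAN" if any(ip in net for net in LAN_NETS) else "WAN"

def wan_talkers(text):
    """Count ESTABLISHED connections to WAN endpoints, keyed by (pid, ip, port)."""
    counts = Counter()
    for _, rip, rport, state, pid in parse_netstat(text):
        if state == "ESTABLISHED" and classify(rip) == "WAN":
            counts[(pid, rip, rport)] += 1
    return counts

if __name__ == "__main__":
    for (pid, rip, rport), n in wan_talkers(SAMPLE).most_common():
        print(f"PID {pid}: {n} connection(s) to {rip}:{rport}")
```
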

charlie replied to VanguardLH on 29-Jul-12 02:23 PM
Ok, let me try to take a look at what you offered.  The Linksys router
is the BEFSR41 model.  I will start by trying SysInternals' TCPview and
go from there.

charliec

charlie replied to Char Jackson on 29-Jul-12 02:31 PM
Ok, I will try your suggestions and see what comes up.

The constant activity is under "Activity"  on the Local Area
Connection Status window, tons of packets are being "sent" and
237,000+ received.  I have never had this kind of activity on the
network when not doing anything.

It also slows down my computer and sometimes freezes it for a while.  I
need to resolve what is causing it and fix it, but am still a bit at a
loss now - will try your suggestions.

charliec

charlie replied to Char Jackson on 29-Jul-12 04:51 PM
The problem is, this constant activity is causing my computer to slow
down and freeze at times - did not happen until a couple of days ago.
No new hardware installed.


Sessions had no items - Open Files had no items.


I did that and have a copy of the results, but do not know what to
really look at in the results - can you advise as to what to look at
or for?


It appears to be at 1% or less most of the time.


Looked at the box, but am not sure what the WAN cable is - have 3
cables in it (not including the power cable), one to the computer, one
to the Internet, and one that I can plug my laptop into.


Not sure what Wireshark is - are you referring to the Wireshark
Capture Filters program I saw on the Internet or something else?


I have Spy Sweeper and SpyBot installed, but run them in manual mode
instead of live so as not to conflict with Norton Antivirus.  Will run a
scan with them in a few minutes.


The problem is, this activity slows my computer and freezes it at times
- tons of "packets Sent and Received" and constantly increasing.

VanguardLH replied to charlie on 29-Jul-12 05:45 PM
So if it was not a hardware change in the last few days when this
behavior changed, what software have you installed?  Might be time to
consider a 3rd party firewall so you get prompted when a process wants to
make a connection and you can see to where it is connecting.  TCPview
will tell what currently has a connection but it will not show you what had
a connection but is no longer connected plus it is not going to regulate
what can connect to where.

First use the utilities I mentioned in my other post.  Those will likely
show the culprit of the network traffic.  Could be, for example, your
anti-virus, Flash Player, Adobe Reader, Windows Update, and other auto-
update features in several apps that you left configured to do these
background and automated updates without ever prompting you about them.
Any apps you have installed that have an auto-update function should be
configured to ask you for permission to install the update, not just
blindly modify your computer setup.

Char Jackson replied to charlie on 29-Jul-12 07:58 PM
I am extremely skeptical that the network traffic is the reason why
your computer is slowing down and freezing. There simply is not nearly
enough traffic present to account for that. The traffic could be a
side effect, but not the root cause, so you may or may not be chasing
ghosts.


See what I mean? 1% is not significant.

In Task Manager, keep an eye on CPU utilization to get a feel for
what is normal, and compare that to the utilization when things get
hairy. If the utilization spikes or even maxes out as the system
slows, flip over to the Processes tab to see if the offending process
reveals itself. If it is malware, it may not, but it is worth a shot.


The one going to the "Internet" is the WAN cable. If your phantom
traffic is host-to-host within your LAN, disconnecting the WAN cable
will not stop that traffic. However, if something on your computer is
talking to an endpoint on the Internet, then pulling the WAN cable
will make it stop. It is a very crude test.

edfair replied to Char Jackson on 29-Jul-12 11:47 PM
Take a look at processes running. I have seen wupdate get borked and two
instances attempting to do updates beating each other over the head.

If you are familiar with the processes that should be running and know
the issues when you shut them down you could do that to see if there is
something there.

charlie replied to edfair on 01-Aug-12 02:34 PM
By "processes running", you mean in the ctrl/alt/delete window?

In most cases, I always have MS Outlook 2010 and My Computer minimized
on the toolbar, and nothing else running.  The computer is idle, but
the Local Area Network Icon still shows a lot of activity.  Checking
it, I see many packets being sent and received on the Network.

Char Jackson replied to charlie on 01-Aug-12 03:21 PM
It is called Task Manager, and Ctrl-Alt-Del is only one way to access
it. You can also right click on the taskbar and select Task Manager
from the context menu, among others. Once Task Manager is running,
select the Processes tab.


I still do not think network activity is necessarily a bad thing. Did
you ever do any of the things that were suggested to track it down?

charlie replied to Char Jackson on 02-Aug-12 12:25 AM
I worked with Dell on it and they found a virus on my machine, cleaned
it up and things seem to be going better now.

Char Jackson replied to charlie on 02-Aug-12 12:53 AM
I guess you will be dumping Spy Sweeper, Spybot, and Norton now, eh?

edfair replied to Char Jackson on 01-Aug-12 11:43 PM
quote: "... on the toolbar, and nothing else running."

You'll have other stuff running.  Probably 30 to 40 things that the OS
wants running to operate, some of which can be stopped manually without
borking the system.

For test purposes you can probably cut that back by 10 to 15 by
start>run>msconfig, go to startup tab and disable all for the duration.

The more stuff you can eliminate as being the problem the easier the fix
is going to be.