Dead Host Consuming most of the traffic

August 31, 2010 at 00:54:11
Specs: Windows Server 2003
Hello Friends,

My bandwidth is fully consumed by some of the IPs inside the LAN. But those IPs are not getting pinged, nor can I get the host name of those IPs with "nbtstat -a [IP ADDRESS]".

It is strange that a dead host is consuming the bandwidth. Please guys, advise me: what could be the reason and how can I solve this issue?

Thank you in advance.



#1
August 31, 2010 at 07:19:27
If the client was "dead", it wouldn't be consuming anything, would it?

Not replying to a ping could simply mean the client in question has a firewall on that is set to not reply to ICMP requests.

Unless this is a very large network, I'd do a quick walkaround and inspect each machine in your LAN. From the sounds of it, you've likely got someone doing a lot of downloading/uploading who's hogging the bandwidth.

It matters not how strait the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***



#2
August 31, 2010 at 07:37:52
Yeah, that's true; if the host is dead, it wouldn't consume the b/w.

Hmmm, could be the firewall is blocking ICMP requests. But what about "nbtstat -a [ip address]"? Does it also use ICMP or something else to get the NetBIOS name?

While I am scanning with IPScanner, it's even showing as dead.

I have a network of about 200 users and I have assigned static IPs. I have the list of almost all the IPs I've assigned to the users, and those IPs are not on that list either.

It's something strange and I'm still scratching my head over this. :(



#3
August 31, 2010 at 08:04:24
Dead, as in not alive, is not a term used to describe bandwidth utilization.

How are you dishing out IPs? If static, then you know which machine has which IP. If dynamic, you would look at the DHCP server for the host name associated with that IP.

nbtstat is NetBIOS transport stats. If you don't have NetBIOS over TCP/IP checked, there is nothing for the command to return.

Most important question is how are you determining all of your bandwidth is consumed?



#4
August 31, 2010 at 08:06:40
Hmmm, could be the firewall is blocking ICMP requests. But what about "nbtstat -a [ip address]"? Does it also use ICMP or something else to get the NetBIOS name?

To be honest, I'm not sure if the nbtstat command is ICMP based but I suspect you have a firewall blocking that too.

While I am scanning with IPScanner, it's even showing as dead.

Port scanning is one of the many things firewalls were invented to block.

I have a network of about 200 users and I have assigned static IPs. I have the list of almost all the IPs I've assigned to the users, and those IPs are not on that list either.

If I'm reading this right, the offending IP is not a "legitimate" IP as assigned by you. NOTE: I see you said, "I have a list of almost all the IPs". You need to keep a list of all IPs you've assigned. There's no excuse for not doing so. Once the list is complete, it's a simple and quick matter to add a new computer to the list.

This tells me you have some smarty pants cracker jack who's brought a computer up that isn't one that should be running. If it were me, I'd get the big boss man in charge and I'd do a walkaround when all staff are gone. Popping open a command prompt window and typing ipconfig /all on all computers in the building, while tedious and slow, would eventually yield the offending computer(s).


I would make a note and then, the next day, quietly find out who's using that computer, and I would fire them on the spot. The phrase is "terminated with prejudice". Disable their domain account, remove all access cards/keys and escort them off the property.

In fact, I would take it one step further. Once I've discovered the computer that isn't supposed to be running on my network, I'd find out what's going on on that computer. From the sounds of it, you have someone running sharing software and trading in illegal files. If that's the case, I'd see that they get escorted out the front door and into the waiting hands of the police.

This is the exact reason businesses have an "Appropriate Use" policy that applies to the company's computers and network. If you don't have one, you need to make one and have all employees read it and sign a sheet stating they have read and understood it. If you do have one, the person in question may also be liable for a computer hacking charge as well as trafficking in illegal files (be it software, movies, music, kiddie porn etc.).

Whatever is going on, if it's what I think it is, you need to stomp on this hard and make a big example of the person involved and then make sure all employees know why the person got canned.




#5
September 1, 2010 at 03:35:22
Guys, first I am sorry for the wrong term "dead host". Yeah, it's not a dead host; the right term would be hidden host.

@Wanderer: it's the static IP method, and I have collected all the IPs as best I can. Since I am new to this place, I feel like there might be some device missing, so I am using the word "almost". And those IPs are not on my assigned IP list. :(

Well, to monitor the consumption of the bandwidth, I have set up Cacti for the gateway, which tells me the overall consumption of the bandwidth. And to see which IP is consuming how much b/w in real time, I am logging in to my gateway firewall and monitoring what packet size each IP is consuming.

@Curt: I 100% agree with you and I am really impressed with the way you've replied... appreciated!!! And yeah, there is no excuse for not having a proper list of assigned IPs. Those IPs are consuming b/w at random times; they consume the b/w for a certain time, then they disappear. I could see my b/w flat at the max point last night while I was not in the office, so I couldn't monitor whether it was those IPs or not.

And regarding the punishment thing, I wish I had that empowerment. :( It's "user driven IT", not "IT driven users".

But still, I'll try my best. Let's see; if I get something, I'll post an update.



#6
September 1, 2010 at 08:23:02
Have you checked your DNS server for a host entry for this rogue IP address?

Do you have managed switches? They keep a viewable per-port MAC address table.

One of the tricks I use to find the rogue machine is to bring up a PC with the same IP address. When the rogue comes online, there is an IP conflict message containing the MAC address. Find that MAC address in the switch table and you have the port number the machine is connected to.

Another trick, when the machine is on, is to ping the subnet's .255 address. So if you have 192.168.1.x, it would be 192.168.1.255. Then do an arp -a, which was populated by the ping. This will give you the MAC address also.

You should also be able to set your router to deny that IP address internet access. Perhaps the scream of the users' frustration will pinpoint their location :-)


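To automate the last step of the trick above (ping the broadcast address, then read arp -a), here is a small added example that is not from the poster: it parses the Windows arp -a output and reports the IPs whose MAC was learned but that are not on the assigned-IP list, so they can be looked up in the switch MAC table. The ARP output, the addresses and the ASSIGNED_IPS inventory are constructed for illustration.

```python
import re

# Constructed sample of Windows `arp -a` output taken after pinging the
# broadcast address; the addresses are made up, not from the poster's LAN.
SAMPLE_ARP = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.25          00-aa-bb-cc-dd-01     dynamic
  192.168.1.77          00-aa-bb-cc-dd-02     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed stand-in for the admin's list of assigned static IPs.
ASSIGNED_IPS = {
    "192.168.1.1": "gateway",
    "192.168.1.25": "finance-pc-01",
}

# One ARP cache row: IPv4 address, dash-separated MAC, entry type.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def parse_arp(output):
    """Map IP -> MAC for dynamic (learned) entries in `arp -a` output.
    Static rows are skipped: on Windows those are broadcast/multicast pseudo-entries."""
    table = {}
    for line in output.splitlines():
        m = ARP_ROW.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower()
    return table


def find_unassigned(arp_table, assigned):
    """Return {ip: mac} for hosts seen on the wire but absent from the inventory."""
    return {ip: mac for ip, mac in arp_table.items() if ip not in assigned}


if __name__ == "__main__":
    # In real use, feed in the output of `arp -a` run right after
    # `ping 192.168.1.255`, so the cache is freshly populated.
    for ip, mac in sorted(find_unassigned(parse_arp(SAMPLE_ARP), ASSIGNED_IPS).items()):
        print("unassigned host %s has MAC %s; find it in the switch MAC table" % (ip, mac))
```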

#7
September 10, 2010 at 22:51:57
Good post. I didn't know you could ping the subnet. I'm not a tech, just a home user with a serious hacker problem for some time. I'm going to try this suggestion. I have found a rogue host that's not in my DHCP list, but I haven't got a MAC address.
