Unexplained network traffic

[At0mic]

I’m looking after a network with 5 windows 2000 servers and about 60 workstations. We are connected to 5 much smaller sites through VPN. Our ADSL line is 256K/2000K up/down, which isn’t enough I know but we are going to upgrade it to SDSL 2000k/2000k up/down.

The problem is that sometimes the internet and VPN slows down to crawl. Sometimes it goes as high as 5000ms. Normally it’s around 40ms so there’s a problem somewhere, which I haven’t yet been able to determine.

I did get somewhere last week when I noticed the exchange sever had a lot of traffic running through it, which slowed the VPN and internet down. Upon nonchalantly unplugging exchange from the network during a quick off the cuff experiment, the speed shot up from 4000ms to a much happier 35ms. After studying the windows 2000 network monitor, I soon realized that the slowdown occurred each time the marketing department sent an email with a very large attachment out to the local press. The exchange server has two network cards so I plugged the second network card into a completely separate DLS line and configured exchange so that outward-bound SMTP mail would get sent through the other line, which fixed the problem.

Now however, the problem is back, and this time its got nothing to do with exchange. After process of elimination, I’ve determined that the traffic is coming from one or more workstations in the network. I’m thinking that somebody may be doing large unauthorized downloads for personal use or watching/listening to streaming media or maybe even p2p. Not only is it slow, but we frequently get packet loss. Even when I ping using a 30 second wait, it times out. But then after a while, everything goes back to normal and stays below 100ms.

At first, we thought that the problem might be down to replication between the servers through the VPN. That’s not the case because I manually set the times of replication through the VPN and our internet slows down regardless of replication taking place or not.

Can anybody advise me on what to do or recommend a piece of software that can look at network traffic? I’m going to try out some network monitors I found after a search on google but if anybody can recommend a software product that they’ve tried I would be very much grateful.

Edited October 12, 2005 by At0mic

[chilifrei64]

what routers do you have between the 2 branches.. can you look at the config on them...

I had a similar problem twice before.

First time it was a virus on a computer. We had one part time person that would come in, turn on the affected computer and the network would come to a halt.

Second time it ended up being a faulty WIC in my router. It was a cisco router and i just did a show int command and I saw that the router was dropping many many packets. As a temporary releif.. I lowered the MTU of the connection and this would atleast keep things working until the new WIC came in.

You say you have it narrowed down to the 2 computers.. what is on it.. what are they doing.?

[At0mic]

We're using Netpilot boxes for connectivity. They don’t offer much in the way of traffic analysis or anything.

When I said I narrowed it down, I just meant the computers as a whole as opposed to any of the servers. I haven’t got a clue which computer(s) are causing it.