large traffic through nbdgram

I checked Activity/Connection and realized that “system”, when the computer is in an idle state, constantly exchanges data with a broad range of IP addresses (local, thank heaven). I disabled this (by clicking close) and checked the log. There it showed that nbdgram (port 138) wants to get frequent access to the local network. I presume that nbdgram falls under “system” and is the program responsible for the data transfer.

The transfer is in megabytes though… Is this normal? (I presume that e.g. 19.99 M would stand for a value close to 20 Megabytes: I am not sure how to interpret the “.” symbol since it could also mean 1999 Megabytes???)

Zoran

It means 20 MB. This type of traffic is normal for a small/medium size LAN. But you can show us the logs to have a better idea. All broadcasts, DNS queries, DHCP etc. take traffic.

Egemen

Thanks! Things are starting to worry me a little. For example under “Activity/Connections” there are two lines:

Application=System
Remote=129.16.40.24-216.126.201.152
Port=137 (UDP In/Out)
Traffic= This changes roughly by 1M per second. Is this normal?

Does this mean that “System” is communicating with all computers in the range 129.16.40.24-216.126.201.152? That’s scary… since address 216.126.201.152 is far beyond my domain.

I am sorry for providing the log in such a form, I do not know how to do it otherwise since “System” stuff seems to never get checked by any of the rules. Only if I click the “Close” button do I start seeing in the Log tab that the computer is making a lot of requests to connect by using nbdgram.

Zoran

This IP address (216.126.201.152) belongs to our forums. It is not common for System to generate such sort of traffic. What sort of applications do you have installed? Some VPN client or packet encryptor perhaps? Can you tell us about your network configuration?

Egemen

Now it added 64.233.138.99 (some address in the USA) and is exchanging data like mad…

Could it be the automatic Windows Update configuration?

I will disable it and see how the system behaves…

Zoran

It is important for us to know what your network configuration is. Any VPN clients, network drivers, network clients?

If the System process is connecting to NON-local IP addresses, this means a driver is connecting to the internet.

An example driver would be a VPN client, IPSec, etc. So we need to know the network configuration you are using to understand what is going on.

Egemen

It seems to me that your AV’s email scanner or web scanner manages its tasks at the kernel level.

Egemen

I have done a more detailed analysis; disabled automatic Windows updates, let the computer be, and just monitored it for 45 minutes. Traffic starts at a rate of ca 0.3 MByte/sec and slowly climbs to ca 2 MByte/sec, and it stays roughly at that rate. In this period three sites are contacted: two local servers and the Comodo site (195.92.253.139).

Funny thing is that I used Port Explorer to try to see if some hidden application is making this connection, but Port Explorer is silent, it just says “LISTENING” on ports 137 and 138 where this stuff happens. Though, Comodo is reporting a lot of traffic…

Network configuration: I’d like to tell you about this if you tell me how to provide this information :). Of all networking beginners, I am the king of all beginners… :cry:

It’s probably something local… I will check with people here.

Zoran

How do you connect to the Internet? ADSL, cable, other broadband?
Most importantly, what other security software do you have installed? Try sending/receiving email and watch the traffic. Does the System process generate traffic?

Egemen

High capacity cable. LAN, 100 Mbps. That counts as broadband I suppose. Security software I have installed (apart from Comodo):

eTrust Personal (antispyware)
Symantec (antivirus)
Spybot S&D (antispyware, today)

I think that reading mail only generates traffic through Outlook. That seems to be fine… Also, security software networking gets handled through the respective applications, I do not think it runs under the kernel, but how would I know since I am not an expert.

I killed “System” by clicking “Close” in the Activity tab, and now this wild traffic stopped. Though I get an enormous amount of “blocks” from the application monitor in the log, meaning I stopped it by brute force (log appended below).

Zoran

START OF LOG

Date/Time :2006-06-30 20:38:57
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:129.16.110.210:nbdgram(138))
Application: System
Parent: System
Protocol: UDP In
Remote: 129.16.110.210:nbdgram(138)

Date/Time :2006-06-30 20:38:55
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:129.16.137.66:nbname(137))
Application: System
Parent: System
Protocol: UDP In
Remote: 129.16.137.66:nbname(137)

Date/Time :2006-06-30 20:38:48
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:129.16.138.243:nbdgram(138))
Application: System
Parent: System
Protocol: UDP In
Remote: 129.16.138.243:nbdgram(138)

Date/Time :2006-06-30 20:38:48
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:129.16.42.153:nbdgram(138))
Application: System
Parent: System
Protocol: UDP In
Remote: 129.16.42.153:nbdgram(138)

Date/Time :2006-06-30 20:38:46
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:129.16.138.124:nbdgram(138))
Application: System
Parent: System
Protocol: UDP In
Remote: 129.16.138.124:nbdgram(138)

Date/Time :2006-06-30 20:38:45
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:129.16.137.140:nbname(137))
Application: System
Parent: System
Protocol: UDP In
Remote: 129.16.137.140:nbname(137)

END OF LOG

Zoran

I just realized I haven’t mentioned the most important things:

The computer is part of a university network. Printing is handled through a special gateway. I am not sure about file sharing though there is a central file server. I do not think we have file sharing (for security reasons, though I am not 100% sure what is meant by this in this context: e.g., I know for sure that nobody but me has access to files on my computer). There is only the central file server (files put there get backed up automatically).

It seems that the computer communicates with a range of machines: not only the file server where we have our home directory, and the printer gateway, but there seem to be many more. Comodo does not tell explicitly which machines (it just shows a range in “Activity Tab/Connections”) but once I killed the “System” process (“Activity Tab/Connections” + “Close”) the application monitor rejected numerous packets (which I presume were solicited packets from the time when “System” was running; the other computers did not know that I killed the “System” application so they continued sending packets).

If I am not daydreaming here (i.e. if my interpretation of the origin of the packets is correct) then the list of machines in the log rejected by the application monitor are the machines with which I am exchanging 2 MBytes/sec.

The more I think about this the more puzzled I get… In the best case it is normal behaviour for a network with many computers, in the worst case I am infected with something that continuously tries to spread to other computers…

Zoran

Okay, I just figured out (by reading other posts on the forum) how to include pictures. So this is what I have (shown in the attachment, I do not know how to include it in the text).

System, ports 137, 138.

Zoran

[attachment deleted by admin]

If you check the IPs you’ll see these are on the same subnet as your outlook server, so I presume these are local addresses on your LAN. It’s local traffic, but what it is is anybody’s guess.

Ewen :slight_smile:
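One way to check Ewen’s point against the log Zoran posted, as an added example (not code from the thread or from Comodo): parse the Application Monitor records, count denied packets per remote host and NetBIOS service, and flag any peer that falls outside the local range. It assumes the university LAN is 129.16.0.0/16, which the thread never states; the two sample records are copied from the posted log.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption (the thread never states the mask): the university LAN is 129.16.0.0/16.
LOCAL_NET = ip_network("129.16.0.0/16")

# Two records copied verbatim from the log posted above (the other four match).
SAMPLE_LOG = """\
Date/Time :2006-06-30 20:38:57
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:129.16.110.210:nbdgram(138))
Application: System
Parent: System
Protocol: UDP In
Remote: 129.16.110.210:nbdgram(138)

Date/Time :2006-06-30 20:38:55
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (System:129.16.137.66:nbname(137))
Application: System
Parent: System
Protocol: UDP In
Remote: 129.16.137.66:nbname(137)
"""

# The Remote field is "<ip>:<service>(<port>)", e.g. 129.16.110.210:nbdgram(138).
REMOTE_RE = re.compile(r"^(?P<ip>[\d.]+):(?P<service>\w+)\((?P<port>\d+)\)$")

def parse_records(text):
    # Records are blank-line separated blocks of "Key: value" lines.
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        match = REMOTE_RE.match(fields.get("Remote", ""))
        if match:  # skip malformed records instead of crashing on them
            records.append({**fields, **match.groupdict()})
    return records

def summarise(text, local_net=LOCAL_NET):
    # Returns (denied packets per remote ip/service/port, set of non-local peers).
    counts, non_local = Counter(), set()
    for rec in parse_records(text):
        counts[(rec["ip"], rec["service"], int(rec["port"]))] += 1
        if ip_address(rec["ip"]) not in local_net:
            non_local.add(rec["ip"])
    return counts, non_local
```

Running `summarise` over the full posted log gives one hit per 129.16.x.x host and an empty non-local set, which is the “it’s local traffic” conclusion in table form.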

Right, it’s local. Thanks for looking into this.

Zoran