Something has been happening on my company's network at 9:30 every day. I'm not the sysadmin but he's not a ServerFault guy so I'm not privy to every aspect of the network but I can ask questions if follow up is needed.
The symptoms are the following :
- Sluggish network and download speed (I don't notice it, but others do)
- 3Com phones start ringing without having people on the other end.
We've got the following ports exposed to the public for a web server, a few other ports for communicating with our clients for tech support and a VPN. We've got a Cisco ASA blocking everything else. We've got a smallish network (less than 50 computers/vms on at any time). An Active Directory server and a few VM servers. We host our own mail server too.
I'm thinking the problem is internal, but what's a good way to figure out where it's coming from?
Download Wireshark (http://www.wireshark.org/) and use it to watch the traffic across the network at the time. Look for new traffic and any large spikes in the volume of traffic.
While this tool provides a lot of information for people that are not familiar with networking it can still be used to see the volume of information pretty easily and some of the protocol descriptions might be able to point you or your admin in the right direction.
Also you should point your admin at this site. He will probably greatly appreciate the resource.
If you or the sysadmin have access to the router/firewall, that should provide some additional information. Wireshark as mentioned is very good as well(as noted by TrueDuality). The time suggests that a user is connecting and has some kind of malware or torrent clinet that is saturating the network. You might also check to see if someone is running Skype and the client is a supernode. Have seen large amounts of traffic from a single Skype client. The client must be terminated to assure no traffic.
If it is a smaller office, it should be easy to identify who logged on at the time in question. Have logging added that monitors sucessful logons on the DC