I run a couple of IIS web servers, one on Windows Server 2008 R2, the other on 2003. Both fully patched and up to date, with AV. Running on a no-NAT connection with 8 WAN IPs.
The 2003 machine seems to be using a LOT of bandwidth (ITRO 1-2 GB per day) UPSTREAM all of a sudden, which is silly as it is hosting just 3 VERY low-bandwidth sites (say 100 page requests a day, max).
Looking in Resource Monitor, I saw what seemed like an almost constant connection to an unknown (external) IP address, so I blocked it in the Windows firewall. 2 hours later I see another, unrelated IP drawing a lot of bandwidth... (not even vaguely similar).
How can I track down exactly which process is "feeding" this connection? It referred to a generic svchost, running about 6 processes (not IIS though), but that's as far as I can narrow it down.
Edit - Additional: I have just restarted the server, and now notice a saw-tooth pattern in CPU & network usage, corresponding with Winlogon and csrss....
First of all, netstat -ano will show you which ports/IP addresses your computer is connecting to, along with the process ID (PID) of the process which is doing it, e.g.:
The last column is the PID (6396).
You can run tasklist /svc to find out which services are being run by which process, e.g.:
So, here we can see that the process opening connections to 192.0.2.18 is OUTLOOK.EXE.
If it had been an svchost.exe process, the services it is running would appear next to the PID. For example, we can see that svchost with PID 828 is running the DHCP Client (dhcp) and DNS Client (Dnscache) services.
If your svchost.exe process is not running a service, and is not running as a system account (e.g. NetworkService or LocalService), it is likely to be malware. Use Process Explorer to identify where this file is located on the disk.
If the problematic svchost instance is running several services, and you need to isolate which one is causing the problem, you can separate out the services to use their own individual svchost process. So, if your problematic svchost process was running Dhcp and Dnscache, you would run sc config dhcp type=own and sc config dnscache type=own, and then reboot and see which one was causing the traffic.
I'm just using Dhcp and Dnscache as examples, here.
If the instance of svchost which gives you the problem is moving around a lot, you might like to check the AppInit_DLLs registry key, in case a malicious DLL is being loaded by the process that way.
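Putting the answer's steps together as a script (an added example, not part of the answer above): it joins netstat -ano with tasklist /svc on PID and prints, for one remote address, the owning image and the services that process hosts, flagging an svchost.exe that hosts no service at all. It assumes PowerShell 3 or later; the address 203.0.113.10 is a placeholder.

```powershell
# Added example, not from the original answer: join "netstat -ano" with
# "tasklist /svc" on PID so each remote address maps to an image name and the
# services hosted in that process. It parses only the two tools' text output,
# so it needs no cmdlets newer than PowerShell 3. -RemoteAddress is a
# placeholder: replace it with the address seen in Resource Monitor.
param([string]$RemoteAddress = '203.0.113.10')

# PID -> @{Image; Services} from tasklist /svc. Example line:
#   svchost.exe                    828 Dhcp, Dnscache
# Long service lists wrap onto continuation lines that start with whitespace.
$procs = @{}; $lastPid = $null
foreach ($line in (tasklist /svc)) {
    $svc = $null
    if ($line -match '^(\S.*?)\s+(\d+)\s+(.*)$') {
        $lastPid = [int]$matches[2]
        $procs[$lastPid] = @{ Image = $matches[1]; Services = @() }
        $svc = $matches[3]
    } elseif ($null -ne $lastPid -and $line -match '^\s+(\S.*)$') {
        $svc = $matches[1]          # continuation of the previous PID's list
    }
    if ($svc -and $svc.Trim() -ne 'N/A') {
        $procs[$lastPid].Services += ($svc.Trim().TrimEnd(',') -split ',\s*')
    }
}

# Parse netstat -ano. UDP rows have no state column, hence the optional group.
$rows = foreach ($line in (netstat -ano)) {
    if ($line -notmatch '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$') { continue }
    $remote = $matches[3] -replace ':[^:]*$', ''   # strip the port
    if ($remote -ne $RemoteAddress) { continue }
    $owner = $procs[[int]$matches[5]]
    [pscustomobject]@{
        Proto    = $matches[1]
        Local    = $matches[2]
        Remote   = $matches[3]
        State    = $matches[4]
        PID      = [int]$matches[5]
        Image    = $(if ($owner) { $owner.Image } else { '<exited>' })
        Services = $(if ($owner) { $owner.Services -join ', ' } else { '' })
        # an svchost.exe hosting no service is the case the answer calls suspicious
        Suspect  = [bool]($owner -and $owner.Image -eq 'svchost.exe' -and $owner.Services.Count -eq 0)
    }
}
$rows | Format-Table -AutoSize

# For a multi-service svchost, these are the commands (note the space after "=")
# that give each service its own process, so the next netstat run names it.
$rows | Where-Object { $_.Services } | ForEach-Object { $_.Services -split ', ' } |
    Sort-Object -Unique | ForEach-Object { "sc config $_ type= own" }
```

Run it from an elevated prompt so tasklist /svc can see services in every session; a PID that shows as <exited> simply ended between the two snapshots, so run it again.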