Home / server / Questions / 82558
Accepted
J.Zimmerman
Asked: 2009-11-08 12:13:27 +0800 CST

Determine What Process is Generating Network Traffic (Windows Server 2003)

  • 772

I've got a print server in our Windows 2003 domain with a lot of print queues on it. We are seeing a significant amount of SNMP scans coming from this server which we think are unnecessary. Everything related to the print server itself is functioning fine, but the network team would like the scans to stop.

We can see the scans as they happen on the switch. I have installed Wireshark and can see the scans happen as well. I can see programs that are listening for connections via things like CurrPorts.

This server has had several maintainers over the years. There are residual drivers and things that don't need to be there. Unfortunately I can't do anything too drastic to clean things up or clean install the server because it is our primary print server our network relies on. We have plans to replace it within the next year or two.

So my question is....

How can I pinpoint which program/process on the Windows 2003 server is generating the SNMP scans?

firewall

3 Answers

  1. netstat -b will show you all connections and which process generated that connection. Most likely, it is printer management software (home based or enterprise based) that is constantly trying to query the printers to keep a status of them, toner levels, etc.

    • 4
  2. Best Answer

    I'd strongly suspect that the Print Spooler service (spoolsv.exe) is doing this because it's probably configured to do so. W/o a deeper description of the traffic (subnet-wide probes, or queries directed at individual printer devices) it's difficult to say. My gut says that if you examine the "Configure Port" properties of any "Standard TCP/IP Port" entries in the "Ports" tab of the "Server Properties" of the "Prnters and Faxes" dialog you'll find out that "SNMP Status Enabled" is checked.

    Failing that, using "netstat -b" or "netstat -o" is the way to go, though with SNMP being what it is the sockets are probably going to close so quickly that you'll have trouble catching them.

    Edit:

    Here's that script.

    @echo off
rem Query for all Standard TCP/IP Ports (skipping the first returned value, which 
rem is the "/Ports" key

FOR /f "skip=1 usebackq delims=" %%i IN (`reg query "HKLM\System\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports" ^| find "HKEY_LOCAL_MACHINE"`) DO (

  rem For each port, disable SNMP
  REG ADD "%%i" /v "SNMP Enabled" /t REG_DWORD /d 0 /f >NUL 2>NUL
)
    • 4

  3. Microsoft Network Monitor 3.3 enables you to filter traffic by process/process id.

    http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=983b941d-06cb-4658-b7f6-3088333d062f

    You can also use TCPView:

    http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

    The print server may have HP JetAdmin or WebJetAdmin installed. This is not required for normal operation.

    http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01718860

    • 1