Huge increase in outgoing traffic - how to figure out why?

Discussion in 'Windows Small Business Server' started by Mike Webb, Oct 31, 2006.

  1. Mike Webb

    Mike Webb Guest

    Running SBS 2003 Premium, Exchange, ISA 2004, WSUS, 2 NIC's and a router,
    dynamic IP, DDNS service from dyndns.org. I also run Symantec Corporate
    Antivirus ver 9, and Windows Defender on the server and workstations.
    ==============================
    Ran a check of our in/outbound traffic using a web app from the ISP and saw
    a big spike in our outbound traffic a week ago. Big enough where we are
    very close to the ISP's threshold for "Fair Access". (3 GB per rolling 30
    day period). Tracked it down using ISA's reporting feature, to our
    Executive Director. He's been uploading large files to associates. OK.

    Ran another check this morning and saw we are still spiked, should have
    seen a downward trend yesterday. Ran a report in ISA and saw that MY
    computer had the highest outbound traffic in the last 2 days - 185 MB
    outbound.

    I'm flabbergasted (but then I am still inexperienced in this arena.) I
    could swear I uploaded no more than 10 MB or so yesterday (via Outlook). Is
    there a way to use ISA's reporting features to find out some specifics on
    WHAT was uploaded and WHEN? I have a hunch now that we may have been
    hijacked, but need to start at the beginning so I know how to proceed.

    Many thanks in advance!!
     
    Mike Webb, Oct 31, 2006
    #1

  2. Hello Mike,

    Thank you for posting here.

    According to your description, I understand that you want to analyze the
    specific traffic from one of your internal computers via ISA server. If I
    have misunderstood the problem, please don't hesitate to let me know.

    ISA 2004 can give out Top Users by total traffic load, but the ISA 2004
    reporting function can't analyze the traffic coming from an individual user.

    As I know, the ISA Server 2004 log query can give you some help. It gathers
    real-time traffic via ISA and logs it. You may get the info you want in
    the query.

    To edit and run ISA Server 2004 log queries, follow these steps:
    1. Click Start, point to All Programs, point to Microsoft ISA Server, and
    then click ISA Server Management.
    2. In the Microsoft Internet Security and Acceleration Server 2004 console,
    expand YourServerName , and then click Monitoring.
    3. In the center pane, click the Logging tab, right-click Log Record Type,
    and then click Edit Filter.
    Note: By default, ISA Server 2004 includes the following two filter queries.
    However, you can customize the criteria of both queries to create
    additional filter queries.
    Log Record Type
    Log Time
    4. In the Edit Filter dialog box, click the Log Record Type entry, and then
    click the criteria that you want to filter by in each drop-down list.
    5. Click the Log Time entry, and then click the criteria that you want to
    filter by in each drop-down list.
    6. Click Update, and then click Start Query.

    In the center pane you will see Fetching Results appear while the query
    runs. After the query has started, results are displayed in the center
    pane. The results contain information about the most common network
    features and about the results from the filter criteria that you have set.
    You can use this information to analyze the traffic from your computer via
    ISA server.

    In addition, some third party applications can analyze traffic on a per-user
    basis. For example, you can find an application GFI WebMonitor for ISA
    Server from the following web page:
    http://www.isaserver.org/software/ISA/Monitoring-&-Admin/
    ==========================
    This response contains a reference to a third party World Wide Web site.
    Microsoft can make no representation concerning the content of these
    sites. Microsoft is providing this information only as a convenience to
    you: this is to inform you that Microsoft has not tested any software or
    information found on these sites and therefore cannot make any
    representations regarding the quality, safety, or suitability of any
    software or information found there. There are inherent dangers in the use
    of any software found on the Internet, and Microsoft cautions you to make
    sure that you completely understand the risk before retrieving any software
    on the Internet.
    ==========================

    Meanwhile, you mentioned that one of your workstations sends out a
    large amount of traffic through the ISA Server. I suspect this particular
    workstation may be infected by a virus, which leads to huge packets being
    spread out. Do you have anti-virus software installed on the
    workstations? Please perform a full virus scan on the internal computers. If
    you do not have an anti-virus application installed, you may try:
    http://housecall.trendmicro.com/

    Hope this helps. Please let me know the results so that I can provide
    further assistance on this problem. I am looking forward to your reply.
    Thanks and have a nice day!

    Best regards,

    Terence Liu(MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.
    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.

     
    Terence Liu [MSFT], Nov 1, 2006
    #2
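The log query steps above show which records to pull, but the original question (WHAT was uploaded and WHEN) is quicker to answer from the exported log file itself. The script below is an added example, not code from the thread or from Microsoft: it reads an ISA Server 2004 W3C-format firewall log export, totals "bytes sent" (the client-to-Internet direction in ISA's log) per original client IP, and breaks the top client's uploads down by date, hour, destination host and protocol, ignoring traffic to the Local Host network (for example Outlook talking to Exchange on the SBS box) so that only Internet-bound bytes count. It assumes the export begins with a `#Fields:` header naming the columns, as ISA's W3C format does; the sample records are constructed and use only a subset of the column names.

```python
"""Outbound-bytes summary for an ISA Server 2004 W3C firewall log export.
Added example (not from the thread). Assumes a '#Fields:' header names the
columns; the sample records are constructed."""
from collections import defaultdict

# Constructed sample, ISA 2004 W3C layout (subset of its column names), tab-separated.
SAMPLE_LOG = """#Software: Microsoft(R) Internet Security and Acceleration Server 2004
#Fields: date\ttime\tsource\tdestination\toriginal client IP\tdestination network\tapplication protocol\tbytes sent\tbytes received\tclient username
2006-10-30\t09:12:01\t192.168.16.10:1037\t203.0.113.25:443\t192.168.16.10\tExternal\tHTTPS\t20480\t1200\tDOMAIN\\mike
2006-10-30\t09:14:17\t192.168.16.10:1041\t198.51.100.7:25\t192.168.16.10\tExternal\tSMTP\t5242880\t800\tDOMAIN\\mike
2006-10-30\t13:40:09\t192.168.16.10:1102\t198.51.100.7:25\t192.168.16.10\tExternal\tSMTP\t7340032\t900\tDOMAIN\\mike
2006-10-30\t10:02:44\t192.168.16.22:2210\t203.0.113.99:80\t192.168.16.22\tExternal\tHTTP\t3072\t45000\tDOMAIN\\director
2006-10-30\t10:05:00\t192.168.16.22:2215\t192.168.16.2:135\t192.168.16.22\tLocal Host\tRPC\t900000\t100\tDOMAIN\\director
"""

def parse_w3c(text):
    """Map each record to {column name: value} using the '#Fields:' header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # other directives, blank lines, data before any header
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def _sent_bytes(rec):
    """Internet-bound 'bytes sent' for one record, or None if it should not count."""
    if rec.get("destination network") != "External":
        return None  # Local Host / internal traffic is not an upload to the Internet
    try:
        return int(rec["bytes sent"])
    except (KeyError, ValueError):
        return None

def top_senders(records):
    """Total Internet-bound bytes per original client IP, largest first."""
    totals = defaultdict(int)
    for rec in records:
        sent = _sent_bytes(rec)
        if sent is not None:
            totals[rec["original client IP"]] += sent
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def client_breakdown(records, client_ip):
    """Answer 'what and when' for one client: bytes per (date, hour, host, protocol)."""
    buckets = defaultdict(int)
    for rec in records:
        sent = _sent_bytes(rec)
        if sent is None or rec.get("original client IP") != client_ip:
            continue
        host = rec["destination"].rsplit(":", 1)[0]  # drop the destination port
        buckets[(rec["date"], rec["time"][:2], host, rec["application protocol"])] += sent
    return sorted(buckets.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for ip, total in top_senders(recs):
        print(f"{ip:16} {total / 1048576:6.1f} MB to the Internet")
```

To use it on a real export, read the log file's text into `parse_w3c` in place of `SAMPLE_LOG`; a client whose breakdown shows large transfers at hours when nobody was at the keyboard is the one to examine first.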

  3. Mike Webb

    Mike Webb Guest

    Thanks, I'll give this a try.

     
    Mike Webb, Nov 1, 2006
    #3
  4. Hello Customer,

    Thanks for your kind update.

    I'm waiting for your feedback. If you have any additional information or
    need further assistance, feel free to let me know at your earliest
    convenience.

    I appreciate your time, and I look forward to hearing from you.

    Best regards,

    Terence Liu(MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security


     
    Terence Liu [MSFT], Nov 2, 2006
    #4