Using PE to Investigate Server Data Traffic

hi -

new user to PE. I have a few questions about using PE.

I'm using PE to help investigate high levels of data traffic usage on our Windows2003 server. We seem to be 'uploading' a lot more data than we are 'downloading' and volume of 'uploads' appears much greater than we would expect from volume of e-mail traffic to server. PE columns for 'sent' and 'received' each show '---' on display. Is this normal? I see elsewhere in forum that Netstat ports don't show 'sent' and 'received' data volumes. Is it possible to track data transfer usage on Netstat ports?

Will PE (and PE datalogging) run as a windows 'service' in the background? We are administering server remotely and would like PE to log server activity without being 'logged in' / connected to server?

any ideas about how we might use PE to go about identifying reason for high amount of upload traffic would be appreciated.

thanks Martin...

 

Hi,

Sounds like a hacked server for XDCC compromise. Look for connections to IRC servers, which would be on remote port 6666-6669, 7000, but possibly other ports.

Please click File > Save table and send your saved log to support, we'll take a look. You should also include a HIJACKTHIS log or log from our ASVIEWER program showing the services/drivers. A rootkit revealer scan would be very important, I would try a couple of the free scanners available.. Rootkit Revealer, F-Secure BlackLight, UnHackMe.

Netstat sockets most likely have a corresponding "true" socket which has been resolved through LSP or one of the other methods used. These can be tracked.

As for running as a service this is not possible now but a good suggestion, thanks! Something for us to consider for future versions.