Excessive traffic at port 445

Discussion in 'ESET Smart Security' started by sirine, Apr 14, 2010.

Thread Status:
Not open for further replies.
  1. sirine

    sirine Registered Member

    Joined:
    Apr 14, 2010
    Posts:
    12
    Greetings.

    network-traffic.jpg
    http://i448.photobucket.com/albums/qq207/hekyumi/ESET/1.jpg

    WinXP is hosted as a print server, with a few LAN PCs connecting to it for printing.

    Notice that there is too much traffic at the printer and file sharing ports.

    Ports 135~139 can be blocked to minimize the traffic, but if I block port 445, the printer sharing won't work.

    Already scanned the PC using ESET, SuperAntispyware, Kaspersky, Panda, Spy Bot SnD, etc., with no virus found.

    Please help!!!!:'(
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    does the amount of traffic correlate to the amount of printing?
     
  3. sirine

    no. The traffic goes up to 600MB~1GB per day...o_O
     
  4. Cudni

    More the merrier ;)

    not sure what bothers you with the traffic though and why you want to block it. Could it be normal network chatter (might not matter but did you place your network in Trusted zone)?
     
  5. sirine

    That will take up a lot of bandwidth of my LAN....:( that's bad...
     
  6. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, you can disable NetBIOS. Other than that, there will always be traffic on this port, this has nothing to do w/ ESS.
     
  7. sirine

    Thanks doktornotor for the help...but the setting of disabling the NetBIOS ... seems to have no effect....the traffic at port 445 still remains.

    Help!!!!
     
  8. doktornotor

    Help with what? Look, this has nothing to do with ESET products and the traffic is expected and normal on that port. You cannot stop the traffic without disabling file and printer sharing altogether.
     
  9. sirine

    Sorry if I offended you in any way...

    Sorry again if you think that I'm asking too much of ESET...

    Just by googling "virus/spyware at port 445", there are tons of results.

    ESET is an antivirus and I somehow believe it is some virus/spyware that is causing the excessive traffic at port 445.

    I have paid for ESET. So, I'm expecting ESET to solve this.

    doktornotor....if ESET products have nothing to do with this... may I ask your help in giving me a direction....on where I should go for help?

    I will try to describe the problem again:-
    1) Excessive traffic means....there are no printing activities, but the transmission on port 445 will keep on sending/receiving with about 12k/s of data.
    2) Once the network is disabled, the transmission stops. AND on enabling it back...the transmission starts immediately.
    3) Almost all the computers in the LAN are sending/receiving data to EACH OTHER. (not Star-Type "many to 1" sending, it is MESS "many to many" sending/receiving)

    Some older post (Year 2004) showing a similar thing...https://www.wilderssecurity.com/showthread.php?t=41732
     
    Last edited: Apr 16, 2010
  10. doktornotor

    Yes, I have no printing activities and still have traffic on ports 137-139 and 445. It's normal. It's how Windows OS works. Port 445 is used by a lot of services. No, it won't go away. No, it's not caused by ESS or any other ESET product. Yes, disabling a network obviously stops traffic, not even sure what I should say here. :rolleyes: No, I'm not offended. Now a suggestion - go read some documentation on Windows file/printer sharing, NetBIOS, browse lists and local/domain master browser election process and such, MS has an extensive library of docs.
     
  11. sirine

    Thanks for the suggestion.

    I have logged a file with the ESET customer service about the problem. (Now they are the ones who should worry about this issue.)

    One last thing, doktornotor..

    Excessive means...too much...over limits... and (surely)....not normal.

    ESS is not CAUSING the problem. It should solve the problem.
     
  12. doktornotor

    To be very clear about this - by your experiments, you are actually making the "problem" worse. E.g., when you block this traffic, the other Windows boxes no longer see your box, thinking it's gone offline. A master browser re-election may be forced. When you re-enable it, again, a browser re-election will be forced, causing additional traffic, so your bandwidth will not really be spared in any way. Again, you disable and enable your network connection - same thing. The computer will immediately start to broadcast "hello guys, I'm back, notice me" traffic across your network. And yes, your observation is entirely correct - this involves all Windows boxes connected to that network (UDP broadcast) - it will even cause traffic to be generated w/ any non-Windows Samba servers connected. Simply said - let things work as designed by MS. There is no problem to solve. Move on.
     
  13. sirine

  14. doktornotor

    That thing is ages old. And to be again very clear - the amount of traffic w/ that one would completely saturate your network. It'd not be anything about kB/s, it'd be full network capacity gone. You are imagining issues here, and harming the functionality of Windows networking on your way. Really.
     
  15. sirine

    1) Is transmitting excessive data (~1 Gigabyte per day) between computers considered normal?
    (with printing NOT over 100 pages of A4 size text-based printout, and 100% NO file sending activities)

    Your answer is "Yes it is Normal".
    Or your answer is "No it is Not normal".
     
  16. doktornotor

    As I've already tried to explain multiple times, port 445 and related are NOT used for printing only and traffic there happens even if you don't transfer any files. Until you've done the suggested reading on MS site, there's absolutely no point in discussing this further. By reverting your broken changes and blocks on your firewall, the traffic would actually reduce, since things could settle down finally.

    P.S. And on another note, 100.0.0.0/6 address range is NOT intended for the purpose you are using it. You should use the RFC1918 ranges instead or you'll see a very unpleasant surprise one day with the shrinking available pool of IPv4 addresses.
     
  17. sirine

    I think I have understood your point.

    Since there is only 1 print-server, you might think that, just because of blocking all the other ports at the print-server, it will cause it to have excessive traffic (due to all the other computers trying to access the print-server)...

    The truth is... even if I shut down the print-server, all the other computers still inter-communicate (sending data in an excessive way). And all of the computers are actually doing nothing...and their firewalls are.... all disabled. No blocking...free flow...and...well, it is really flowing like crazy ...

    May I suggest that you accept "my speculation" about...there really being some virus/spyware/backdoor that is causing this?

    OR

    "My speculation" is totally unacceptable?
     
  18. doktornotor

    Once again; it's normal. Yes, the computers do communicate all the time. If you don't believe me you are free to contact MS support, pay couple hundreds of bucks per hour for paid support and they'll explain the same to you. They already provide documentation on their website which will tell you the same. Or just grab some utility, like CurrPorts, and watch what's communicating there, even without any printing.
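
Added example, not part of any post in this thread: one way to do with `netstat -ano` what post 18 suggests doing with CurrPorts, listing which peers hold established SMB sessions with this host and in which direction. The sample output, the addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB

# Constructed `netstat -ano` output for a print server at 192.168.0.10.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.0.10:445       192.168.0.21:1043      ESTABLISHED     4
  TCP    192.168.0.10:445       192.168.0.22:1051      ESTABLISHED     4
  TCP    192.168.0.10:445       192.168.0.22:1077      TIME_WAIT       0
  TCP    192.168.0.10:1067      192.168.0.23:445       ESTABLISHED     4
  TCP    192.168.0.10:1090      192.168.0.30:80        ESTABLISHED     2184
  UDP    0.0.0.0:445            *:*                                    4
"""

# TCP rows only: proto, local addr:port, remote addr:port, state, PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def smb_peers(netstat_text, ports=SMB_PORTS):
    """Map each peer IP to its count of established SMB sessions by direction."""
    peers = defaultdict(lambda: {"inbound": 0, "outbound": 0})
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or m.group(5) != "ESTABLISHED":
            continue  # headers, UDP rows, listeners and closing sockets
        lport, remote_ip, rport = int(m.group(2)), m.group(3), int(m.group(4))
        if lport in ports:
            peers[remote_ip]["inbound"] += 1   # peer connected to our share
        elif rport in ports:
            peers[remote_ip]["outbound"] += 1  # we connected to the peer's share
    return dict(peers)


def outbound_targets(peers):
    """Peers this host opened SMB sessions to, sorted for stable output."""
    return sorted(ip for ip, c in peers.items() if c["outbound"])


if __name__ == "__main__":
    for ip, c in sorted(smb_peers(SAMPLE).items()):
        print(f"{ip:15}  inbound={c['inbound']}  outbound={c['outbound']}")
    print("outbound SMB targets:", outbound_targets(smb_peers(SAMPLE)))
```

Windows handles SMB sessions in the kernel, so `netstat` reports them under PID 4 (System); the peer list and the direction of each session are the useful signal, not the PID.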
     
  19. sirine

    Yes, they do communicate all the time....totally agree with you. But not to the extent of 1GB per day.

    By the way, if you do not understand how much data 1GB transmitted is...it is about printing 10,000 copies of "different" full A4 page photo printing.

    Thank you very much for your interest in this thread topic and you did provide your help, and I very much appreciate that.

    Now...if you are happy. Please ignore this thread topic. Move on to other thread.

    And for other thread readers: please provide help if you know what happened. Thanks.
     
    Last edited: Apr 16, 2010
  20. doktornotor

    Ok. Here's your way how to get rid of that traffic. There simply are users who can't be helped, since ignorance is a bliss. (And as for how much traffic is transmitted, 1GiB a day makes it 42MiB/hour, which takes a whopping 4 seconds to transfer on 100Mbit ethernet and much less on gigabit. Wow, huge problem indeed.)
     

    Attached Files:

  21. sirine

    I'm feeling offended... Please leave this thread.
     
  22. sirine

    It seems that I have found out the problem.

    It is caused by the printing spooler process, generated by the Canon Laser Printer LBP-3050.

    The solution will be to stop the print spooler, which can be selected at (the host) LBP-3050 printer properties (refer to attachment).

    After the setting is done, remove the client printer and add the printer again. Then everything seems fine.
     

    Attached Files:

    • 1.JPG