How to Identify Unknown Network Traffic using Wireshark and Process Monitor


Network traffic flows constantly between the devices, applications and services on any network. Most of it is expected, but from time to time a capture turns up traffic that nobody can account for: packets aimed at hosts that no longer exist, queries for names nobody recognizes, or connections initiated by a server that has no business initiating them.

Working out what generates that traffic matters for security (it may be a misconfiguration, a leftover from a decommissioned system, or something malicious), for troubleshooting, and for performance.

This article walks through how Wireshark and Process Monitor complement each other when tracing unknown traffic back to its source.

Wireshark, the widely used network protocol analyzer, shows what is on the wire: the source, destination, protocol and payload of every packet. What it cannot show is which program on the sending host produced a packet. Process Monitor (Procmon), from the Sysinternals suite, fills that gap: it records file system, registry, process and network events on a Windows host and attributes each one to the process that caused it.

Used together, the two tools take you from "this host is sending odd packets" to "this service is sending them, and here is the configuration that makes it do so".

This guide is based on a real-life case study.

The Case Study

While running a Wireshark capture on my PC, I noticed an odd pattern: the file server was repeatedly sending packets that referred to a PC that no longer existed on the network.

[Screenshot: Wireshark capture of the NBNS queries for BOULWA-XP]

The question was why the file server at 10.x.x.6 kept sending NBNS (NetBIOS Name Service) queries for the host BOULWA-XP, asking for its IP address. An NBNS name query cannot be addressed to the machine it is trying to find; it goes to the subnet's broadcast address (or to a WINS server, if one is configured), which is also why an unrelated PC on the same segment could see it. The file server was asking, over and over, for a name that nothing would ever answer.

Wireshark showed the packets and their sender, but a packet capture has no notion of processes: it cannot say which program or service on the file server was generating the queries.
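To make the protocol concrete, here is an added Python example (not part of the original article) that builds the kind of NBNS name query the file server was sending and decodes it back into the NetBIOS name, following the first-level name encoding from RFC 1001, section 14. The sample queries are constructed for the example; the transaction IDs and the second name, PRINTSRV, are made up.

```python
import struct
from collections import Counter
from typing import Dict, List

QTYPE_NB = 0x0020                # NetBIOS general name service record (RFC 1002)
QCLASS_IN = 0x0001
FLAGS_BROADCAST_QUERY = 0x0110   # opcode QUERY, RD (recursion desired), B (broadcast)


def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """First-level encoding (RFC 1001, section 14): the name is upper-cased and space
    padded to 15 bytes, a one-byte suffix (0x20 = File Server service) is appended,
    and every byte is written as two characters: 'A' + high nibble, 'A' + low nibble.
    Returns the full question-name label: length byte, 32 characters, root label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    half_bytes = bytearray()
    for b in raw:
        half_bytes += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([len(half_bytes)]) + bytes(half_bytes) + b"\x00"


def build_nbns_query(name: str, trn_id: int = 0x1234, suffix: int = 0x20) -> bytes:
    """UDP payload of a broadcast NAME QUERY REQUEST for `name`, the message type the
    file server kept sending for BOULWA-XP."""
    header = struct.pack("!HHHHHH", trn_id, FLAGS_BROADCAST_QUERY, 1, 0, 0, 0)
    question = encode_netbios_name(name, suffix) + struct.pack("!HH", QTYPE_NB, QCLASS_IN)
    return header + question


def parse_nbns_query(payload: bytes) -> dict:
    """Decode an NBNS request payload back into the NetBIOS name it asks for."""
    trn_id, flags, qdcount, _an, _ns, _ar = struct.unpack_from("!HHHHHH", payload, 0)
    if flags & 0x8000:
        raise ValueError("R bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    # Walk the question name: the first label is the 32-character encoded name,
    # any further labels are the (usually empty) NetBIOS scope ID.
    offset, labels = 12, []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        labels.append(payload[offset:offset + length])
        offset += length
    encoded = labels[0]
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    qtype, qclass = struct.unpack_from("!HH", payload, offset)
    return {
        "trn_id": trn_id,
        "opcode": (flags >> 11) & 0xF,
        "broadcast": bool(flags & 0x0010),
        "name": raw[:15].decode("ascii").rstrip(" "),
        "suffix": raw[15],
        "scope": ".".join(label.decode("ascii") for label in labels[1:]),
        "qtype": qtype,
        "qclass": qclass,
    }


def count_queried_names(payloads: List[bytes]) -> Dict[str, int]:
    """Tally the names a host keeps asking for, written NAME<suffix> as Wireshark and
    nbtstat show them. A name that is queried over and over but never answered is a
    good candidate for a stale reference somewhere in that host's configuration."""
    tally = Counter()
    for payload in payloads:
        q = parse_nbns_query(payload)
        tally[f"{q['name']}<{q['suffix']:02X}>"] += 1
    return dict(tally)


# Constructed sample: three queries for the vanished BOULWA-XP and one for a made-up
# workstation name, standing in for what a capture on the segment would contain.
SAMPLE_PAYLOADS = [build_nbns_query("BOULWA-XP", trn_id=t) for t in (0x8001, 0x8002, 0x8003)]
SAMPLE_PAYLOADS.append(build_nbns_query("PRINTSRV", trn_id=0x8004, suffix=0x00))

if __name__ == "__main__":
    for name, hits in count_queried_names(SAMPLE_PAYLOADS).items():
        print(f"{name:<20} {hits} queries")
```

Wireshark does this decoding for you; the display filter `nbns.name contains "BOULWA-XP"` isolates the queries in question, and `nbns` alone shows all name-service traffic on the segment so you can see who else is asking for what.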

To find that out I used Process Monitor from the Sysinternals suite, running it on the file server itself, since Procmon only sees local activity. After capturing for a short while I searched the trace (Ctrl+F) for the string "BOULWA-XP".

The hit came from spoolsv.exe, the Windows Print Spooler service. I then filtered the trace to Process Name is spoolsv.exe so that only its events were displayed.

[Screenshots: the Procmon search hit on BOULWA-XP, the spoolsv.exe process filter, and the filtered trace]

In the filtered trace, spoolsv.exe was reading the registry key HKCU\Printers\Connections\,,BOULWA-XP,Microsoft XPS Document Writer. Windows names each subkey under Printers\Connections after a UNC path with every backslash replaced by a comma, so this key describes a per-user connection to the shared printer \\BOULWA-XP\Microsoft XPS Document Writer. The spooler periodically contacts the print server behind every network printer connection, and that is what kept triggering NBNS name resolution for BOULWA-XP, a machine that no longer existed.

The connection was indeed listed in the Printers section of the Control Panel.
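The Procmon steps above can be reproduced offline against a saved trace. The following added Python example (not code from the article) does what Find and the process filter do, over a Process Monitor CSV export (File > Save, CSV format, default columns), and decodes any Printers\Connections registry key it finds into the UNC printer path it represents. The CSV rows are constructed for the example; the PIDs, timestamps and the 10.0.0.x addresses are made up, and only the registry key mirrors the one from the case study.

```python
import csv
import io
from collections import Counter
from typing import Dict, List, Optional, Set

# Constructed sample of a Process Monitor CSV export (File > Save, CSV format, default
# columns). Rows, PIDs, timestamps and the 10.0.0.x addresses are made up for this
# example; only the registry key mirrors the one found in the case study.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:32:01.1234567 AM","spoolsv.exe","1204","RegOpenKey","HKCU\Printers\Connections\,,BOULWA-XP,Microsoft XPS Document Writer","SUCCESS","Desired Access: Read"
"10:32:01.1234570 AM","spoolsv.exe","1204","RegQueryValue","HKCU\Printers\Connections\,,BOULWA-XP,Microsoft XPS Document Writer\Server","SUCCESS","Type: REG_SZ, Length: 24, Data: \\BOULWA-XP"
"10:32:01.2000000 AM","spoolsv.exe","1204","UDP Send","10.0.0.6:137 -> 10.0.0.255:137","SUCCESS","Length: 50"
"10:32:01.3000000 AM","explorer.exe","2200","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
'''

CONNECTIONS_MARKER = "\\Printers\\Connections\\"


def load_procmon_csv(text: str) -> List[Dict[str, str]]:
    """Parse a Procmon CSV export into one dict per event, keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def events_mentioning(events: List[Dict[str, str]], needle: str) -> List[Dict[str, str]]:
    """Offline equivalent of Procmon's Find (Ctrl+F): case-insensitive match on the
    Path and Detail columns, which is where a hostname or IP address shows up."""
    needle = needle.lower()
    return [e for e in events
            if needle in e["Path"].lower() or needle in e["Detail"].lower()]


def processes_for(events: List[Dict[str, str]], needle: str) -> Dict[str, int]:
    """Which processes referenced the unknown host, and how many times each."""
    return dict(Counter(e["Process Name"] for e in events_mentioning(events, needle)))


def printer_connection_from_key(reg_path: str) -> Optional[str]:
    """Decode a Printers\\Connections subkey into the UNC printer path it stands for.
    Windows names the subkey after the UNC path with every backslash replaced by a
    comma, so ',,BOULWA-XP,Microsoft XPS Document Writer' means
    \\\\BOULWA-XP\\Microsoft XPS Document Writer. Returns None for unrelated keys."""
    idx = reg_path.find(CONNECTIONS_MARKER)
    if idx < 0:
        return None
    # The subkey name is the first path component after the marker; anything after
    # the next backslash is a value name such as Server or Provider.
    subkey = reg_path[idx + len(CONNECTIONS_MARKER):].split("\\", 1)[0]
    if not subkey.startswith(",,"):
        return None
    return subkey.replace(",", "\\")


def printer_connections(events: List[Dict[str, str]]) -> Set[str]:
    """Every network printer connection touched anywhere in the trace."""
    found = set()
    for e in events:
        unc = printer_connection_from_key(e["Path"])
        if unc:
            found.add(unc)
    return found


if __name__ == "__main__":
    events = load_procmon_csv(SAMPLE_CSV)
    print("processes mentioning BOULWA-XP:", processes_for(events, "boulwa-xp"))
    print("printer connections in trace:", printer_connections(events))
```

On a real export, run `processes_for` with the hostname or address from the Wireshark capture first; once it names a process, `printer_connections` (or a similar decoder for whatever key family that process touches) tells you which configuration item to look at.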

[Screenshot: the BOULWA-XP printer connection listed in the Control Panel]

The Solution

Removing this printer connection from the Control Panel stopped the traffic: the NBNS queries for BOULWA-XP no longer appeared on the network. One caveat: printer connections stored under HKCU are per-user, so the same stale connection can exist in other user profiles on the server and will resurface whenever such a user logs on. The check is worth repeating for every account that uses the machine.

Conclusion

Network traffic analysis plays a vital role in network security and performance. Wireshark shows what is on the wire; Process Monitor shows which process put it there. Combined, they let an administrator attribute unknown traffic to a specific service and the configuration that drives it, rather than guessing.

This article walked through a real case in which the two tools traced unexplained NBNS queries from a file server to a stale network printer connection used by the Print Spooler. The same approach applies to any unexplained traffic from a Windows host: capture it, pick a distinctive string (a hostname, an IP address, a port), search the Procmon trace for that string, and follow the responsible process to the registry key or file that makes it behave that way.

Staying vigilant and knowing how to use these tools lets organizations find and fix anomalies like this one before they become security or performance problems.
