Bandwidth keeps running after site shutdown

Discussion in 'Windows 7 Help and Support' started by julio99, Mar 11, 2013.

  1. julio99

    julio99 Senior Member

    Joined:
    Aug 12, 2010
    Messages:
    209
    Likes Received:
    2
    I watch videos on a site and when I finish watching, the bandwidth in DU Meter keeps running at 400-500 KB/s. It would appear that the videos are still running, but they are not, because the site and anything to do with it is shut down. Not even a browser is running. Task Manager tells me nothing. I have used TCPView and Process Explorer from Sysinternals, but I am not quite sure how to tell which process is using bandwidth. One of the svchost processes will say "established", but how do you tell which exact process is using the bandwidth?
    I was just looking at Resource Monitor right now in Windows 7 and it would appear to have a send and receive column to let me know which processes are eating bandwidth. Am I right about this, or is it misleading, or do you have a better way?
    I have checked for malware too and that is not happening, other than some tracking cookies that are no longer here. I run Bitdefender Total Security and I just ran Emsisoft Emergency Scanner off of a thumb drive, which I believe is every bit as good as Malwarebytes, which doesn't have a portable version.
    Please let me know if you have a better or different way of checking this.
     
  2. Saltgrass

    Saltgrass Excellent Member
    Microsoft Community Contributor

    Joined:
    Oct 16, 2009
    Messages:
    15,157
    Likes Received:
    393
    I haven't really watched my bandwidth after watching some video, but traffic might continue until the housekeeping has completed, or even perhaps to something on your local network.

    As you mention, Resource Monitor, Network tab, TCP Connections is a good place to see the network traffic. That along with the other information panes should give you a good idea of what is moving the data. You might want to right-click the top of the columns and use the Select Columns option to add additional information. If you put a check in the box for a specific item, the info will be only about that process.

    TCPView has much of the same info.

    But once you see the PID for whatever is using the bandwidth, you should then be able to use Process Explorer to see what is running in that process. But sometimes they are just general system processes.
     
  3. julio99

    julio99 Senior Member

    Joined:
    Aug 12, 2010
    Messages:
    209
    Likes Received:
    2
    Thanks SG. Just as I expected. I just wonder why it runs for so long sometimes at such a high rate when all apps and sites are closed. Had to reboot to stop it from counting once as it just seemed to keep going.
     
  4. MtheK

    MtheK New Member

    Joined:
    Mar 12, 2013
    Messages:
    44
    Likes Received:
    0
    I find Network Monitor (i.e. NETMON) from SysInternals an excellent tool to use to see what traffic is flowing; you can get an enormous amount of detail in 'View/frame details', or use 'frame summary' for a quick overview, which sounds like what you need to identify the traffic source. Then PROCMON and/or PROCEXP can be used to get info on the process/thread.
     
  5. julio99

    julio99 Senior Member

    Joined:
    Aug 12, 2010
    Messages:
    209
    Likes Received:
    2
    Thanks for the response. Well, I downloaded Net Mon and yes, what an amount of traffic to view. It is a bit overwhelming for me, but I will try and persevere. I am sending you a couple of attachments to look at because there are things I don't understand about the traffic on it. The second one has all these wi-fi frames on them, as you can see. Now I live in an apartment building and I was running a wireless setup, but I took it down, yet I still see the wi-fi listed as network traffic with my neighbors' names for their home networks. I don't have a router plugged in, so how can this be monitoring wi-fi? Am I in any danger by leaving this wi-fi network on my machine? As I said, there is no router plugged in. I want to make sure that the old network can't be accessed, but I wouldn't mind keeping it for my little laptop if I want to use it in my bedroom to do some updating. I'm still not sure I can breeze through Network Monitor as a program. It looks Chinese to me at times, if you know what I mean. It even shows you code.
    Once I understand it a little better I might be able to use it better. For now those wi-fi frames are bothering me. Can someone actually hack me if I don't have a router? Stupid question, but if I don't ask I won't know.
     
  6. MtheK

    MtheK New Member

    Joined:
    Mar 12, 2013
    Messages:
    44
    Likes Received:
    0
    Sometimes, to just get an overview, I just use the Display filter/DNS Protocol & APPLY, assuming a DNS request is sent, which usually is necessary to surf the 'Net. However, the summary & detail frames are the best when trying to decide where things came from. I also get Ethernet (pink to me) traffic on my router, so perhaps your computer is just trying to see if any exists. Even with my router off, I think I still get Ethernet traffic.

    The DEST and SOURCE fields indicate WHO TO and WHO FROM. The DESCRIPTION columns summarize the request nicely. In 'frame details', typically, I only use the TCP and HTML info. The WiFi, Ethernet, etc. are more for hardware issues, but can be important to diagnose lost frames.

    I like the color option, which can, in a way, quickly filter your data for only what you want to see (via scroll), yet still show all entries in case there is something around it. Here's what I've done to customize it:

    To run:
      start Netmon
      select NDISWAN (dial-up) or WIFI ONLY; de-select all else
      for WIFI, Capture filter/WiFi/Remove WiFi noise (BROADCASTs) & APPLY

    ##### try this to see if many WIFI entries go away #####

      start capture on modem or WiFi
      run any program, such as e-mail, to generate traffic

    To tailor:
      select/save columns:
        frame#
        conv ID
        time & date
        frame length
        process name
        HTTP summary
        process ID (to match with NetConv window for Expert)
        protocol name
        network direction (1=snd, 2=rcv)
        TCP state
        TCP Checksum status
        TCP Lost Segment
        source
        destination
        TCP description
        description
      select/load color rules (filters):
        TCPrexmt = red: Property.TCPRetransmit == 1
        TCPrset = brown: TCP.Flags.Reset == 1 || TCP.Flags.Syn == 1
        HTTPerr = icky green: Property.HttpStatusCode.StringToNumber >= 400
        DNS = orange: DNS
        NbtNs = pink (NetBIOS DNS): NbtNs
        auth = lime green: KerberosV5 OR KerberosV5_Struct OR NLMP OR NLMP_Struct OR GssAPI OR SpnegoNegotiationToken OR GssapiKrb5
        HTTPS = green: TLS
        HTTP = blue: HTTP
        CCP = purple: CCP
        RTP = maroon: RTP
        continue = dark grey: not TCP.TcpContinuationData == 0

    tools/options/parser profiles/set to Windows from Default
     
  7. julio99

    julio99 Senior Member

    Joined:
    Aug 12, 2010
    Messages:
    209
    Likes Received:
    2
    Right when I was about to write you back about color, I noticed in the second half of the message that you mentioned it. Because I had no colored columns or lines, and I see now that you have to make your own. Kind of unlike them. Their other programs from Sysinternals already have the colors built in.
    I need to straighten something out here with you. My laptop is running on ethernet. I took down the router, which I was trying to explain to you in the last post, and decided to run my laptop wired. My 18.4" Acer. I don't move it, so I use it as a desktop and chose to use a wired connection for safety purposes. I still have the router and a little 15.6" Acer laptop for going places or just using in a different room.
    I think I will try and color code like you have. It sounds good the way you set the traffic colors. I'll have to use this a bit before I fully understand it. I like manuals and tutorials if they're written in a semi-layman language instead of geek speak. You know what I mean, right?
    How do you start a capture, if you don't mind? I just click new capture, choose my adapter as I am only using the ethernet. I am sending you the screen of this new capture here. The description column is still foggy and understanding the source and destination addresses is a little hard. The process names I get, but what happens when it doesn't have one and all you have is an IP? I guess you can always look it up. Do you know what other traffic is? Mine comes as a full box DHCP:Reply, MSG. Type. Not sure what that is, but doesn't DHCP have something to do with wireless?
     
    #7 julio99, Mar 15, 2013
    Last edited: Mar 15, 2013
  8. MtheK

    MtheK New Member

    Joined:
    Mar 12, 2013
    Messages:
    44
    Likes Received:
    0
    Yeah, my PROCMON highlights UDP/TCP traffic in YELLOW.

    My 2 computers are wired through a Netgear router. My WiFi is just a cell per se, but interferes with my router and so, to surf the 'Net, I must first DISABLE my router; else, all DNS requests go to the router, which no longer has Internet access, and so hang.

    It sounds like you are capturing OK. Here's what I do from the beginning:
    1. click my Shortcut on my Start button
    2. in 'Select Networks', click the 1 or more you want
    3. click the 'New Capture' button (Top Left)
    4. my sub-windows are set via the View button in the menu:
       a. Network Conversations, vertical, left
       b. Display Filter and Frame Summary center & right
          1. Display Filter (optional)
             click 'Load filter', right-click Standard Filters/DNS/click Protocol Filter - DNS
             click APPLY
          2. Frame Summary
             click Autoscroll
    5. click 'Capture Settings'
       a. click 'Load filter', right-click Standard Filters/Wifi/Remove WiFi Noise
       b. click APPLY
       c. click CLOSE
    6. click 'Start Capture' button
    7. if traffic is flowing, you'll see it immediately.
    8. When done, I just X out of the window and usually do NOT save it.

    My DEST and SOURCE can translate the IP to a name when it can. I have indeed done NSLOOKUP, PING, TRACERT, etc. when it can't do so.

    You can always use PROCMON, filtering out the PIDs you don't want to see (I have about a dozen or so I exclude, along with other compares). If from PID 4 (System), it is indeed hard to associate that to a specific program; taking a dump of any process and using WinDbg to see addresses sometimes helps.

    I believe DHCP is for DNS requests, of which WiFi is a subset:
    1. open Network & Sharing Center
       a. click 'change adapter settings'
       b. right-click WiFi/properties
       c. click IPV4/properties
       d. in General, click 'Advanced'
       e. in IP Addresses, IP settings, it should say:
          DHCP Enabled
          which, usually, for Internet, sets IP addresses dynamically.
     
  9. julio99

    julio99 Senior Member

    Joined:
    Aug 12, 2010
    Messages:
    209
    Likes Received:
    2
    Wow, you are right behind this. I was with you on your process until you got to the filter. What filter would I be loading and what is the purpose of said filter? I've seen that, I just didn't want to bite off more than I could chew. If I take this in small steps I'll have an easier time of it.
    Yes, I have DHCP enabled where you told me to check. Right now I am using OpenDNS for my DNS servers. You've heard of them, right? Supposed to help make your machine or browsing experience faster and safer. I don't know about faster, but I like the way you can filter a lot of bad sites. I tried using the Hosts file, but it doesn't work for all browsers. The OpenDNS filters work everywhere.
    By the way, before I forget. You mentioned some command line commands? NSLOOKUP, PING, and TRACERT. I have one that I just learned today that gives you all your running connections: NETSTAT -ANO. I tried it and liked it. It's what's great about these forums. It's a wealth of information. I will be bookmarking this page for reference.
    You see the words "Payload en" in a lot of the lines. Any significant meaning to that?
     
    #9 julio99, Mar 16, 2013
    Last edited: Mar 16, 2013
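    The step the thread keeps circling back to (post #2 and the NETSTAT -ANO tip above) is joining the PID column of `netstat -ano` to a process name so that a connection can be attributed to a program. The script below is an added example, not code from the thread or any poster: it parses a constructed sample of `netstat -ano` output, joins the PIDs against a constructed `tasklist`-style PID-to-name map, and flags svchost.exe entries, because a PID that belongs to svchost hosts several services and needs `tasklist /svc` (or Process Explorer, as suggested above) to narrow down further. The sample addresses, PIDs and process names are invented for illustration.

```python
"""Attribute netstat -ano connections to processes (added example, constructed data).

On a real Windows 7 machine you would feed this the text of `netstat -ano` and a
PID -> image-name map built from `tasklist`; here both are embedded so it runs offline.
"""
import subprocess
import sys
from collections import defaultdict

# Constructed sample of `netstat -ano` output; not a real capture.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.5:49731      203.0.113.10:443       ESTABLISHED     1234
  TCP    192.168.1.5:49732      203.0.113.10:443       ESTABLISHED     1234
  TCP    192.168.1.5:49740      198.51.100.7:80        ESTABLISHED     1040
  TCP    192.168.1.5:49801      203.0.113.55:443       CLOSE_WAIT      1234
  UDP    0.0.0.0:5355           *:*                                    1100
"""

# Constructed PID -> image name map, in the shape `tasklist` would give you.
TASKLIST_SAMPLE = {
    812: "svchost.exe",
    1040: "svchost.exe",
    1100: "svchost.exe",
    1234: "firefox.exe",
}


def parse_netstat(text):
    """Return one dict per connection line.

    TCP lines carry five columns; UDP lines have no State column, so the
    field count differs by protocol and must be handled separately.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # banner, blank and header lines
        if fields[0] == "TCP" and len(fields) == 5:
            proto, local, foreign, state, pid = fields
        elif fields[0] == "UDP" and len(fields) == 4:
            proto, local, foreign, pid = fields
            state = ""
        else:
            continue  # malformed line; skip rather than guess
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def established_by_process(rows, pid_to_name):
    """Group ESTABLISHED TCP peers by PID and attach the process name.

    shared_host marks svchost.exe, where the PID alone does not identify the
    responsible service; `tasklist /svc` lists the services inside that PID.
    """
    groups = defaultdict(list)
    for r in rows:
        if r["proto"] == "TCP" and r["state"] == "ESTABLISHED":
            groups[r["pid"]].append(r["foreign"])
    result = {}
    for pid, peers in sorted(groups.items()):
        name = pid_to_name.get(pid, "<unknown>")
        result[pid] = {"name": name, "peers": peers,
                       "shared_host": name.lower() == "svchost.exe"}
    return result


def report(summary):
    """Render the grouping as text lines, one per process."""
    lines = []
    for pid, info in summary.items():
        note = "  (svchost: run `tasklist /svc` to see hosted services)" if info["shared_host"] else ""
        lines.append("PID %d %s -> %d established peer(s): %s%s"
                     % (pid, info["name"], len(info["peers"]), ", ".join(info["peers"]), note))
    return lines


if __name__ == "__main__":
    # `--live` runs the real command on Windows; otherwise the constructed sample is used.
    text = subprocess.check_output(["netstat", "-ano"]).decode(errors="replace") \
        if "--live" in sys.argv else NETSTAT_SAMPLE
    for line in report(established_by_process(parse_netstat(text), TASKLIST_SAMPLE)):
        print(line)
```

    With the sample data the report attributes two connections to firefox.exe and one to an svchost.exe PID, which is exactly the case the thread describes: the browser's traffic is easy to name, the svchost traffic still needs the service list or Process Explorer before you know who owns it.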
  10. MtheK

    MtheK New Member

    Joined:
    Mar 12, 2013
    Messages:
    44
    Likes Received:
    0
    Filters are cool to throw away or block records (i.e. traffic). With the Capture filter, you can throw away the WiFi BROADCASTs which, if not diagnosing a problem with the computer recognizing it, it's best to just not save them; however, they are gone for good. But, with the Display filter, they are there but you just don't see them. So, with the DNS filter, since most HTTP requests are by name instead of IP addr, for a quick summary, I can see, let's say, the start of a session. If I want to see detail, I would just remove the Display filter.

    NETSTAT has a lot of good options. You probably have more traffic than me as I don't have this "Payload en" in mine. I assume it is an HTTP Payload as NETMON Frame Detail provides; unless encrypted, that shows the data being passed and is indeed important in diagnosis. You may like TCPView from SysInternals; I like the counts & intervals. It shows the process name with the PID & TID.

    Interesting about HOSTS. I've been blocking sites for many years, way back to Win3. Maybe my browsers just interrogate HOSTS. Not familiar with OpenDNS. Does it have a default database of specific URLs that it blocks automatically? The HOSTS blocker I use updates their file a few times a year; their last update caught 1 that I had already done, but I like it because they do the up-front work in deciding what to block, while I can always add mine. Does OpenDNS have wildcard capability, unlike HOSTS?
     
  11. julio99

    julio99 Senior Member

    Joined:
    Aug 12, 2010
    Messages:
    209
    Likes Received:
    2
    I was just about to send you a hyperlink to OpenDNS, but then I thought the forum probably has some rules about links to other sites for whatever reason and I don't need them to get pissed at me for posting links. Better safe than sorry, right. I have TCPView. I went to look it up and I just happened to notice it on my Desktop. Pretty helpful little app. As for the HOSTS file, I used a little program called HOSTS Mechanic that you just added the URL to the line and it auto-added the site you wanted blocked with the 127.0.0.1 right in front of it, to save you the time of hunting it down every time yourself. It is in a weird spot, isn't it? C:\Windows\System32\drivers\etc\Hosts; I hated looking that up all the time. Half the time I forgot where it was and I had to Google it just to find where to go, ergo, the HOSTS Mechanic app. LOL!!! As for OpenDNS, I'm sending you a screen of the page where I set up my personal filtering. You can set it up a few different ways. Site by site, or you can let OpenDNS do it for you in whole, as you will see in the screen. I am familiar with the HOSTS blocker that you use that adds about 100 or so names automatically and then updates at intervals. You use IE as your browser, right? The HOSTS file works great with IE. I just added IE10. It is pretty fast for a Microsoft product. They have finally started to pay attention to their customers as far as browsers go. They just about went in the toilet before they woke up and started getting with it. I used to uninstall anything IE from my machine until I tried 10 and then I kept it. You can get rid of a lot of the ads and it has finally become more security conscious.
    As you can see in this screen you can see some of the individual pages that I wanted gone. When you go to post a page they ask you if you want to filter everything that goes with the site or just that page, so you have a choice. Check it out sometime. It's all free.
     
    #11 julio99, Mar 16, 2013
    Last edited: Mar 16, 2013
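    The last two posts compare HOSTS-file blocking (a `127.0.0.1 name` line per site, at the path quoted above) with a DNS-level filter, and ask whether the latter can do wildcards where HOSTS cannot. The script below is an added example, not code from the thread or from HOSTS Mechanic or OpenDNS: it parses a constructed hosts file in the 127.0.0.1 style described, shows that HOSTS matching is exact (a listed name does not cover its subdomains), and contrasts it with domain-suffix matching, which is the general form of the "wildcard" capability asked about. The domain names in the sample are reserved example names, not real blocklist entries.

```python
"""HOSTS-file (exact-name) blocking versus domain-suffix blocking (added example).

The hosts file is parsed from an embedded constructed sample so this runs anywhere;
the Windows path from the thread is kept only as a reference constant.
"""

# Path quoted in the thread; not opened here.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed hosts file content in the 127.0.0.1 style a HOSTS blocker writes.
HOSTS_SAMPLE = """
# comments and blank lines are ignored by the resolver
127.0.0.1       localhost
127.0.0.1       ads.example.com
127.0.0.1   tracker.example.net   # trailing comment
0.0.0.0         badsite.example.org
"""

# Addresses a blocker points names at so the connection goes nowhere.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return {hostname: ip}. Each line is an IP followed by one or more names;
    anything after '#' is a comment. Names are lower-cased, trailing dot dropped."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an IP with no name is not a valid entry
        ip, names = parts[0], parts[1:]
        for name in names:
            mapping[name.lower().rstrip(".")] = ip
    return mapping


def hosts_blocks(mapping, hostname):
    """HOSTS semantics: only the literal name listed is redirected.

    'ads.example.com' in the file does nothing for 'cdn.ads.example.com'.
    localhost is excluded so its normal loopback entry is not counted as a block.
    """
    name = hostname.lower().rstrip(".")
    if name == "localhost":
        return False
    return mapping.get(name) in SINKHOLES


def blocked_domains_from_hosts(mapping):
    """The sinkholed names from a hosts file, usable as a suffix blocklist."""
    return sorted(n for n, ip in mapping.items() if ip in SINKHOLES and n != "localhost")


def suffix_blocks(blocked_domains, hostname):
    """Domain-level (wildcard-style) matching: blocked if the name equals a listed
    domain or is a subdomain of it. This is what a HOSTS file cannot express."""
    name = hostname.lower().rstrip(".")
    for d in blocked_domains:
        d = d.lower().rstrip(".")
        if name == d or name.endswith("." + d):
            return True
    return False


if __name__ == "__main__":
    mapping = parse_hosts(HOSTS_SAMPLE)
    domains = blocked_domains_from_hosts(mapping)
    for probe in ("ads.example.com", "cdn.ads.example.com", "notads.example.com"):
        print("%-22s hosts=%-5s suffix=%s"
              % (probe, hosts_blocks(mapping, probe), suffix_blocks(domains, probe)))
```

    Running it shows the gap the thread is asking about: `ads.example.com` is blocked by both methods, `cdn.ads.example.com` only by the suffix matcher, and `notads.example.com` by neither, since suffix matching requires the dot boundary and does not do substring matches. A hosts file also only affects programs that resolve through the system resolver, which is one reason a browser with its own resolver may ignore it, as the poster observed.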
