What application is dialling out?

 
 
David Morgan
Guest
Posts: n/a
 
      4th Jul 2003
On a small network using 'Internet Connection Sharing',
one or two of the client computers are dialling out at
random. How can I detect which computer is doing it and
what application is the cause?
 
Ron Lowe
Guest
Posts: n/a
 
      4th Jul 2003
"David Morgan" <(E-Mail Removed)> wrote in message
news:02ae01c34268$8677b550$(E-Mail Removed)...
> On a small network using 'Internet Connection Sharing',
> one or two of the client computers are dialling out at
> random. How can I detect which computer is doing it and
> what application is the cause?



The best way I've found to diagnose this is to
download and install the free version of ZoneAlarm.

Look carefully on the ZoneLabs website,
the free version is often rather obscured from view.

Install it on all the machines.
Then it will flag up the programs which are attempting to 'phone home'.

--
Best Regards,
Ron Lowe
MS-MVP Windows Networking


 
Steve Winograd [MVP]
Guest
Posts: n/a
 
      4th Jul 2003
In article <(E-Mail Removed)>, "Ron Lowe"
<ron.lowe@{DELETE}btinternet.com> wrote:
>"David Morgan" <(E-Mail Removed)> wrote in message
>news:02ae01c34268$8677b550$(E-Mail Removed)...
>> On a small network using 'Internet Connection Sharing',
>> one or two of the client computers are dialling out at
>> random. How can I detect which computer is doing it and
>> what application is the cause?

>
>
>The best way I've found to diagnose this is to
>download and install the free version of ZoneAlarm.
>
>Look carefully on the ZoneLabs website,
>the free version is often rather obscured from view.
>
>Install it on all the machines.
>Then it will flag up the programs which are attempting to 'phone home'.


I'm using ZoneAlarm right now to find out why booting an ICS client
computer on my network causes the host to dial, Ron. Here's the alert
that it gives:

Do you want to allow Generic Host Process for Win32 Services to
access the local network?

Destination IP: 192.168.0.1:DNS
Application: svchost.exe

It dials as soon as I say "yes".

I've disabled Windows Update and every startup item that I can find.
I don't know what's making the DNS call or what name it's trying to
look up. It's interesting that it's trying to access the local
network, not the Internet, but it dials anyway. Any idea how to make
it stop?
--
Thanks,
Steve Winograd, MS-MVP (Windows Networking)

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
 
Ron Lowe
Guest
Posts: n/a
 
      5th Jul 2003
"Steve Winograd [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In article <(E-Mail Removed)>, "Ron Lowe"
> <ron.lowe@{DELETE}btinternet.com> wrote:
> >"David Morgan" <(E-Mail Removed)> wrote in message
> >news:02ae01c34268$8677b550$(E-Mail Removed)...
> >> On a small network using 'Internet Connection Sharing',
> >> one or two of the client computers are dialling out at
> >> random. How can I detect which computer is doing it and
> >> what application is the cause?

> >
> >
> >The best way I've found to diagnose this is to
> >download and install the free version of ZoneAlarm.
> >
> >Look carefully on the ZoneLabs website,
> >the free version is often rather obscured from view.
> >
> >Install it on all the machines.
> >Then it will flag up the programs which are attempting to 'phone home'.

>
> I'm using ZoneAlarm right now to find out why booting an ICS client
> computer on my network causes the host to dial, Ron. Here's the alert
> that it gives:
>
> Do you want to allow Generic Host Process for Win32 Services to
> access the local network?
>
> Destination IP: 192.168.0.1:DNS
> Application: svchost.exe
>
> It dials as soon as I say "yes".
>
> I've disabled Windows Update and every startup item that I can find.
> I don't know what's making the DNS call or what name it's trying to
> look up. It's interesting that it's trying to access the local
> network, not the Internet, but it dials anyway. Any idea how to make
> it stop?
> --
> Thanks,
> Steve Winograd, MS-MVP (Windows Networking)
>
> Microsoft Most Valuable Professional Program
> http://mvp.support.microsoft.com


Is that what ZA reports on the client ?

So the client is doing a DNS lookup.
It has obtained the DNS server address of 192.168.0.1
because ICS does that by default. ( DNS forwarding by the host. )

I'd guess some *service* is doing a DNS lookup.

When I don't know what's going on, I usually fall back on a sniffer.
Try downloading ethereal ( and the winpcap drivers that it requires )
and running it on the host. Start a capture, and then boot the client.

See what traffic there is.

There will be a bunch of noise when the client boots: DHCP, browser
announcements etc.
Look for DNS queries.

See what is being resolved.

Is it a local machine or an external one?


--
Best Regards,
Ron Lowe
MS-MVP Windows Networking


 
 
Jim
Guest
Posts: n/a
 
      6th Jul 2003

>-----Original Message-----
>On a small network using 'Internet Connection Sharing',
>one or two of the client computers are dialling out at
>random. How can I detect which computer is doing it and
>what application is the cause?
>.

I'm having an identical problem. I've found that the
second machine (the one WITHOUT the internet access)
seems to be trying to search for connectivity. I've
eliminated the problem by disconnecting the crossover
cable.

I've looked for viruses and found none (latest NAV defs).

TO MICROSOFT SUPPORT:

What's up with this?
 
 
*´¯`·.¸.· Kevin Norton·
Guest
Posts: n/a
 
      6th Jul 2003
"Jim" <(E-Mail Removed)> wrote in message news:<043201c3437c$ae09f640W32.Randex.D virus.

http://www.symantec.com/avcenter/ven....randex.d.html
 
 
Steve Winograd [MVP]
Guest
Posts: n/a
 
      7th Jul 2003
In article <#(E-Mail Removed)>, "Ron Lowe"
<ron.lowe@{DELETE}btinternet.com> wrote:
>"Steve Winograd [MVP]" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed)...
>> I'm using ZoneAlarm right now to find out why booting an ICS client
>> computer on my network causes the host to dial, Ron. Here's the alert
>> that it gives:
>>
>> Do you want to allow Generic Host Process for Win32 Services to
>> access the local network?
>>
>> Destination IP: 192.168.0.1:DNS
>> Application: svchost.exe
>>
>> It dials as soon as I say "yes".

>
>Is that what ZA reports on the client ?
>
>So the client is doing a DNS lookup.
>It has obtained the DNS server address of 192.168.0.1
>because ICS does that by default. ( DNS forwarding by the host. )
>
>I'd guess some *service* is doing a DNS lookup.
>
>When I don't know what's going on, I usually fall back on a sniffer.
>Try downloading ethereal ( and the winpcap drivers that it requires )
>and running it on the host. Start a capture, and then boot the client.
>
>See what traffic there is.
>
>There will be a bunch of noise when the client boots: DHCP, browser
>announcements etc.
>Look for DNS queries.
>
>See what is being resolved.
>
>Is it a local machine or an external one?


Thanks for your reply, Ron. I've installed Ethereal and WinPcap on
the ICS host. What great programs! It's amazing to actually see
things like DHCP, browser announcements, SSDP, and DNS in action. I'm
probably going to spend way too much time sniffing and examining
packets. ;-)

I found a completely unexpected result: ZoneAlarm itself was issuing a
DNS lookup when the client computer booted, causing the host computer
to dial. It was resolving the name "lockup.zonealarm.com". ZA's
"True Vector Internet Monitor" runs as a service, so svchost.exe was
the source.

When I disabled ZoneAlarm and rebooted, the host stopped dialing when
the client boots!

P.S.

I found another thing that can cause DNS lookups: if the client's DNS
suffix (primary or connection-specific) is different than the host's,
the client's attempts to look up computer names (e.g. comp.mshome.net)
by DNS can't be resolved locally by the host.
--
Thanks!
Steve Winograd, MS-MVP (Windows Networking)

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
 
Ron Lowe
Guest
Posts: n/a
 
      7th Jul 2003
"Steve Winograd [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> Thanks for your reply, Ron. I've installed Ethereal and WinPcap on
> the ICS host. What great programs! It's amazing to actually see
> things like DHCP, browser announcements, SSDP, and DNS in action. I'm
> probably going to spend way too much time sniffing and examining
> packets. ;-)
>
> I found a completely unexpected result: ZoneAlarm itself was issuing a
> DNS lookup when the client computer booted, causing the host computer
> to dial. It was resolving the name "lockup.zonealarm.com". ZA's
> "True Vector Internet Monitor" runs as a service, so svchost.exe was
> the source.
>
> When I disabled ZoneAlarm and rebooted, the host stopped dialing when
> the client boots!
>
> P.S.
>
> I found another thing that can cause DNS lookups: if the client's DNS
> suffix (primary or connection-specific) is different than the host's,
> the client's attempts to look up computer names (e.g. comp.mshome.net)
> by DNS can't be resolved locally by the host.
> --
> Thanks!
> Steve Winograd, MS-MVP (Windows Networking)
>
> Microsoft Most Valuable Professional Program
> http://mvp.support.microsoft.com



< Just back online after house move and new ISP : 2Mbps:-) >

Yes, it's quite educational to see all of what's going on.
Indeed, you can spend too long messing with it.
Sometimes the only way to determine what's happening.

Here's an educational trick:
Create a hidden share on a 'server'. Say 'test$'.
Go to the sniffer machine, and start a capture.
Command prompt: net view \\server.
You get the usual list of shares, hidden shares not shown.
Stop the capture.
Look at the Share Enumeration, expand it up.
All present and correct. Including hidden ones!
Just goes to show that hidden$ is only hidden if the client respects the $!

One thing to remember is that the sniffer will only see packets which are on
the wire to that machine. If you have a hub, then you see all traffic. But
in a switched environment, you only see traffic to/from the leg of the
switch you are on, as well as broadcasts ( like ARP requests, etc. ) This
sometimes causes confusion.

Sometimes, I will put a sniffer laptop and a small hub in-circuit to be able
to silently capture traffic on a wire to a machine under test.

Re: ZA... Is that service possibly an 'auto update' service which is
running, and can be disabled by shutting off auto update feature?

Re: DNS suffix: That's what I'd expect. That's essentially how a full-blown
DNS server would behave too.
Here's what happens:

Client is 'client', Primary DNS suffix is "domain1.com".
Client (client.domain1.com): "ping otherpc"
Client DNS resolver: "hmm, not a FQDN. Let's append the primary suffix and
submit to DNS"
Client DNS resolver: "dear 192.168.0.1, please resolve "otherpc.domain1.com""

Host and DNS mini-server, is 'host', Primary DNS suffix = mshome.net
Host: "Help! I can't resolve "otherpc.domain1.com" locally, I only know
about 'mshome.net' locally."
Host: "So I must go out on the Internet and resolve this external domain
'domain1.com'."

--
Best Regards,
Ron Lowe
MS-MVP Windows Networking
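
An added example, not part of any post in this thread: the two diagnostic steps discussed above (look for DNS queries in a capture taken on the ICS host, then check whether each name falls under the host's own suffix) expressed as a small Python script. The packet list is constructed sample data, the function names are hypothetical, and it assumes the host answers only names under `mshome.net` locally, as described in the thread.

```python
import struct
from collections import defaultdict

LOCAL_SUFFIX = "mshome.net"  # ICS host's DNS suffix, as named in the thread

def build_query(name, txid=0x1234):
    """Build a minimal DNS A query payload (only used to construct sample data)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def parse_qname(payload):
    """Return the first question name of a DNS query, or None if malformed."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack(">HH", payload[2:6])
    if flags & 0x8000 or qdcount < 1:   # QR bit set means a response, not a query
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None                 # ran off the end: truncated packet
        n = payload[pos]
        if n == 0:
            return ".".join(labels).lower()
        if n > 63 or pos + 1 + n > len(payload):
            return None                 # pointer or overrun, not valid in a question
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n

def is_local(name, suffix=LOCAL_SUFFIX):
    """Assumption: only names under the host's own suffix are answered locally."""
    return name == suffix or name.endswith("." + suffix)

def dial_triggers(packets):
    """Map client IP -> external names it asked the host to resolve."""
    out = defaultdict(list)
    for src_ip, payload in packets:
        name = parse_qname(payload)
        if name and not is_local(name):
            out[src_ip].append(name)
    return dict(out)

# Constructed capture: (source IP, UDP port 53 payload) pairs seen on the host
SAMPLE = [
    ("192.168.0.2", build_query("lockup.zonealarm.com")),
    ("192.168.0.3", build_query("comp.mshome.net")),
    ("192.168.0.3", build_query("otherpc.domain1.com")),
]
```

Calling `dial_triggers(SAMPLE)` lists, per client, the names the host would have to forward to an external DNS server, which is what brings the dial-up link up.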


 