TCP Application myHive

Hi All,

We've got a Mac on the network which has very high TCP Application usage.
It's showing as over 8GB in a 24-hour period.
The next highest usage is 200MB from another machine.

Any ideas what this might be? Would any software like Time Machine or Dropbox be recording in this application type?


Thanks

EDIT: Just to add, it's done 43GB in the last 7 days

James Ison-Stierer

Posted 3 years ago

boogins

Do you have access to your organization's firewall?  Normally, they are configured to retain the records of all network traffic going through it.  It's normally pretty easy to filter the data on a single device and see what kind of traffic it is generating.

Nick Lowe, Official Rep

I suspect that James does not have an application-aware firewall or he would not be asking this question?

If you -do- have an application-aware firewall, as boogins says, definitely go and look there first.

If not and where the built-in AVC isn't giving you enough detail to go on, some more detailed investigation will be required.

Is this traffic pattern repeating? If so, are you able to go and visit this Mac or its user to inspect it first hand?

If not, a packet capture and some brief analysis would be helpful as you would be able to see the source address, destination address and destination port. Potentially, you will see the contents too if it's not encrypted.

It's always best, but not essential, to get the setup/handshake that goes on with this type of thing if possible as it typically gives more information.

You are able to perform a remote packet capture via the AP if necessary:
http://blogs.aerohive.com/blog/the-wireless-lan-architecture-blog-2/innovative-wi-fi-how-to-do-packe...
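
An added example, not part of Nick Lowe's post or of any Aerohive tooling: once a capture of the Mac's traffic has been saved as a classic pcap file, this Python script totals the bytes the host sent per destination address, protocol and destination port. The function names, addresses and packet sizes are constructed for illustration.

```python
import socket, struct
from collections import Counter

def top_flows(pcap: bytes, host: str):
    """Bytes sent by `host` per (dst, proto, dst_port), largest first."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic (microsecond) pcap file")
    end = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    totals, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl, orig = struct.unpack(end + "II", pcap[off + 8:off + 16])
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4 (VLAN tags, IPv6 not handled)
        proto, l4 = frame[23], 14 + (frame[14] & 0x0F) * 4
        if socket.inet_ntoa(frame[26:30]) != host or proto not in (6, 17):
            continue
        frag = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
        # Ports exist only in the first fragment and only if the capture kept them.
        dport = None if frag or len(frame) < l4 + 4 else struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
        key = (socket.inet_ntoa(frame[30:34]), "tcp" if proto == 6 else "udp", dport)
        totals[key] += orig               # wire length, so a short snaplen still counts
    return totals.most_common()

def _frame(src, dst, proto, dport, payload_len):
    """Constructed Ethernet/IPv4 frame with zeroed MACs, checksums and payload."""
    l4 = struct.pack("!HH", 40000, dport) + bytes((16 if proto == 6 else 4) + payload_len)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes(12) + b"\x08\x00" + ip + l4

def sample_pcap():
    """Constructed capture: addresses and sizes are made up for the example."""
    frames = [_frame("10.0.0.23", "10.0.0.50", 17, 8612, 1400)] * 3
    frames += [_frame("10.0.0.23", "192.0.2.10", 6, 443, 100),
               _frame("10.0.0.99", "10.0.0.50", 17, 8612, 1400)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for (dst, proto, port), nbytes in top_flows(sample_pcap(), "10.0.0.23"):
        print(f"{dst:<15} {proto}/{str(port):<6} {nbytes} bytes")
```

Totals use each packet's original wire length, so a capture taken with a short snap length still reports the real volume per destination.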

James Ison-Stierer

Thanks - No application-aware firewall but didn't know about the remote sniffer - will give that a go or next time I'm on site I'll try to track down the user.
Cheers

Dawn Douglass

I have seen this on a Mac where the user had a very large network home folder.

glenstorey .

I've been having the same trouble. It looks like it's a rogue printer driver or some kind of streaming service on udp/8612 (I don't know how radio streaming could hit 13 gig in 2 hours though). I haven't had a chance to investigate on the computer itself but this seems to be the culprit. 
See here and here for more info.

Crowdie, Champ

Canon network printers use UDP 8612 and a large run of graphical printing could explain the large amount of traffic.