network lights flash when I'm not doing anything



Andy Fish
07-10-2005, 01:52 AM
Hi,

I have windows xp sp2 and the network indicator lights for my ethernet
connection are always on even when nothing is running on the system.

When I say "nothing running", I mean I have closed down all applications
(including explorer), and all processes that will close so the only things
left are lsass, winlogon, csrss, services, system and a couple of svchosts.

Both netstat and sysinternals TDIMon both show no tcp/udp activity, but
performance monitor reports between 500 and 1500 bytes per second (always
identical amounts sent and received), and the network status dialog window
also shows packets constantly in and out.

Rebooting doesn't help, and I have done a full virus scan which was clean.
The network adapter is an intel pro/1000 CT and I have never had any other
problems with it.

TIA for any clues

Andy

Chuck
07-10-2005, 01:52 AM
On Mon, 16 May 2005 12:26:06 +0100, "Andy Fish" <*email_address_deleted*> wrote:

>Hi,
>
>I have windows xp sp2 and the network indicator lights for my ethernet
>connection are always on even when nothing is running on the system.
>
>When I say "nothing running", I mean I have closed down all applications
>(including explorer), and all processes that will close so the only things
>left are lsass, winlogon, csrss, services, system and a couple of svchosts.
>
>Both netstat and sysinternals TDIMon both show no tcp/udp activity, but
>performance monitor reports between 500 and 1500 bytes per second (always
>identical amounts sent and received), and the network status dialog window
>also shows packets constantly in and out.
>
>Rebooting doesn't help, and I have done a full virus scan which was clean.
>The network adapter is an intel pro/1000 CT and I have never had any other
>problems with it.
>
>TIA for any clues
>
>Andy

Andy,

Is the mysterious traffic actually opening ports on your computer? Or is it
simple background noise, or probes from infected computers (that should be
blocked by your firewall which I hope you have)?

Since you have TDIMon from Sysinternals, you should also have Process Explorer
and TCPView. TCPView will show you if your computer is actually opening any
ports, and Process Explorer will show you more about any programs servicing any
interesting ports.

If you want to know still more about the mysterious traffic, get Port Explorer
(also free) from <http://www.diamondcs.com.au/portexplorer/index.php?page=home>.

And Andy, posting your email address openly will get you more unwanted email,
than wanted email. Learn to munge your email address properly, to keep yourself
a bit safer when posting to open forums. Protect yourself and the rest of the
internet - read this article.
http://www.mailmsg.com/SPAM_munging.htm

--
Cheers,
Chuck
http://nitecruzr.blogspot.com/
Paranoia is not necessarily a bad thing - it's a normal response from experience.
My email is AT DOT
actual address pchuck sonic net.

Andy Fish
07-10-2005, 01:52 AM
"Chuck" <none@example.net> wrote in message
news:2i8h81hob9tpupsi2ebbi7ddamt9knnpvm@4ax.com...
> On Mon, 16 May 2005 12:26:06 +0100, "Andy Fish" <*email_address_deleted*>
> wrote:
>
>>Hi,
>>
>>I have windows xp sp2 and the network indicator lights for my ethernet
>>connection are always on even when nothing is running on the system.
>>
>>When I say "nothing running", I mean I have closed down all applications
>>(including explorer), and all processes that will close so the only things
>>left are lsass, winlogon, csrss, services, system and a couple of
>>svchosts.
>>
>>Both netstat and sysinternals TDIMon both show no tcp/udp activity, but
>>performance monitor reports between 500 and 1500 bytes per second (always
>>identical amounts sent and received), and the network status dialog window
>>also shows packets constantly in and out.
>>
>>Rebooting doesn't help, and I have done a full virus scan which was clean.
>>The network adapter is an intel pro/1000 CT and I have never had any other
>>problems with it.
>>
>>TIA for any clues
>>
>>Andy
>
> Andy,
>
> Is the mysterious traffic actually opening ports on your computer? Or is
> it
> simple background noise, or probes from infected computers (that should be
> blocked by your firewall which I hope you have)?
>
> Since you have TDIMon from Sysinternals, you should also have Process
> Explorer
> and TCPView. TCPView will show you if your computer is actually opening
> any
> ports, and Process Explorer will show you more about any programs
> servicing any
> interesting ports.
>
> If you want to know still more about the mysterious traffic, get Port
> Explorer
> (also free) from
> <http://www.diamondcs.com.au/portexplorer/index.php?page=home>.
>
> And Andy, posting your email address openly will get you more unwanted
> email,
> than wanted email. Learn to munge your email address properly, to keep
> yourself
> a bit safer when posting to open forums. Protect yourself and the rest of
> the
> internet - read this article.
> http://www.mailmsg.com/SPAM_munging.htm
>

Thanks for the advice chuck

It definitely doesn't seem to be opening ports on the computer. AFAIK if it
was TCP or UDP traffic (i.e. anything that could be picked up by port
exporer or TCPView, It would be picked up by TDIMon. I guess it could be
caused by other non-IP related noise on the network as it's on a small LAN.

It seems to have stopped now :-\ If it happens again, I think I'll unplug
the other boxes on the LAN and see if that makes a diference

Andy
(btw, not my real name or email address)

> --
> Cheers,
> Chuck
> http://nitecruzr.blogspot.com/
> Paranoia is not necessarily a bad thing - it's a normal response from
> experience.
> My email is AT DOT
> actual address pchuck sonic net.

Chuck
07-10-2005, 01:52 AM
On Mon, 16 May 2005 16:38:21 +0100, "Andy Fish" <ajfish@blueyonder.co.uk> wrote:

>
>"Chuck" <none@example.net> wrote in message
>news:2i8h81hob9tpupsi2ebbi7ddamt9knnpvm@4ax.com...
>> On Mon, 16 May 2005 12:26:06 +0100, "Andy Fish" <*email_address_deleted*>
>> wrote:
>>
>>>Hi,
>>>
>>>I have windows xp sp2 and the network indicator lights for my ethernet
>>>connection are always on even when nothing is running on the system.
>>>
>>>When I say "nothing running", I mean I have closed down all applications
>>>(including explorer), and all processes that will close so the only things
>>>left are lsass, winlogon, csrss, services, system and a couple of
>>>svchosts.
>>>
>>>Both netstat and sysinternals TDIMon both show no tcp/udp activity, but
>>>performance monitor reports between 500 and 1500 bytes per second (always
>>>identical amounts sent and received), and the network status dialog window
>>>also shows packets constantly in and out.
>>>
>>>Rebooting doesn't help, and I have done a full virus scan which was clean.
>>>The network adapter is an intel pro/1000 CT and I have never had any other
>>>problems with it.
>>>
>>>TIA for any clues
>>>
>>>Andy
>>
>> Andy,
>>
>> Is the mysterious traffic actually opening ports on your computer? Or is
>> it
>> simple background noise, or probes from infected computers (that should be
>> blocked by your firewall which I hope you have)?
>>
>> Since you have TDIMon from Sysinternals, you should also have Process
>> Explorer
>> and TCPView. TCPView will show you if your computer is actually opening
>> any
>> ports, and Process Explorer will show you more about any programs
>> servicing any
>> interesting ports.
>>
>> If you want to know still more about the mysterious traffic, get Port
>> Explorer
>> (also free) from
>> <http://www.diamondcs.com.au/portexplorer/index.php?page=home>.
>>
>> And Andy, posting your email address openly will get you more unwanted
>> email,
>> than wanted email. Learn to munge your email address properly, to keep
>> yourself
>> a bit safer when posting to open forums. Protect yourself and the rest of
>> the
>> internet - read this article.
>> http://www.mailmsg.com/SPAM_munging.htm
>>
>
>Thanks for the advice chuck
>
>It definitely doesn't seem to be opening ports on the computer. AFAIK if it
>was TCP or UDP traffic (i.e. anything that could be picked up by port
>exporer or TCPView, It would be picked up by TDIMon. I guess it could be
>caused by other non-IP related noise on the network as it's on a small LAN.
>
>It seems to have stopped now :-\ If it happens again, I think I'll unplug
>the other boxes on the LAN and see if that makes a diference

Andy,

Well, if it's not opening ports on the computer detecting the traffic, there's
probably not too much to worry about there. But it wouldn't hurt to watch the
other computers, in case it doesn't originate on the WAN / Internet.

TDIMon - another SysInternals utility that I haven't played with. %-}

--
Cheers,
Chuck
http://nitecruzr.blogspot.com/
Paranoia is not necessarily a bad thing - it's a normal response from experience.
My email is AT DOT
actual address pchuck sonic net.


network lights flash when I'm not doing anything