Network Traffic

CarpeNoctem · 06-09-2009, 02:49 PM

Can someone help me with this entry in my Event Viewer?

I am creating a small home-based business network for a CAD company and I don't fully understand some of these entries.

The Server has 2 NICS one 192.168.0 and the other 192.168.11. The server is running Windows Server 2003. The .0 Subnet has the house's personal computers. The .11 Subnet has their workstations.

For a little background, they are a home based business who hires CAD Operators and ships out computers to them so they can work from home. The company pays for an upgraded ISP connection which will make VPN connections fast enough to tolerate. It's actually a good idea because there are more baby boomer CAD operators than any generation who would love to work from home after working in an office 8-12 hours a day for 15-25 years.

Anyways, I am getting Anonymous Logons from a computer in the .0 network in the event viewer.

I find this strange because the server's .0 NIC is connected to the router and the .11 NIC is connected to a switch. So every workstation on the .11 subnet goes through the switch to get the the server and their home computers connect directly to the router and the router to the cable modem. This separates the two so that traffic generated by their personal computer will not affect performance on their work computers. When they were all on one subnet, their network programs (located on server) started slower and lagged. I am unclear why the computers on the .0 subnet are trying to log into the server. They shouldn't even be able to see the workstations on the .11 subnet. Here is the event viewer...

Code:

Successful Network Logon:
 	User Name:	
 	Domain:		
 	Logon ID:		(0x0,0x4AC98)
 	Logon Type:	3
 	Logon Process:	NtLmSsp 
 	Authentication Package:	NTLM
 	Workstation Name:	ROBUT
 	Logon GUID:	-
 	Caller User Name:	-
 	Caller Domain:	-
 	Caller Logon ID:	-
 	Caller Process ID: -
 	Transited Services: -
 	Source Network Address:	192.168.0.198
 	Source Port:	0

My question is, Is this normal? And if it is normal, will it affect network traffic?

They constantly use autodesk/3rd party network programs (LAN and inbound internet connections) so I need to make this network as efficient as possible. And this is the only thing I can see which is out of place. Your help is very much appreciated. Thank you!

BTW I've been out of the networking/server administration scene for 7 or so years (yes, server 2003 is new to me lol) and am trying to get all of this knowledge back. So I may have more questions :P

vampist · 06-09-2009, 04:47 PM

Well.. I am definitely not the one to help you completely.. But have you checked what is at 192.168.0.198?
The login type is a network login. (could be shared files, or printer)
Do you have a computer with the workstation name "ROBUT"?
The source port is sort of strange..

CarpeNoctem · 06-09-2009, 06:06 PM

Quote:

Originally Posted by vampist

Well.. I am definitely not the one to help you completely.. But have you checked what is at 192.168.0.198?
The login type is a network login. (could be shared files, or printer)
Do you have a computer with the workstation name "ROBUT"?
The source port is sort of strange..

Thanks, that's a good idea about shared files. I'll have to disable shared files on their computers and look at what happens in the event viewer. ROBUT is one of their personal computers on the .0 subnet. I am just unsure of why there was traffic generated. I live across town from this small business/home network so I want to make sure everything is in tip top shape when I finish setting it up. And so far this is the only thing going on in the server that is unfamiliar and unplanned.

I'm pretty much stumped because the .11 computers should not be able to see any of the computers on the .0 subnet.

They have quite a few personal computers on the .0 subnet but only this one computer named ROBUT is connecting to the server.

vampist · 06-09-2009, 07:07 PM

Quote:

Originally Posted by CarpeNoctem

Thanks, that's a good idea about shared files. I'll have to disable shared files on their computers and look at what happens in the event viewer. ROBUT is one of their personal computers on the .0 subnet. I am just unsure of why there was traffic generated. I live across town from this small business/home network so I want to make sure everything is in tip top shape when I finish setting it up. And so far this is the only thing going on in the server that is unfamiliar and unplanned.

I'm pretty much stumped because the .11 computers should not be able to see any of the computers on the .0 subnet.

They have quite a few personal computers on the .0 subnet but only this one computer named ROBUT is connecting to the server.

Well that one connection wasn't on the .11 subnet it was on the .0 subnet.
Unless that connection is from a log ON the .11 subnet.. Then you have a problem lol.. but yeah I would check out .0.192.

CarpeNoctem · 06-09-2009, 09:59 PM

Actually you're correct, the log file is on a server on the .11 subnet. The .0 subnet has no server between the personal computers and the router, while the workstations are connected to the router through a server. I did this to separate work traffic from the owners kids traffic specifically.

The reason I put the server in is because they need to use their office LAN software over the internet. So I set them up on VPN and the company is profitable enough to upgrade their workers internet at home to be efficient.

There were lags in the software that were not due to internet connectivity. I narrowed it down to the owners son's playing LAN games together (not over the internet). So I decided to separate the traffic of the workstations from the personal computers. But this kinda defeats the purpose.

ROBUT is the owners personal computer so it's not as detrimental as the LAN gaming computers.

user12 · 06-11-2009, 11:27 AM

what type of packets is it sending?

CarpeNoctem · 06-11-2009, 03:01 PM

It turns out the owner was using a wifi card on his workstation (in addition to his ethernet NIC) to listen to music from his personal computer's shared folders. I stopped the file sharing, stopping the traffic from the .0 subnet. Thanks for everyone's input.

vampist · 06-11-2009, 04:55 PM

Quote:

Originally Posted by CarpeNoctem

It turns out the owner was using a wifi card on his workstation (in addition to his ethernet NIC) to listen to music from his personal computer's shared folders. I stopped the file sharing, stopping the traffic from the .0 subnet. Thanks for everyone's input.

Welcome

06-09-2009, 02:49 PM	#1
CarpeNoctem Daemon Poster Join Date: Oct 2004 Posts: 1,274	Network Traffic Can someone help me with this entry in my Event Viewer? I am creating a small home-based business network for a CAD company and I don't fully understand some of these entries. The Server has 2 NICS one 192.168.0 and the other 192.168.11. The server is running Windows Server 2003. The .0 Subnet has the house's personal computers. The .11 Subnet has their workstations. For a little background, they are a home based business who hires CAD Operators and ships out computers to them so they can work from home. The company pays for an upgraded ISP connection which will make VPN connections fast enough to tolerate. It's actually a good idea because there are more baby boomer CAD operators than any generation who would love to work from home after working in an office 8-12 hours a day for 15-25 years. Anyways, I am getting Anonymous Logons from a computer in the .0 network in the event viewer. I find this strange because the server's .0 NIC is connected to the router and the .11 NIC is connected to a switch. So every workstation on the .11 subnet goes through the switch to get the the server and their home computers connect directly to the router and the router to the cable modem. This separates the two so that traffic generated by their personal computer will not affect performance on their work computers. When they were all on one subnet, their network programs (located on server) started slower and lagged. I am unclear why the computers on the .0 subnet are trying to log into the server. They shouldn't even be able to see the workstations on the .11 subnet. Here is the event viewer... Code: Successful Network Logon: User Name: Domain: Logon ID: (0x0,0x4AC98) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: ROBUT Logon GUID: - Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 192.168.0.198 Source Port: 0 My question is, Is this normal? And if it is normal, will it affect network traffic? They constantly use autodesk/3rd party network programs (LAN and inbound internet connections) so I need to make this network as efficient as possible. And this is the only thing I can see which is out of place. Your help is very much appreciated. Thank you! BTW I've been out of the networking/server administration scene for 7 or so years (yes, server 2003 is new to me lol) and am trying to get all of this knowledge back. So I may have more questions :P __________________ How many people can read hex if only you and dead people can read hex? Start using reputation points!!!

06-09-2009, 04:47 PM	#2
vampist Fully Optimized Join Date: Oct 2008 Posts: 2,345	Re: Network Traffic Well.. I am definitely not the one to help you completely.. But have you checked what is at 192.168.0.198? The login type is a network login. (could be shared files, or printer) Do you have a computer with the workstation name "ROBUT"? The source port is sort of strange.. __________________ Everyone's Favorite Turd xD ET: "Phone home!" Geek: "ping 127.0.0.1" "If that guy knew half the $h*t that I know, his fuzzy little head would explode. " - Matthew Farrell

06-09-2009, 09:59 PM	#5
CarpeNoctem Daemon Poster Join Date: Oct 2004 Posts: 1,274	Re: Network Traffic Actually you're correct, the log file is on a server on the .11 subnet. The .0 subnet has no server between the personal computers and the router, while the workstations are connected to the router through a server. I did this to separate work traffic from the owners kids traffic specifically. The reason I put the server in is because they need to use their office LAN software over the internet. So I set them up on VPN and the company is profitable enough to upgrade their workers internet at home to be efficient. There were lags in the software that were not due to internet connectivity. I narrowed it down to the owners son's playing LAN games together (not over the internet). So I decided to separate the traffic of the workstations from the personal computers. But this kinda defeats the purpose. ROBUT is the owners personal computer so it's not as detrimental as the LAN gaming computers. __________________ How many people can read hex if only you and dead people can read hex? Start using reputation points!!!

06-11-2009, 11:27 AM	#6
user12 In Runtime Join Date: Oct 2005 Posts: 140	Re: Network Traffic what type of packets is it sending?

06-11-2009, 03:01 PM	#7
CarpeNoctem Daemon Poster Join Date: Oct 2004 Posts: 1,274	Re: Network Traffic It turns out the owner was using a wifi card on his workstation (in addition to his ethernet NIC) to listen to music from his personal computer's shared folders. I stopped the file sharing, stopping the traffic from the .0 subnet. Thanks for everyone's input. __________________ How many people can read hex if only you and dead people can read hex? Start using reputation points!!!

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode