PRTG Network Monitor - Query

Started by Griffin NoName, June 06, 2013, 04:08:25 AM


Griffin NoName

I downloaded and installed PRTG Network Monitor as I am suddenly using a huge amount of bandwidth compared to my normal amount and I wanted to investigate.

During installation I was asked whether I wanted to do something or other with address 192.168.1.81 - it implied I was best to say yes. It was something to do with security. It also seemed to be something to do with running a web server. Typically stupid I did not note what it actually said so this is from my memory and I think my brain is corrupt.

Anyway, having said yes, I continued on, and found that the software was hugely complex to use, way too much info, and I couldn't work out how to see what I actually wanted to see.

So, I uninstalled the s.w (using the PRTG uninstall). I assumed this would reset the 192.168.1.81 to original before installation.

I then downloaded and installed Stone Net Monitor (Softpedia NetMon) which is a dinky little program that shows all I want to know clearly and easy to read. (only thing it lacks, is it doesn't show application usage).

NetMon shows massive amounts of bytes received while I am not doing anything via 192.168.1.81 - normal ports plus 8000 which was definitely connected with PRTG.

Is this normal? Or has whatever was changed by the PRTG installation not been undone by the uninstall?

(I have searched the PRTG User Guide - tells me nothing - I have also googled but don't get anything sensible).

EDIT

I've been looking around at stuff. It's the source IP address, IPv4 TCP/IP that is set to 192.168.1.81 (not assigned, properties show it as default gateway) - I've no idea if this was set like this before I ran PRTG. Is "81" usual?

I've isolated the traffic: 192.168.81 -> 192.168.1.254 via port 8000 shows largest traffic  - so I guess that's alright as presume it is just traffic between laptop and router. Except I am not sure it was port 8000 prior to PRTG.

EDIT AGAIN

On second thoughts, I think IPv4 was source 192.168.1.1 and destination 192.168.1.2 before all this ? How do I reset? (using ipconfig just re-applies 192.168.1.81)
Psychic Hotline Host

One approaches the journey's end. But the end is a goal, not a catastrophe. George Sand


Sibling Zono (anon1mat0)

Chances are that the router is controlling the IPs on your network, normal installation uses DHCP and usually devotes a range of IPs for it, depending on the router those could be just beside the router main address (in your case likely 192.168.1.1) or separated (with my last router it uses .100+ for DHCP for instance). You should be able to configure the router to use any range you want although it isn't necessary unless you want to manually assign your IP in your adapter or assign a specific IP to a specific MAC address. I suspect you don't have that many devices connected to your router (normally your PC, and any other device like an iPod, tablet, phone on wifi or a network printer with its own adapter). The less you have the lower the chance of IP conflicts and the need for specific IP assignments. The other reason is if you want to route specific traffic to your PC (like remote desktop) in which case the internal IP must remain fixed and the router must have a NAT table to which you tell which port goes routed to which internal IP (I would imagine that isn't your case either).

This whole babble points to one last thing: do you really need a sniffer in your home setup? Are the white vans parking on your driveway?  ;)
Sibling Zono(trichia Capensis) aka anon1mat0 aka Nicolás.

PPPP: Politicians are Parasitic, Predatory and Perverse.

Bob in a quantum-state-of-faith

What Zono said-- that .81 sounds like an internal device, like a laptop/pc, etc.   Certainly the first three: 192.168.1.  is more or less standard practice for local network assignments behind a router or switch.

Some installations need more than 255 addresses, and so change that up some-- typically assigning the 3rd number to specific departments, etc.  There really isn't a reason why you couldn't change it up to whatever you wished-- it's behind the router/switch, and as such (If I understand it right--possible I'm wrong) on the "world" side of the router, all traffic is routed to that number first, and the internal stuff gets redirected via the router/switch software suite.

Sometimes, the real journey can only be taken by making a mistake.

my webpage-- alas, Cox deleted it--dead link... oh well ::)

Griffin NoName

Quote from: Sibling Zono (anon1mat0) on June 06, 2013, 10:07:23 PM

This whole babble points to one last thing: do you really need a sniffer in your home setup? Are the white vans parking on your driveway?  ;)

What have I described that is a sniffer?


The items that connect to the router are: Laptop, Kindle, Smart Phone. iTouch - no conflicts in the past. Smart Phone and Kindle working fine today, so, although I haven't checked the iTouch, I'm not worried.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To log onto my router I had bookmarked 192.168.1.254 a couple of years ago - so this hasn't changed. I just checked it.

I think it is my laptop address that has changed from 192.168.1.1 - to 192.168.1.81 and I think the port has been changed to 8000.

But I don't understand how this can have happened as I never entered my router password. ?





Sibling Zono (anon1mat0)

A "network monitor", that is, a tool that analyzes network traffic is what usually is called in the business as a sniffer.
--
The router will assign IPs however it likes depending on what IP is expiring and what is available, so it isn't impossible to jump from .1 to .81.

As for port 8000 this is a page with some info on programs using it:

http://www.speedguide.net/port.php?port=8000

Is the sniffer reporting high traffic on that port?

Last but not least, is your router wireless and you don't have a password for it??!?!?!!?


Griffin NoName

Quote from: Sibling Zono (anon1mat0) on June 07, 2013, 02:04:42 AM
A "network monitor", that is, a tool that analyzes network traffic is what usually is called in the business as a sniffer.

Quote from: Griffin NoName on June 06, 2013, 04:08:25 AM
NetMon shows massive amounts of bytes received while I am not doing anything via 192.168.1.81 - normal ports plus 8000 which was definitely connected with PRTG.

...........and, currently I have three sniffers LoL (they all sniff slightly different stuff).

This all started because my down bandwidth has rocketed in the last two months but I haven't been doing anything I haven't always done, so I want to see if I can pin down what is using all the extra bandwidth. Thanks for the link. I don't use any of the s/w it lists - I suppose I could have a trojan. Though seems unlikely with Norton. EDIT: scan on 8000 shows no open ports.

Quote from: Sibling Zono (anon1mat0) on June 07, 2013, 02:04:42 AM
The router will assign IPs however it likes depending on what IP is expiring and what is available, so it isn't impossible to jump from .1 to .81.

Yes, but it was always "1" before, but now after PRTG it's always "81" -

Quote from: Sibling Zono (anon1mat0) on June 07, 2013, 02:04:42 AM
As for port 8000 this is a page with some info on programs using it:

http://www.speedguide.net/port.php?port=8000

Is the sniffer reporting high traffic on that port?

Yes. It's considerably higher than any other. Source 192.168.1.81 Destination 192.168.1.254

Quote from: Sibling Zono (anon1mat0) on June 07, 2013, 02:04:42 AM
Last but not least, is your router wireless and you don't have a password for it??!?!?!!?

Quote from: Griffin NoName on June 07, 2013, 12:34:03 AM
I think it is my laptop address that has changed from 192.168.1.1 - to 192.168.1.81 and I think the port has been changed to 8000.

But I don't understand how this can have happened as I never entered my router password. ?

Yes, of course my wireless router has a password.  I meant PRTG never asked me to enter it.


Sibling Zono (anon1mat0)

Are you perchance using your itouch to listen to music while connected to wifi? Considering that shoutcast uses port 8000 I wouldn't be surprised if the app you use for music listening is connecting to your PC while doing so, to confirm review the IP of the itouch (and if it is .254 that would solve the mystery).

Also, have you been using any torrent client? Those have some negative side effects on your regular bandwidth.

Griffin NoName

No, no, no. My iTouch is dead at present. I hardly ever use it and the battery is dead. I don't listen to any music on anything (except my analogue CD player from circa 1978). I've never used bit torrents. I never use any of the things port 8000 is listed for. Nothing used to use port 8000, now it does. I'm sure this is something to do with having had PRTG installed (now uninstalled). I just want to get back to port 80 like it used to be.

My PC was always 192.168.1.1 and my laptop 192.168.1.2 - I want it back that way.

{{{have just checked smart phone. it is 192.168.1.82 }}}





Sibling Zono (anon1mat0)

The fact that your phone is .82 confirms that DHCP is using that range.

Disclaimer:
The following instructions come without warranty, you may royally screw your network settings while playing with this, and the computer will be unusable re, the internet. Make changes at your own peril.

If you want to force .1 on your PC you have 2 ways:

1. Open your router administrator (that is, navigate to 192.168.1.255 if that is the internal IP) and look for the list of currently attached devices. Some routers have the option to assign a specific IP to a MAC address, and the MAC of the network adapter should be in the list beside its IP. If your router doesn't support that functionality you have to use option 2.

or,

2. Note, this method requires you to enter the IP address of your ISP DNS server(s) or you will not be able to navigate to the internet.
   a. Open your router administrator and reconfigure the range of IPs assigned by DHCP so that they go from say 192.168.1.10 - 30, that will make the devices in the network change their IPs once their lease expires to a number in the range you specified.

   b. Once the DHCP range is set go to your computer and (in windows) go to: Network and Sharing Center|Change Adapter Settings| and depending on how you connect do a right click on Local Area Connection or Wireless Network Connection and select Internet Protocol Version 4 (TCP/IPv4).

   c. You have two options, you can force the specific IP (192.168.1.1 in your case) or make it the preferred IP (in case you use a laptop and you connect to the internet in other places). If you want to force it, on the General tab change the option from Obtain an IP address automatically to Use the following IP address, where you will enter the desired IP. Usually the subnet will be filled automatically (255.255.255.0) and your default gateway will be the IP of the router (or 192.168.1.255 if I understood your case correctly). Below you will have to enter the DNS servers you found previously, note that some routers will act as a DNS server so you can enter the router's IP and it will work, but in many cases that will NOT work and you will need the DNS from your ISP.

Griffin NoName

Thanks.

I don't think it was using DHCP prior to all this.


Sibling Zono (anon1mat0)

It is certain that you were using DHCP, otherwise you would've had to set the IP for every single device you connected to your network.

Griffin NoName

Oh. Hmmm. This is all so annoying.


Bob in a quantum-state-of-faith

Quote from: Sibling Zono (anon1mat0) on June 08, 2013, 07:22:07 AM
It is certain that you were using DHCP, otherwise you would've had to set the IP for every single device you connected to your network.

Oh, the days back-when, I was using Win 3.1.1 as an ad-hoc networking engine.  We'd fire that puppy up (pre-internet) to move files from one PC's hard drive to the next, typically to the one with the tape drive, for weekly archival duties.

I do remember asking about DHCP not long after that... and I also remember manually setting up the ISP addys on my networks.  This was when we finally migrated to Win95, as I recall.

That all takes me back.

Bluenose

Griff, could you run "ipconfig /all" from an elevated command prompt and post the results here?

If you're running Windows7 you'll need to click on the start menu, type command in the search box then right click on the command prompt entry in the search results then select "run as administrator" to get an elevated command prompt.
Myers Briggs personality type: ENTP -  "Inventor". Enthusiastic interest in everything and always sensitive to possibilities. Non-conformist and innovative. 3.2% of the total population.

Griffin NoName

Running Vista Business SP 1

Windows IP Configuration

  Host Name . . . . . . . . . . . . : Laptop0908
  Primary Dns Suffix  . . . . . . . :
  Node Type . . . . . . . . . . . . : Hybrid
  IP Routing Enabled. . . . . . . . : No
  WINS Proxy Enabled. . . . . . . . : No
  DNS Suffix Search List. . . . . . : home

Wireless LAN adapter Wireless Network Connection:

  Connection-specific DNS Suffix  . : home
  Description . . . . . . . . . . . : Intel(R) WiFi Link 5100 AGN
  Physical Address. . . . . . . . . : 00-16-EA-25-D2-54
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes
  Link-local IPv6 Address . . . . . : fe80::b968:2548:c6f2:70c1%11(Preferred)
  IPv4 Address. . . . . . . . . . . : 192.168.1.81(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Lease Obtained. . . . . . . . . . : 10 June 2013 22:10:57
  Lease Expires . . . . . . . . . . : 12 June 2013 16:31:17
  Default Gateway . . . . . . . . . : 192.168.1.254
  DHCP Server . . . . . . . . . . . : 192.168.1.254
  DHCPv6 IAID . . . . . . . . . . . : 369104618
  DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-10-75-E9-6E-00-1A-80-D6-AA-0A
  DNS Servers . . . . . . . . . . . : 192.168.1.254
  NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Intel(R) 82567LM Gigabit Network Connection
  Physical Address. . . . . . . . . : 00-1A-80-D6-AA-0A
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : isatap.{EA854BEC-15D0-40B1-B9F6-E093D1B667C7}
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix  . : home
  Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 17:

  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : 6TO4 Adapter
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 14:

  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
  Physical Address. . . . . . . . . : 02-00-54-55-4E-01
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes


Incidentally, have run ipconfig /release ipconfig /renew - about a week ago now.
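
Added example (not part of the thread and not written by any poster): a Python parser for `ipconfig /all` output like the listing above, reporting whether the adapter's address is DHCP-assigned and what role the busy peer 192.168.1.254 plays for it. The names `parse_ipconfig` and `triage_peer` are made up for this illustration, and the sample is a trimmed copy of the posted output.

```python
import ipaddress
import re
# Trimmed excerpt of the `ipconfig /all` output posted above.
SAMPLE = """\
Wireless LAN adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.81(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
   DHCP Server . . . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : 192.168.1.254

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   DHCP Enabled. . . . . . . . . . . : Yes
"""

FIELD = re.compile(r"^\s+([^.:]+?)[ .]*: ?(.*)$")

def parse_ipconfig(text):
    """Return {adapter name: {field: value}} from `ipconfig /all` text."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {})
        elif current is not None:
            m = FIELD.match(line)
            if m:  # continuation lines (extra DNS servers) are skipped
                current[m.group(1).strip()] = m.group(2).strip()
    return adapters

def triage_peer(adapter, peer):
    """Report what role `peer` plays for one adapter, per its own config."""
    ip = adapter.get("IPv4 Address", "").split("(")[0]
    if not ip:
        return {"connected": False}
    net = ipaddress.ip_network(f"{ip}/{adapter['Subnet Mask']}", strict=False)
    peer_ip = ipaddress.ip_address(peer)
    return {
        "connected": True,
        "address": ip,
        "dhcp_assigned": adapter.get("DHCP Enabled") == "Yes",
        "peer_on_lan": peer_ip in net,
        # In a 255.255.255.0 network the .255 address is broadcast, not a host.
        "peer_is_broadcast": peer_ip == net.broadcast_address,
        "peer_roles": [k for k in ("Default Gateway", "DHCP Server", "DNS Servers")
                       if adapter.get(k) == peer],
    }

if __name__ == "__main__":
    for name, fields in parse_ipconfig(SAMPLE).items():
        print(name, triage_peer(fields, "192.168.1.254"))
```

A peer that comes back as gateway, DHCP server and DNS server at once is the router itself, so the remaining question for the port 8000 traffic is which local process owns the connection.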