Excessive traffic between AD server and PC stations on port 445

Question

Excessive traffic between AD server and PC stations on port 445

Richard Eduardo Sánchez Castro 26

We have about 250 coputers conected to our AD server, GPOs an authentication are aplied.

As shown on picture, while monitoring traffic on server, it sends about 500000 B/s to many hosts, about 15 of them.

I run a netstat on server it show that connections are stablished on port 445

When monitoring on my firewall all the traffic from my server 192.168.1.9 its ends up being a lot 416GB from 3 days.

Here goes the question. Is it a normal behaivor from my AD server. Can I anyway reduce this traffic?

Accepted answer

3 additional answers

Your answer

Answer 1

Gary Reynolds 9,621

Hi @Richard Eduardo Sánchez Castro

With the level of information provided, it's difficult to be able to confirm if this is normal or not. However, here are a few points that might help.

The port 445 is for CIFS\file access, and as this is the DC, it's likely to be DFS\File share access. It's normal for a workstation to talk to the DC, as they will read the sysvol share when applying GPOs. The Computer Management console is able to provide some limited information on the sessions and files that are currently being accessed.

As for the 416GB transferred over three days, it hard to say if this is normal or not, it depends on the network topology, and the workstation workloads. It could be backup traffic, files access, patching or any number of reasons. Without a breakdown of the traffic based on source and target addresses and ports it difficult to know what this is. If you want to get more details, check if the firewall provides more details on the traffic type, with source and target information or use a network capture software such as Wireshark to get more info.

Is the volume of network traffic causing any issues, if not, and the server is working OK, I wouldn't be to concerned based on the information provided.

Gary.

Richard Eduardo Sánchez Castro 26 Reputation points

2022-02-17T20:19:38.227+00:00

Dear Gary, thanks for answer, in our case we dont push any automatic updates via GPOs, or any patching. The only shares we have on the AD server are related to wallpaper and screensaver. Server is working ok but I had the concern just in case it could cause some problee. If it's posible for you to check, I posted some captures on the ansewr from "LimitlessTechnology-2700 " related with my network share. Thank you.
Gary Reynolds 9,621 Reputation points

2022-02-17T21:42:30.277+00:00

From the details provided, I don't think there is anything to worry about. If you want to reduce the traffic to the domain controller and the attack surface and you have another server, you might want to think about moving the Fondo_Pantella share to another server.

Gary.
Gary Reynolds 9,621 Reputation points

2022-02-22T19:49:11.953+00:00

Hi

Just checking if there is any progress or update on this one?
Richard Eduardo Sánchez Castro 26 Reputation points

2022-02-24T14:28:51.977+00:00

Thanks for the feedback, I'll try moving the share to another server. So just to be clear everytime a computer "reads" the wallpaper GPO, it actually consumes traffic equal to the wallpaper size (for example 0,5 Mbs).?
Gary Reynolds 9,621 Reputation points

2022-02-25T14:14:31.68+00:00

It will depend on how you have set-up the GPO to push the screensaver, but yes that is possible.

Gary.
Aditya Mesta 0 Reputation points

2023-04-27T15:03:42.2066667+00:00

Hi Gary,

Glad that I found your answer. I am facing similar issue. In my firewall report, I see atleast 5-10 new machines everyday, with high network utilisation(smbv3 traffic) of 3-5gb per day. These are normal machines and users cannot install any software. No high utilisation on any machine on Sunday.

Wireshark trace on PDC to the client doesn't show traffic to AD but shows other TCP, SMB2 and looks normal. Did procmon, AV logs check, EV logs (smb) check - nothing could identify the issue. In Computer management on server, I see multiple users with about 250+ gpo policies related files opened.

What could be the possible reason and how to resolve it. Thanks in advance.

Answer 2

Limitless Technology 39,931

Hello @Richard Eduardo Sánchez Castro

The port 445 is commonly used by modern SMB traffic stack. If you have 250 computers, it doesn't sound strange to have 15 connections open (6%). It it highly depends from the access to shares in the .9 server and kind of data. For example is not the same if they edit Excel files, rather than they edit 4K video. My suggestion besides that, would be from the server to open Computer Management window, expand the System Tools on the navigation panel from the left, and then select Shared Folders. There you will find 3 folders:

Shares: Where are connections
Sessions: Who is connected
Open files: What is connected

This may give you additional insight of the Share usage and explain the traffic.

Hope this helps with your query,

---------
--If the reply is helpful, please Upvote and Accept as answer--

Richard Eduardo Sánchez Castro 26 Reputation points

2022-02-17T19:58:47.42+00:00

Thank's for reply.

Dear LimitlessTechnology-2700, the AD server doesn´t works like a file server where users share files and folders, however we push a wallpaper and a screensaver through GPOs. I share a screen of shared resources.

I also checked opened files section and there are a lot of open files releted to wallpaper andscreensaver.

In our AD server we havo some other GPOs related with user authentication, blocking external devices, but nothing related with windows updates via the AD server.

I would apreciate any sugestion.
vinod priya 5 Reputation points

2023-02-24T16:24:56.2833333+00:00

did u able to reslove this matter , We are facing the same

Answer 3

stay puft 226

my ¢2

you can add a switch to net stat -abo for the exe and PID, then use procmon.exe to find out exactly what they are doing.

Richard Eduardo Sánchez Castro 26 Reputation points

2022-02-24T14:31:31.927+00:00

Thank you, I'll try to check it that way.
vinod priya 5 Reputation points

2023-02-24T16:24:04.8266667+00:00

Did ua ble to resolve this

Answer 4

vinod priya 5

Hi @Richard Eduardo Sánchez Castro Did u find sloution, im facing the same issue.

Richard Eduardo Sánchez Castro 26 Reputation points

2023-04-27T16:09:35.06+00:00

@vinod priya After some research and based on comments by @Gary Reynolds this behavior on the network in my case was produced because I push a wallpaper and screensaver through a GPO, so the excesive traffic is produced on port 445 by those shares, so I conlude its a normal. You can try to move the shares to another server as recomended or install some netflow monitoring on your network so you can keep track on it.

Share via

Excessive traffic between AD server and PC stations on port 445

3 additional answers

Your answer