http://www.ISAserver.org
-------------------------------------------------------

Hi Jim,

I ran Defender and Spybot Search & Destroy on the workstation and both came up clean (apart from VNC). The workstation is fully patched and is running Trend CSM. Personally I'd send you the capture in a second, but the owner is paranoid (I think that's the right word). If I haven't figured it out soon I may have to admit defeat and rebuild the workstation. That's not the problem though: if he "wins", I'm going to have to remove the FWCs, and I don't want to go there. Thanks for the gut feeling though, I'll carry on this track for a bit longer.

Hi Tom,

If any user in the domain sends this user an email, it takes around 5 minutes to get to this user. If anyone sends an email to a distribution group that this user is a member of, everyone else has received the email (and received their cup of tea ;-) by the time this user gets the email.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: 17 November 2006 16:50
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Help reading an ethereal capture

This smells more like malware than anything else.
Mind sending the whole capture? You can send to me privately if you want. MS NDA applies, of course.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve diMascio
Sent: Friday, November 17, 2006 08:46
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Help reading an ethereal capture

I'm trying to solve a problem I'm having with one of my workstations that intermittently takes ages to receive email, even from local users (around 5 minutes anyway). The company owner thinks it's a firewall client issue, as he never used them in the past but since I installed the FWC on every workstation this has happened (only to one of the workstations) - that's the whole of his "theory". I don't think it's a FWC issue, but since I haven't been able to give a definite reason, or prove it's not the FWC, he's sticking to his "theory".

It's an SBS2k3 network: 40 workstations, 2 member servers (1 is VoIP, the other a TS). Obviously Exchange and ISA are on the SBS box, although I'm planning on moving ISA to its own hardware over the Christmas break.

I've taken a network capture but am pretty useless at reading them. So I compared the capture to a capture taken on a working desktop, and the only difference I can see between them is that the one that doesn't work has hundreds of lines like this:

    Source 10.0.0.135 Destination 0.0.0.0 Protocol TCP Info 33037 > 0 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0

There are literally hundreds of these in a 6 minute capture. The frame number goes up by 1 and the source port changes randomly (seemingly). I've searched Google but haven't found anything that tells me what this traffic is.

Can anyone point me in the right direction, or have any good references for reading Ethereal captures?
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites: http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
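
Added example, not part of the original thread: a small Python triage script for the comparison described in the first post (a suspect capture against one from a working desktop). It assumes both captures were exported from Ethereal as plain-text summary rows (No., Time, Source, Destination, Protocol, Info); the sample rows are constructed, and only 10.0.0.135 and the shape of the RST line are taken from the post.

```python
import re
from collections import Counter, defaultdict

# Summary row of a text export: No. Time Source Destination Protocol Info
ROW = re.compile(
    r"^\s*\d+\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]+)\]")

def parse(text):
    """Return one dict per TCP summary row; other lines are skipped."""
    rows = []
    for m in filter(None, map(ROW.match, text.splitlines())):
        row = m.groupdict()
        row["time"] = float(row["time"])
        row["flags"] = tuple(sorted(f.strip() for f in row["flags"].split(",")))
        rows.append(row)
    return rows

def null_resets(rows):
    """Per source host: RST segments addressed to 0.0.0.0, port 0."""
    hits = defaultdict(list)
    for r in rows:
        if "RST" in r["flags"] and (r["dst"], r["dport"]) == ("0.0.0.0", "0"):
            hits[r["src"]].append(r)
    report = {}
    for src, rs in hits.items():
        span = rs[-1]["time"] - rs[0]["time"]  # rows are in capture order
        report[src] = {"count": len(rs),
                       "source_ports": len({r["sport"] for r in rs}),
                       "per_minute": round(len(rs) * 60 / span, 1) if span else None}
    return report

def only_in_suspect(suspect, baseline):
    """Count (dst, dport, flags) patterns absent from the baseline capture."""
    sig = lambda r: (r["dst"], r["dport"], r["flags"])
    known = {sig(r) for r in baseline}
    return Counter(sig(r) for r in suspect if sig(r) not in known)

# Constructed sample rows; only 10.0.0.135 and the RST line shape come from the post.
SUSPECT = parse("""\
No. Time     Source     Destination Protocol Info
  1 0.000000 10.0.0.135 10.0.0.2 TCP 1061 > 135 [SYN] Seq=0 Len=0
  2 0.500000 10.0.0.135 0.0.0.0 TCP 33037 > 0 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
  3 1.000000 10.0.0.135 0.0.0.0 TCP 41822 > 0 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
  4 2.500000 10.0.0.135 0.0.0.0 TCP 17405 > 0 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
""")
BASELINE = parse("  1 0.000000 10.0.0.140 10.0.0.2 TCP 1055 > 135 [SYN] Seq=0 Len=0\n")

if __name__ == "__main__":
    print(null_resets(SUSPECT))
    print(only_in_suspect(SUSPECT, BASELINE))
```

The per-host count, number of distinct source ports and rate give a concrete figure to set against the baseline capture; they do not identify which process on the workstation emits the segments.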