If you happen to be in close proximity to the machine in question, I recommend making a quick trip to check its network cable. Try pushing the RJ-45 connector onto the network cable more tightly, and see if there is play in the connector. When you think of a loose RJ-45 connector, it's easy to think of a connection that doesn't work at all. However, I've seen countless examples of a loose connector making partial contact with the cable, causing the machine to flood the network with retries.
One of the offices where I used to work was especially notorious for having this problem. Many of the employee's jobs required them to store lots of data on paper. Since storage space was tight, several employees would box up forms and place them under their desks. Often the boxes would sit on top of the network cable. Over time, the action of kicking the boxes or stacking additional boxes would pull on the network cable, causing it to become loose from the RJ-45 connector. If you work in such an environment, this should be one of the first things you check.
Look for malformed packets
Take another look at the data you captured earlier from your protocol analyser. You can learn a lot about the problem by examining the captured packets. For example, many protocol analysers have a mechanism that allows you to count malformed packets. While it's normal to have the occasional malformed packet, there's no way that a healthy machine should be spewing out large numbers of them. Generally, if a machine is generating lots of malformed packets, one of two things is occurring: either the network card is malfunctioning, or there's a Trojan infecting the machine and it's trying to use malformed packets in a denial of service attack against your network.
Of these two scenarios, a malfunctioning network card is much more likely to be the culprit than a Trojan -- assuming you have good network security in place. However, there are ways of finding out which is the culprit. One way is to make a Remote Installation Service (RIS) boot disk and boot the machine from it. When you boot your machine from a RIS boot disk, it will try to attach to a RIS server and allow you to remotely install an operating system.
For this particular test, you aren't interested in remotely installing an operating system. Instead, the RIS boot disk just provides you with a way of booting a network requestor outside of the operating system. When the machine has been booted from the RIS boot disk, you can check the protocol analyser again. If the machine is still sending out lots of malformed packets, you can be sure that the network card is either bad or needs to be reseated. If the malformed packets stop, then something in the operating system is causing the malformed packets. If this is the case, you should scan the machine with a pestware removal tool such as Lavasoft's Ad-Aware.
Check the port number
What if the machine is flooding the network with legitimate packets rather than malformed packets? You can use information within the packet to help figure out what's happening. For example, if you notice that most of the packets are being sent through ports ranging from 550 to 5503, there's a good chance that the user has installed Hot Line, a peer-to-peer file sharing program. If the data is flowing across port 5631, the user probably has a PC Anywhere session going on. If you go to the Internet Assigned Numbers Authority Web site, you can find a list of the various ports.
The port number isn't your only clue to determining the source of the problem. Check out the destination address. Is it internal or external? If the address is internal, it might be fairly easy to figure out who the machine is trying to communicate with and what the user is trying to do. If the address is external, you may have to use the port number to track down the trouble spot.
Monitor activity as a last resort
If you've determined that the issue is definitely software-related, but you aren't sure if the user is doing something or if a Trojan has made it into the system, the best advice I can give you is to keep an eye on the user. You might try using a remote control session to monitor the user's activity. There are several good programs out there that will allow you to watch users without them knowing that they're being watched, although you will need to make sure this monitoring is in line with company policies.
If the user doesn't seem to be doing anything wrong, you'll probably have to scan the machine for viruses and other forms of malware to resolve the problem. If you suspect that a virus may be to blame, it's important to take care of the problem quickly before it spreads to other PCs.
