Have you checked the other computer, it might be a pull from that machine from this server.

Or

Write a cron job that pushes the output of ps to a file so that you can track out what process executes on the server at that time.

Yeah, I checked the XP machine and didn't find anything. I even wiped it and reloaded the machine just in case I happened to miss anything. The problem still occurs.

unSpawn, I did investigate the XP machine prior to wiping it. I didn't see anything on there scheduled to pull anything from that server. I wiped it and installed a base image used by hundreds of computers here to effectively say "if i did miss anything in my investigation, it is gone now". The motherboard and therefore on-board nic were even replaced as well.

My next guess step would be to look in to FTP logs or ssh logs.

I did the following on /var/log and i only get one result, real names substituted. should I be doing the same command in other places to find out?

[root@servername log]# grep -r computername *
Binary file wtmp.1 matches

My intention of going in to the logs is to see who tries to communicate with server, as the most probable way of data transfer could be ftp or scp.

Some good, solid information coming out now; you've really been working on this. Just to complete the set, can you change the name of the workstation? Give another workstation the same name? It sounds as if you've already covered all the other variations on the workstation side.

Regards "I'm not sure how to identify the processes that could be doing this", that's not a problem; we can work through it. Are you on site when the transfers are happening? Meaning is this something we have to automate or will it be done interactively?

From the sound of it, this problem is important but not urgent so we can move steadily on it, no rush ... ?

So what I did wouldn't tell me that? I thought it would, but maybe not.

Yeah, I tried troubleshooting with everything I knew before I posted here. I read a lot of posts on here where someone doesn't even try before posting, I know how that's irritating on some windows forums I help out on.

I think I might give Wireshark a go tonight since I didn't set it up right on Friday, then after looking at that info, will try renaming it to see what happens. I'd love to know what kind of traffic is going and I'm afraid if i rename it now i won't capture that tonight.

The transfers are happening when i'm offsite, and hopefully sleeping, its on a computer the late crew uses. You are right, important but not urgent, its been happening for over a year, which was before I started working here, so they can live with it for a while longer haha.

Interesting. It might be worth using the "last" command to see what grep found. From memory: If there's too much output, cut it down with

We don't know if it is data (=file) transfer yet; we only know it is network traffic.

When i did the last command, i get the following


but that username isn't who uses that workstation, its someone who uses another xp workstation, but they also have an ssh account on the server as well. I'm not sure what that file is for or what it shows.

and also, i just noticed the date, its from over a month ago.

Also, because its showing the ComputerName in there of that workstation, does that mean it was the actual computer name at that time, or just whatever the IP is resolving to now? I'm wondering if that other user really made an SSH connection from this problem workstation, or if he did it from an IP that's changed because of DHCP but is now resolving to the IP of that problem machine by coincidence?