Identifying the Source of the Traffic

A couple of days ago I was assisting a friend in troubleshooting the infamous 5783 that was causing the authentication prompt issue that we all know about. In this case the problem was happening throughout the night, which was even odder because during the day, when the traffic was really high, the issue wasn’t happening. The employees on the third shift (no more than 20 of them) were receiving authentication prompts randomly.

The question was: how do we get data on this type of case? We don’t know what time it occurs and we don’t have IT people there at that time to collect data. We installed a tool called Port Reporter, which runs as a service and collects pretty much all the information about each process and which port it is using during that time. Read https://support.microsoft.com/kb/837243 for more information on how to use this amazing tool.

It boiled down to this: the issue was a piece of malware on those workstations that was sending tons of requests to an external URL and drastically affecting ISA Server’s performance.
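
The triage step described above can be scripted once per-process connection records have been collected unattended. The following is an added example, not code from the original post or from Port Reporter: it counts outbound connections per workstation, process and remote endpoint during the night shift and returns the heavy hitters. The CSV column layout, host names, process names and addresses are constructed for illustration and are an assumption, not Port Reporter's actual log format.

```python
import csv
import io
from collections import Counter
from datetime import datetime, time

# Constructed sample data. The column layout is an assumption made for this
# example and is NOT Port Reporter's actual log format.
SAMPLE_LOG = """\
timestamp,host,process,pid,protocol,remote_ip,remote_port
2010-03-02T14:05:11,WKS-07,iexplore.exe,2210,TCP,203.0.113.10,80
2010-03-02T23:10:01,WKS-07,updsvc32.exe,1844,TCP,198.51.100.25,80
2010-03-02T23:10:02,WKS-07,updsvc32.exe,1844,TCP,198.51.100.25,80
2010-03-02T23:10:03,WKS-07,updsvc32.exe,1844,TCP,198.51.100.25,80
2010-03-03T01:42:17,WKS-07,updsvc32.exe,1844,TCP,198.51.100.25,80
2010-03-03T01:42:18,WKS-12,updsvc32.exe,3012,TCP,198.51.100.25,80
2010-03-03T01:42:19,WKS-12,updsvc32.exe,3012,TCP,198.51.100.25,80
2010-03-03T01:42:20,WKS-12,updsvc32.exe,3012,TCP,198.51.100.25,80
2010-03-03T02:15:40,WKS-12,outlook.exe,2788,TCP,203.0.113.44,443
2010-03-03T03:00:00,WKS-12,outlook.exe
"""

def in_window(ts, start, end):
    """True if ts falls inside the window; handles windows crossing midnight."""
    t = ts.time()
    return start <= t < end if start <= end else (t >= start or t < end)

def top_talkers(log_text, start=time(22, 0), end=time(6, 0), threshold=3):
    """Count connections per (host, process, remote_ip, remote_port) inside
    the time window; return entries at or above threshold, busiest first."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            ts = datetime.fromisoformat(row["timestamp"])
            port = int(row["remote_port"])
        except (KeyError, ValueError, TypeError):
            continue  # skip malformed or truncated lines
        if in_window(ts, start, end):
            counts[(row["host"], row["process"], row["remote_ip"], port)] += 1
    return [(key, n) for key, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    for (host, proc, ip, port), n in top_talkers(SAMPLE_LOG):
        print(f"{host} {proc} -> {ip}:{port} ({n} connections)")
```

The same process name contacting the same external endpoint from several workstations during the quiet hours is the pattern worth chasing first.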