Possible hidden network traffic

[liderbug]

Starting here because I don't where else to start. We have a 12M Qwest DSL line, PK5000. There is my computer, Linux FC13, my wife's computer M$ W7. I can run the Qwest DSL Speed test and get 10+ (ok, I'm getting shortchanged but I'll take that up with them). After a minute or two when my wife boots her computer she starts eating up 40% of the bandwidth. Her light on the PK5000 is non-stop running. When I run the speed test I get 6.2 - step over and unplug her cable and I get 10.2. She has AVG, MalwareBytes and Windows Defender running but I'm concerned she's been hijacked and is pumping spam. My tcpdump shows a lot of sher.ssdp > 239.255.255.250.ssdp traffic. Google doesn't seem to think it's a big deal. And it seems that when her computer is in use the bandwidth is ok - then about a minute (or 2) later(idle) ... here we go again. I just loaded ettercap but so far it doesn't show what is causing here light to run so hard. Advise?
Thanks
Chuck

[AndrewSerk]

If you have two network cards in your F13 box you could put your F13 box between the DSL modem and your MS7 box and use wireshark to capture packets and see what is being transferred.

[William Haller]

Is it possible that at boot her computer is downloading all the new AVG, and the like updates as well as checking for W7 updates and is thus network intensive for a bit? I'd go with the gateway test Andrew Serk mentioned and run wireshark to see what is really going on.

[stevea]

If you don't have a second enet ofr a hub (not switch), then put wireshark on the Win PC and "shark" the packets. You want to see what is happening.

[liderbug]

I think I've got it fixed - time will tell.

239.255.255.250 SSDP NOTIFY - the only traffic on the her box - over & over & over.....

1. Start Registry Editor (Regedt32.exe).
2. Locate and click the following key in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\DirectPlayNA THelp\DPNHUPnP
3. On the Edit menu, click Add Value, and then add the following registry value:
Value name: UPnPMode
Data type: REG_DWORD
Value data: 2 ---- although another page said set to 0 so I did
4. Quit Registry Editor.

at least it "seems" to be a whole lot better.

Thanks for the wireshark - it did the trick.