Firewall – Determine What Process is Generating Network Traffic (Windows Server 2003)

Tags: firewall, network-monitoring, print-server, snmp, wireshark

I've got a print server in our Windows 2003 domain with a lot of print queues on it. We are seeing a significant amount of SNMP scans coming from this server which we think are unnecessary. Everything related to the print server itself is functioning fine, but the network team would like the scans to stop.

We can see the scans as they happen on the switch. I have installed Wireshark and can see the scans happen as well. I can see programs that are listening for connections via things like CurrPorts.

This server has had several maintainers over the years. There are residual drivers and things that don't need to be there. Unfortunately I can't do anything too drastic to clean things up or clean install the server because it is our primary print server our network relies on. We have plans to replace it within the next year or two.

So my question is:

How can I pinpoint which program/process on the Windows 2003 server is generating the SNMP scans?

Best Answer

I'd strongly suspect that the Print Spooler service (spoolsv.exe) is doing this because it's probably configured to do so. W/o a deeper description of the traffic (subnet-wide probes, or queries directed at individual printer devices) it's difficult to say. My gut says that if you examine the "Configure Port" properties of any "Standard TCP/IP Port" entries in the "Ports" tab of the "Server Properties" of the "Printers and Faxes" dialog you'll find out that "SNMP Status Enabled" is checked.

Failing that, using "netstat -b" or "netstat -o" is the way to go, though with SNMP being what it is the sockets are probably going to close so quickly that you'll have trouble catching them.

Edit:

Here's that script.

@echo off
rem Query for all Standard TCP/IP Ports (skipping the first returned value, which 
rem is the "/Ports" key

FOR /f "skip=1 usebackq delims=" %%i IN (`reg query "HKLM\System\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports" ^| find "HKEY_LOCAL_MACHINE"`) DO (

  rem For each port, disable SNMP
  REG ADD "%%i" /v "SNMP Enabled" /t REG_DWORD /d 0 /f >NUL 2>NUL
)
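The answer notes that the SNMP sockets close too quickly to catch with a single "netstat -b". One way around that, as an added example that is not part of the answer above or of any Microsoft tool, is to join two things you already have: the source port of each SNMP request as exported from the Wireshark capture, and the local UDP endpoints listed by "netstat -ano" (taken repeatedly while the scans run), which carry the owning PID; "tasklist /fo csv /nh" then turns the PID into an image name. All inputs below are constructed samples in the Windows Server 2003 output format; the process names and PIDs in them are assumptions for illustration only. The collection commands run on the 2003 box, the correlation can run anywhere Python 3 does.

```python
"""Attribute captured SNMP requests (UDP/161) to the Windows process that sent them.

Added example, not from the original answer. Assumes:
  * CAPTURED_UDP: (source_port, destination_port) pairs exported from a Wireshark
    capture of the server's outbound UDP traffic (constructed below), and
  * the text output of `netstat -ano` and `tasklist /fo csv /nh` (constructed below).
The join key is the server-side ephemeral UDP source port: the capture shows it
as the packet's source port, netstat -ano lists it as a local UDP endpoint with a PID.
"""
import csv
import io
import re
from collections import Counter

SNMP_PORT = 161

# Constructed sample: UDP packets leaving the print server, as they would appear
# after exporting the udp.srcport / udp.dstport columns from Wireshark.
CAPTURED_UDP = [
    (3045, 161),
    (3045, 161),
    (3045, 161),
    (1026, 53),   # a DNS query, not SNMP; must be ignored
    (3902, 161),
]

# Constructed sample of `netstat -ano` output (Windows Server 2003 layout:
# UDP rows have an empty State column, TCP rows carry one).
NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    10.1.2.5:445           10.1.2.77:1123         ESTABLISHED     4
  UDP    0.0.0.0:161            *:*                                    1288
  UDP    10.1.2.5:3045          *:*                                    1524
  UDP    10.1.2.5:3902          *:*                                    2208
"""

# Constructed sample of `tasklist /fo csv /nh` output; "vendormon.exe" is an
# assumed name standing in for a residual vendor port-monitor process.
TASKLIST_CSV = '''"System","4","Console","0","236 K"
"svchost.exe","876","Console","0","4,512 K"
"snmp.exe","1288","Console","0","3,900 K"
"spoolsv.exe","1524","Console","0","8,120 K"
"vendormon.exe","2208","Console","0","2,340 K"
'''

# Proto, local addr:port, foreign addr:port, optional State (letters only, so it
# can never swallow the PID column), then PID.
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Return {(proto, local_port): pid} from one or more netstat -ano snapshots.

    Snapshots may simply be concatenated; later rows overwrite earlier ones
    for the same endpoint, which is what we want when polling repeatedly.
    """
    sockets = {}
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, _laddr, lport, _faddr, _state, pid = m.groups()
            sockets[(proto, int(lport))] = int(pid)
    return sockets


def parse_tasklist(text):
    """Return {pid: image_name} from `tasklist /fo csv /nh` output."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def attribute_snmp_traffic(packets, netstat_text, tasklist_text):
    """Count SNMP requests per owning process.

    Only packets to UDP/161 are considered. A source port that no netstat
    snapshot caught is reported under an explicit UNKNOWN bucket rather than
    silently dropped, so you can see how much polling missed.
    """
    sockets = parse_netstat(netstat_text)
    names = parse_tasklist(tasklist_text)
    hits = Counter()
    for sport, dport in packets:
        if dport != SNMP_PORT:
            continue
        pid = sockets.get(("UDP", sport))
        if pid is None:
            hits["UNKNOWN (port closed before netstat ran)"] += 1
        else:
            hits["%s (PID %d)" % (names.get(pid, "?"), pid)] += 1
    return dict(hits)


if __name__ == "__main__":
    for proc, count in sorted(attribute_snmp_traffic(
            CAPTURED_UDP, NETSTAT_ANO, TASKLIST_CSV).items()):
        print("%-45s %d SNMP requests" % (proc, count))
```

On a live server, loop "netstat -ano" into a file every second or so for the duration of the capture and feed the whole file to parse_netstat; because the spooler reuses a source port for a burst of queries, even coarse polling usually catches it. If most requests land in the UNKNOWN bucket, the sockets really are too short-lived for netstat and the registry check in the answer above (the "SNMP Enabled" value under each Standard TCP/IP Port) is the quicker route.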