Network activity can happen for many reasons from expected to benign to malicious. There are free tools that allow you to easily see what's happening.

How can I tell what internet activity is happening on my machine?

With machines being more or less continuously connected to the internet these days it's easy to find that there are things going across your wire that perhaps you didn't realize or think about. Add malicious and semi-malicious code into the mix such as viruses and spyware, and understanding what's going on becomes even more important.

The good news is that there are tools, both included with Windows, and available for free on-line, that make monitoring your network fairly easy.

Most tools that come with Windows are command-line tools so you'll need to open up a Command prompt. We'll start first by determining the IP address of the machine you're currently on - that information will help you identify your own machine in some of the other tools later on. Type "ipconfig" and you should get output similar to this:

Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.107
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

The IP address here is 192.168.1.107. Note: because I use a NAT router as my firewall, that 192. address is not an actual address on the internet. That's part of the security a NAT router provides: using NAT, your IP address is specific to your local network, and only the router actually sees your "real" internet address.

Netstat is a simple tool that will show you the currently open TCP/IP (internet protocol) connections. Type "netstat" and you should get output something like this:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    LEO:1051               205.188.10.56:5190     ESTABLISHED
  TCP    LEO:1059               hal-m021c.blue.aol.com:5190  ESTABLISHED
  TCP    LEO:2387               baym-cs115.msgr.hotmail.com:1863  ESTABLISHED
  TCP    LEO:4357               192.168.1.2:3389       ESTABLISHED

"LEO" is the name of my machine which as we saw above has the IP address 192.168.1.107 on my local network. The two lower entries here show connections to aol.com (I'm running AIM, AOL's Instant Messenger) and to msgr.hotmail.com (I'm also running MSN Messenger). The other two connections identified by only an IP address remain a mystery for the moment.
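As an added example (not part of the original article), this Python sketch parses netstat output in the column layout shown above and sorts each foreign address into a named host, a bare public IP, or a private local-network address, so the connections that still need explaining stand out. The function and field names are this example's own; the sample text is the article's output.

```python
import ipaddress
from collections import namedtuple

# The netstat output shown in the article, embedded so the example runs offline.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    LEO:1051               205.188.10.56:5190     ESTABLISHED
  TCP    LEO:1059               hal-m021c.blue.aol.com:5190  ESTABLISHED
  TCP    LEO:2387               baym-cs115.msgr.hotmail.com:1863  ESTABLISHED
  TCP    LEO:4357               192.168.1.2:3389       ESTABLISHED
"""

# Field names are this example's own, not netstat's.
Conn = namedtuple("Conn", "proto local remote_host remote_port state kind")


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so '[::1]:445' also works."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def classify(host):
    """Say what kind of remote endpoint a netstat 'Foreign Address' is."""
    if host in ("*", ""):
        return "none"                      # UDP rows show *:* (no peer)
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "named"                     # netstat resolved it to a hostname
    if addr.is_unspecified:
        return "none"                      # 0.0.0.0 / :: on listening sockets
    if addr.is_loopback:
        return "loopback"                  # the machine talking to itself
    if addr.is_private:
        return "local-network"             # e.g. 192.168.x.x behind the NAT router
    return "public-ip"                     # bare internet address, name unknown


def parse_netstat(text):
    """Parse rows in the Proto / Local / Foreign / State layout shown above."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue                       # skip banner, header and blank lines
        remote_host, remote_port = split_endpoint(fields[2])
        state = fields[3] if len(fields) > 3 else ""
        conns.append(Conn(fields[0], fields[1], remote_host, remote_port,
                          state, classify(remote_host)))
    return conns


def unexplained(conns):
    """Connections whose peer is only an IP address and still needs identifying."""
    return [c for c in conns if c.kind in ("public-ip", "local-network")]


if __name__ == "__main__":
    for c in unexplained(parse_netstat(SAMPLE)):
        print(f"{c.local} -> {c.remote_host}:{c.remote_port} "
              f"[{c.kind}] {c.state}")
```

Run against the sample, it reports the two IP-only rows: one on the public internet and one on the local network.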

Now we'll move on to a freeware tool called TcpView from the folks at SysInternals. Download and run it and you'll get a window that shows you information very similar to netstat, except with much more detail and continually updated.

TcpView Screen Shot

Here you can see that the connections are listed alongside the running program that initiated the connection. TcpView also does a better job of name resolution, and we can see that our connection to AIM actually is using two TCP/IP connections, including one of the mystery connections from above. "msnmsgr.exe" is MSN's instant messenger as we saw above. And we now also see that the remaining connection is generated by an application called MSTSC.EXE, which is the Microsoft Terminal Services Client - also known as the Remote Desktop Client. I have a remote desktop connection to my laptop in another room and that's what this connection is all about.

So far we've only seen connections and not traffic. That's often enough to expose an application or spyware that's communicating over the net when you don't expect it.

This next tool will tell more about the conversations happening across those connections though it'll easily overwhelm you with data. TDIMon will show you every request being made across the network. It won't show you the data with each request but it will show you the application making it and a few other characteristics of the request.

When you run TDIMon you'll find that there's a lot of network activity even when you're doing nothing and even if you're not connected to the internet. "explorer.exe" will show up often, for example. This is because Windows will use the network to communicate not only across the internet but also with other machines on your local network and in some cases even with itself.

The best way to use TDIMon is to have it log its output to a text file, an option that's found on TDIMon's File menu. Run it for a little while collecting data and then stop it and examine the log file with a text viewing utility such as notepad. You can probably ignore all the extra network protocol specific information unless that's something that interests you. Just looking at which applications are making requests, and how many requests are being made, can help identify where your network traffic is coming from and perhaps some specific applications to investigate further.

Article C1877 - January 5, 2004

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

60 Comments
michael
January 6, 2004 4:38 PM

Leo love the tip, but was just wondering how I could get the ms-dos window to 'freeze' long enough that I can actually see it, it just blinks by real fast. What does one need to add to the ipconfig string entered in Run command to get it to pause?

LeoN
January 6, 2004 4:49 PM

Open a command prompt by either Start->Programs->Accessories->Command Prompt. OR Start->Run and then "cmd". Now that you have an open command prompt enter the command you want to execute. If the information scrolls off the top of the command prompt, add "| more" to the command - for example "netstat | more". The "more" program pages the output one screen at a time.

Leo

Vinod
March 12, 2004 9:03 AM

I keep getting an error message, "The operating system is not presently configured to run this application". I close the message box and the next one keeps popping up. I uninstalled some program from Add/Remove programs.
What is the fix?

Leo
March 12, 2004 9:18 AM

Hard to say. Is that *all* the message says? No clue as to the name of what it's trying to run? At this point the symptoms you describe are general enough that it could be a virus or spyware or something else. I'd certainly scan for viruses and spyware and see if that doesn't resolve the problem.

Leo

sateesh
April 2, 2004 12:42 PM

Excellent web site.. I feel I learnt a lot of stuff from you.
I have a question regarding this one. When I say netstat, I get all the ACTIVE CONNECTIONS.
They are either in the state of ESTABLISHED/CLOSE_WAIT.
Is there any way to close some of those connections.
Thx for your answer in advance

Leo
April 2, 2004 5:19 PM

Actually tcpview, mentioned in the article, seems to have this ability. Right click on one of the connections it shows, and one of the options is "close". FWIW, most of the CLOSE_WAIT should close of their own accord over time.

Enjoy,

Leo

frustrated
May 18, 2004 8:18 PM

Hi
I have Windows XP Home Edition running on Dell Dimension 4600 at home. I try to connect to Remote Desktop (Dell Optiplex with Windows XP Professional) at work using Remote Desktop Connection. I am able to connect to the remote desktop and see the desktop window, but the window is in a frozen state. I can't do anything. How can I fix this? Please help me.

thanks
frustrated

Michael Leon
June 17, 2004 6:19 AM

I keep receiving an error on my other IP protocol not recognize I connect to internet and in minute it goes off, please help!

Leo
June 17, 2004 8:13 AM

Sorry, but I don't understand your question.

andru m
June 26, 2004 11:48 AM

Leo, I've got explorer opening A LOT of connections to my own machine 0:0:0:0 and many others. Like on the order of 300 connections.
I'm sure this is a new virus, but no online checkers are able to snag it, and my own Freedom Virus Scanner hasn't caught it.
Any suggestions?
Thanks Andru

Leo
June 26, 2004 12:54 PM

That does sound suspicious. I'd run a spyware scan as well.

Rusty
November 16, 2004 6:18 AM

Excellent website.

Very helpful because the responses are translated
from geektalk, to plain english.

Thank you.

Rusty

mikemotorbike
November 22, 2004 9:19 AM

Is there any utility which tells what program is making the connection (I know, TDI does this rudimentarily)? TDI mon has identified a pgm, but it doesn't make sense: it's ZoneAlarm's own vsmon.exe, whose remote connection attempt is to a known spammer in mexico. I tried everything I can think to clean my system. (re-installing ZA, adaware, AV, blocking ports)(Blocking the IP in HW firewall arrests it, still, it bugs me!) Any tips?

mikemotorbike
November 23, 2004 10:08 AM

Re: above Q
Fixed!
Solution: Unchecked the Connect to PROXY I had been experimenting with in Internet Connection Settings before trying Firefox a few days ago!

The final straw was when Firefox Talkback applet used the mystery IP to connect (notified by ZoneAlarm). So I'm my own worst (enemy) hacker!

Search for rogue IP (as logged by ZA and TDImon) had revealed a known spammer, using that same Proxy! Processes configured to consult Windows Internet Connection Settings were using my self-configured proxy to connect to Internet.

Doh! Thanks for the use of your Forum, though. -m

Murali
August 4, 2005 8:44 PM

Can you please explain me uses of IP address and how can I connect a remote computer thru internet

Please do needful

Thanks
Await your reply

Krish
August 21, 2005 4:26 PM

Wanna know if I can get the IP address of the person who is chatting with me???

Rachel
August 22, 2005 1:25 AM

Leo - thanks for your site. Very interesting. I have a question for you. From home, I use a VPN to connect to the main network at work. Once I'm connected I have an RDP shortcut on my home desktop to connect to the computer in my office & other networks in the company. Once I get into the computer in my office I have more RDP shortcuts to different networks in the company. Tonight, I logged into my computer at work. Then when I clicked on one of the RDP shortcuts on my work desktop to connect to another network the screen froze (the particular network was down). I can't get back to my main desktop because the screen is frozen. When I try to close the RDP connection that's frozen, it closes the connection to my work desktop. All I'm getting is an hour glass. Right/click doesn't bring up any options & ctrl/alt/del just closes the whole connection. Any suggestions (short of driving down there & doing ctrl/alt/del)? Thanks! Rachel (Washington)

Leo
August 22, 2005 7:48 AM

Not really. I do something similar, and it's a pain when the remote computer has crashed or is hung. Fortunately I can call someone to reboot it.

I'd disconnect (or kill in task manager) the local remote desktop connection, and try to reconnect. I'm guessing that will fail, and you, or someone you trust, will need to examine the remote machine and see why it's not responding.

Rachel
August 23, 2005 11:15 PM

Thanks Leo. I appreciate it. I couldn't figure it out from home so I went in early the next day to reboot. Turns out two servers were down. IT worked on it until about 11am. That reminds me... I need to write a "down time procedure" so employees in my department know what to do when our computer system is down. thanks again.

Lenny Moore
November 25, 2005 5:54 AM

A few months ago I tried to certify my installation of Windows XP with Microsoft online. Things went bad. In any event, since that time I have not been able to download Media Center guide information b/c the software tells me an internet connection can't be established. This also happens with Windows "Automatic Updates". I connect to the internet via a cable broadband connection. Any idea? Need additional information?

wilson
January 4, 2006 6:55 AM

how to connect with other system thru internet

Alex D-L
January 31, 2006 11:05 AM

Is it possible to find someone's internet history (what pages they've visited) if you have their IP address?

gary
February 5, 2006 10:32 AM

When I run cmd, type in netstat, it doesn't show any connections, nor does tcpview. Any suggestions????

sharan
February 24, 2006 4:50 AM

Hi, I am Sharan. I have one doubt; I hope I will get the answer. In my office we are using a proxy server; it acts as a default gateway of internet. I am carrying a laptop along with me and I have to connect to the internet through a remote place. How can I connect to my proxy server?

abc
March 31, 2006 11:39 AM

Thanks Leo, your site really helps to understand what kind of security a person has...thanks for all the good work...hope you continue with all this!

nayan
April 4, 2006 3:40 AM

how to connect with other system thru internet
Is it possible to find someone's internet history (what pages they've visited) if you have their IP address?

When I am chatting with my friend in chat room, how would I know which IP he is using?

ana
May 25, 2006 12:23 AM

Hi, I have recently taken a broadband connection. I have Win 2000 Prof on my machine. I found that the number of packets sent were some 37,000 and the no. of packets received was some 900. Whereas both the numbers should be almost the same. Can you please tell me why is it and how could I overcome this?

Lou Gascon
July 22, 2006 4:25 AM

Whilst reading 'Why might my network icon show constant activity?' I was directed to this very interesting page, and went ahead with your suggestions above...
Your 2nd suggestion using 'netstat' to find Active Connections perhaps proved fruitful, as I had an entry there marked:
TCP ~ FIREFOX:1790 ~ XORN.AWABER.COM:HTTP ~ CLOSE_WAIT
There was also localhost in and out...!
So, why was XORN.AWABER.COM:HTTP marked there...? When I have SP2 firewall, Prevx1, Lavasoft Adaware & Adwatch, Spyware Blaster and Spyware Doctor all active and in my Front Line of defence…?
Interestingly, I had a gander at XORN.AWABER.COM and found an association with Go Daddy, and when I'm sifting through my red list at the email site of my ISP, and in order to keep certain email addresses listed, I take the trouble to put the URL into my browser and see perhaps who might be sending... and it is very often a site associated with Go Daddy ~ therefore, I associate sites put up with Go Daddy as spammers or similar moronic slimeballs.
However, I’m now ever so slightly confused, because I just went back to look again at the site and found something quite different…! [I am stupid!]
I had actually previously put in xorn.AWABAR.com and not aweBER.com ~ so sorry for the confusion…
But, in looking at XORN.AWABER.COM, I found that the page comes in Maxthon browser without any bells and whistles or images and yet in Firefox browser, it appears with all its glory…! Why should that be…? Or am I confusing the issue…!

Thanx in advance
Lou

Lou_Gascon
July 22, 2006 8:11 AM

Sorry Leo,
In my post above I quoted XORN.AWABER.COM:HTTP as the entry ~ perhaps I had one glass too many last night. It should have read: XORN.AWEBER.COM:HTTP ...!
Since then however, I am now also getting SPLEEN.AWEBER.COM:HTTP ...!
But, http://xorn.aweber.com/ and http://spleen.aweber.com/ bring up the same site...?
Lou

Leo A. Notenboom
July 22, 2006 12:16 PM

aweber.com is the email provider I use to send my newsletter. If you're subscribed, then it's likely that a connection was made to aweber - they do that to track how many people actually open the newsletter email. "CLOSE_WAIT" simply means that the connection, which is brief to begin with, is in the process of being closed.

Lou_Gascon
July 24, 2006 4:53 AM

Thanks mate...
God, I think I'm suffering from paranoia. think I'd better buy us both a Latte
Lou

Grace Acker
September 20, 2006 1:14 PM

I want to see what sites have been visited this past week, please. How can I find same?

Irv Raifman
October 8, 2006 10:45 AM

I would like my email address to be IrvRaifs@aol.com How can I get this done

David T
October 9, 2006 5:14 PM

Why does the IP address 192.168.1.107 keep trying to access my computer?

Leo Notenboom
October 9, 2006 5:18 PM

Good question. That's another machine on your *local* network. That IP address does not come from the internet.

Paula Decker
November 13, 2006 5:32 AM

Hello, When I run: netstat, I see: newkidonblock as the local machine name. Do I have a virus?

Laurel Sulca
December 5, 2006 6:39 PM

Hello! Have a nice day... If I got the IP address of the workstation of a computer, how can I disconnect it so that the next user can not of my computer for searching to the Internet. Can you give me a simple codes in using Visual Basic 6.0.

tl
January 20, 2007 10:31 AM

My ex has got my IP address; what can he do with this information? He has got into all of my Yahoo accounts and MySpace and changed my personal information. Someone told me that he can see everything I do on my PC. Is that true, and how do I stop him? Thanks, tl

Dee
February 4, 2007 5:36 AM

When I use the netstat at the command prompt, I get several responses that say in the foreign host column, "localhost:4568" (the numbers are always different). What is this?? I know what the other things that are running are, but not these, and it's making me nervous. Any help would be great.

Leo Notenboom
February 4, 2007 9:36 AM

Grab TCPView as outlined in the article. It'll tell you which processes have those connections.

Igor
March 3, 2007 9:01 AM

Using "ipconfig" typed in Run, I get a screen that flashes for a second or so and then disappears. What's going on with my machine?

Leo A. Notenboom
March 3, 2007 10:04 AM

Nothing. Your machine is acting normally.

Have a look at this article:
http://ask-leo.com/when_i_use_startrun_and_type_in_a_command_why_does_a_window_just_flash_and_disappear.html

Leo

Lucian
March 21, 2007 12:11 PM

When you type netstat you will see all connections, including those to instant message programs, windows update, etc, but if you see the ip, you can use http://www.ipgp.net to know if it is known or something wrong happens on your computer.

Isac
March 29, 2007 2:33 PM

I know my IP Address, but how can I figure it out without checking on the net, wanna figure it out myself? More than that, when I type ipconfig into the cmd window it shows my IP address, but that's not the address I get from the internet. Can someone explain please?

Leo Notenboom
March 29, 2007 7:14 PM

You're probably behind a router. Routers assign you a local
IP address, and then translate between that and your IP address
on the internet.

Leo

M.Murali
October 26, 2007 2:32 AM

It's very useful...

Jeff Cox
January 10, 2008 10:23 AM

This is a very useful article but I was stopped at the point where I need to download TDIMon. This utility is no longer available on Microsoft's site and is not included in the Sysinternals Suite. Is there an alternate download available please?

Jeff Cox
January 21, 2008 8:49 AM

Leo - the link to TDIMon is broken as per my previous post. Is there another location for this utility please?

Leo A. Notenboom
January 22, 2008 5:50 PM

Unfortunately I was unable to find an official location for
it - it seems to have disappeared without a trace.

I changed the link to do a google search for it, and that's
showing several mirrors. As always, be careful where you
download from, scan for viruses, etc.

Leo



Larry Wheatley
January 25, 2008 3:41 AM

Is there a program that will tell me what my computer is downloading when I have not told it to download anything?

B.S.Bohidar
September 6, 2009 6:41 AM

I am using Windows 2003 Server. How can I monitor internet activity on it?

Roger
December 29, 2009 10:20 AM

LEO, may I suggest you update your great article with TDIScope as a replacement to TDIMon. I've been using it for a while and it works well. Google it for more info and download site.

Ger
January 12, 2010 11:42 AM

http://reconserver.com worked for me its free for 7 days so giver

Bob
January 18, 2010 1:56 AM

Do some programs 'mask' their presence from your network activity?
I remember when I was back on dial-up, my connection kept switching off due to being "idle" for X mins, despite my instant messaging conversations throughout that period.

Jan-Joost
January 28, 2010 9:06 AM

Thanx man!
Thanks to this article i found out that my download program was also uploading, which wasn't my purpose.

Bye!

sibi
July 16, 2010 6:25 PM

waste,

no info about how to find "why number of bytes transfer is high" and
no info about how much bytes from each connection,

g
October 21, 2010 9:01 AM

does anyone have the application that use
command-line for getting what the internet activities?

Dan
April 19, 2011 1:53 AM

Sometimes you get a virus or spyware loaded into your computer without knowing it and it's really hard to find. The programs you mention in your article help see what is going on in real time, but some folks may have already gotten some malware and are faced with that problem already. I had found a free program called SuperAntiSpyware and took a chance and tried it.
It really "did" work wonderful and corrected my problem that I already had with malware. Now, thanks to your information, I am able to watch for things like that in real time before things may get to that situation once again.

Nilesh Mali
January 15, 2012 11:26 AM

How can i tell what files are being uploaded or downloaded by particular application, onto the system from internet?

A fairly geeky tool called Process Monitor can do that. Doing so can be complex, though.
Leo
15-Jan-2012

Nilesh Mali
January 16, 2012 6:29 AM

Hello There,

I'm using the same i.e. sysinternals PROCMON.EXE, but came to the following points-
i) A running process can write to file while its installation
ii) A running process can download packet and write the data of packet to a file.
So exactly how do I predict whether it is downloading file or copying/writing contents of other file to target file?
