How can I tell what internet activity is happening on my machine?

Home » Networking » Windows Networking

Summary: Network activity can happen for many reasons from expected to benign to malicious. There are free tools that allow you to easily see what's happening.

With machines being more or less continuously connected to the internet these days it's easy to find that there are things going across your wire that perhaps you didn't realize or think about. Add malicious and semi-malicious code into the mix such as viruses and spyware, and understanding what's going on becomes even more important.

•

The good news is that there are tools, both included with Windows, and available for free on-line, that make monitoring your network fairly easy.

Most tools that come with Windows are command-line tools so you'll need to open up a Command prompt. We'll start first by determining the IP address of the machine you're currently on - that information will help you identify your own machine in some of the other tools later on. Type "ipconfig" and you should get output similar to this:

Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.107
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

The IP address here is 192.168.1.107. Note: because I use a NAT router as my firewall that 192. address is not an actual address on the internet. That's part of the security a NET router provides - using NAT your IP address is specific to your local network - only the router actually sees your "real" internet address.

Netstat is a simple tool that will show you the currently open TCP/IP (internet protocol) connections. Type "netstat" and you should get output something like this:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    LEO:1051               205.188.10.56:5190     ESTABLISHED
  TCP    LEO:1059               hal-m021c.blue.aol.com:5190  ESTABLISHED
  TCP    LEO:2387               baym-cs115.msgr.hotmail.com:1863  ESTABLISHED
  TCP    LEO:4357               192.168.1.2:3389       ESTABLISHED

"LEO" is the name of my machine which as we saw above has the IP address 192.168.1.107 on my local network. The two lower entries here show connections to aol.com (I'm running AIM, AOL's Instant Messenger) and to msgr.hotmail.com (I'm also running MSN Messenger). The other two connections identified by only an IP address remain a mystery for the moment.

Now we'll move on to a freeware tool called TcpView from the folks as SysInternals. Download and run it and you'll get a window that shows you information very similar to netstat except with much more information that's continually updated.

Here you can see that the connections are listed along side the running program that initiated the connection. TcpView also does a better job of name resolution and we can see that our connection to AIM actually is using two TCP/IP connections including one of the mystery connections from above. "msnmsgr.exe" is MSN's instant messenger as we saw above. And we now also see that the remaining connection is generated by an application called MSTSC.EXE which is the Microsoft Terminal Services Client - also known as the Remote Desktop Client. I have a remote desktop connection to my laptop in another room and that's what this connection is all about.

So far we've only seen connections and not traffic. That's often enough to expose an application or spyware that's communicating over the net when you don't expect it.

This next tool will tell more about the conversations happening across those connections though it'll easily overwhelm you with data. TDIMon will show you every request being made across the network. It won't show you the data with each request but it will show you the application making it and a few other characteristics of the request.

When you run TDIMon you'll find that there's a lot of network activity even when you're doing nothing and even if you're not connected to the internet. "explorer.exe" will show up often, for example. This is because Windows will use the network to communicate not only across the internet but also with other machines on your local network and in some cases even with itself.

The best way to use TDIMon is to have it log it's output to a text file, an option that's found on TDIMon's File menu. Run it for a little while collecting data and then stop it and examine the log file with a text viewing utility such as notepad. You can probably ignore all the extra network protocol specific information unless that's something that interests you. Just by looking applications that are making requests and how many requests are being made can help identify where your network traffic is coming from and perhaps some specific applications to investigate further.

Article C1877 - January 5, 2004