Helping people with computers... one answer at a time.
Network activity can happen for many reasons, from expected and benign to malicious. There are free tools that let you easily see what's happening.
How can I tell what internet activity is happening on my machine?
With machines being more or less continuously connected to the internet these days it's easy to find that there are things going across your wire that perhaps you didn't realize or think about. Add malicious and semi-malicious code into the mix such as viruses and spyware, and understanding what's going on becomes even more important.
The good news is that there are tools, both included with Windows and available for free online, that make monitoring your network fairly easy.
Most tools that come with Windows are command-line tools, so you'll need to open a Command Prompt. We'll start by determining the IP address of the machine you're currently on; that information will help you identify your own machine in some of the other tools later on. Type "ipconfig" and you should get output similar to this:
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.1.107
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
The IP address here is 192.168.1.107. Note: because I use a NAT router as my firewall, that 192.168.x.x address is not an actual address on the internet. That's part of the security a NAT router provides: with NAT your IP address is specific to your local network, and only the router actually sees your "real" internet address.
Netstat is a simple tool that shows you the currently open TCP/IP (internet protocol) connections. Type "netstat" and you should get output something like this:
Active Connections

Proto  Local Address  Foreign Address               State
TCP    LEO:1051       205.188.10.56:5190            ESTABLISHED
TCP    LEO:1059       hal-m021c.blue.aol.com:5190   ESTABLISHED
TCP    LEO:2387       baym-cs115.msgr.hotmail.com:1863  ESTABLISHED
TCP    LEO:4357       192.168.1.2:3389              ESTABLISHED
"LEO" is the name of my machine which, as we saw above, has the IP address 192.168.1.107 on my local network. The two entries with host names show connections to aol.com (I'm running AIM, AOL's Instant Messenger) and to msgr.hotmail.com (I'm also running MSN Messenger). The other two connections, identified only by an IP address, remain a mystery for the moment.
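The sorting the article does by eye (named hosts versus bare IP addresses, and which remote ports belong to which known service) can be done over saved netstat output. The following is an added example written for this page, not code from the article or from any tool it mentions; the netstat listing embedded in it is constructed to match the one above, the port-to-service table reflects only what the article itself identifies (5190 AIM, 1863 MSN Messenger, 3389 Remote Desktop), and it parses the IPv4 `host:port` form shown here.

```python
"""Parse saved Windows `netstat` output and separate the entries a person
would want to look at more closely: remote ends that are only a bare IP
address (no resolved name) and remote ports that are not on a short list of
services we expect to see. Constructed sample data; nothing here touches
the network."""
import ipaddress
import re
from collections import namedtuple

Connection = namedtuple(
    "Connection", "proto local_host local_port remote_host remote_port state")

# Constructed sample: the article's netstat listing, one entry per line.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address   Foreign Address                   State
  TCP    LEO:1051        205.188.10.56:5190                ESTABLISHED
  TCP    LEO:1059        hal-m021c.blue.aol.com:5190       ESTABLISHED
  TCP    LEO:2387        baym-cs115.msgr.hotmail.com:1863  ESTABLISHED
  TCP    LEO:4357        192.168.1.2:3389                  ESTABLISHED
"""

# Ports the article identifies; anything else is reported as "unknown service".
EXPECTED_PORTS = {5190: "AIM", 1863: "MSN Messenger", 3389: "Remote Desktop"}

# One netstat row: proto, host:port, host:port, optional state (IPv4 form).
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")


def parse_netstat(text):
    """Return a Connection for every data row; headers and blanks are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, lh, lp, rh, rp, state = m.groups()
        conns.append(Connection(
            proto, lh, None if lp == "*" else int(lp),
            rh, None if rp == "*" else int(rp), state))
    return conns


def is_bare_ip(host):
    """True when the remote end did not resolve to a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(conn):
    """Label a connection by expected service and by what kind of remote end it has."""
    service = EXPECTED_PORTS.get(conn.remote_port, "unknown service")
    if not is_bare_ip(conn.remote_host):
        origin = "name resolved"
    elif ipaddress.ip_address(conn.remote_host).is_private:
        origin = "LAN address"
    else:
        origin = "bare internet IP"
    return f"{service}; {origin}"


def mystery_connections(conns):
    """The entries the article calls a mystery: remote end shown only as an IP."""
    return [c for c in conns if is_bare_ip(c.remote_host)]


if __name__ == "__main__":
    for c in parse_netstat(SAMPLE_NETSTAT):
        print(f"{c.proto} {c.local_host}:{c.local_port} -> "
              f"{c.remote_host}:{c.remote_port}  [{classify(c)}]")
```

Run it against a file captured with `netstat > connections.txt` by reading that file into `parse_netstat` instead of the sample; the mystery list is the set of entries worth matching up with a process in TcpView.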
Now we'll move on to a freeware tool called TcpView from the folks at SysInternals. Download and run it and you'll get a window that shows you information very similar to netstat, except with much more detail, and continually updated.

Here you can see that the connections are listed alongside the running program that initiated each one. TcpView also does a better job of name resolution, and we can see that our connection to AIM actually uses two TCP/IP connections, including one of the mystery connections from above. "msnmsgr.exe" is MSN's instant messenger, as we saw above. And we now also see that the remaining connection is generated by an application called MSTSC.EXE, which is the Microsoft Terminal Services Client, also known as the Remote Desktop Client. I have a remote desktop connection to my laptop in another room, and that's what this connection is all about.
So far we've only seen connections, not traffic. That's often enough to expose an application or spyware that's communicating over the net when you don't expect it.
This next tool will tell you more about the conversations happening across those connections, though it'll easily overwhelm you with data. TDIMon will show you every request being made across the network. It won't show you the data with each request, but it will show you the application making it and a few other characteristics of the request.
When you run TDIMon you'll find that there's a lot of network activity even when you're doing nothing and even if you're not connected to the internet. "explorer.exe" will show up often, for example. This is because Windows will use the network to communicate not only across the internet but also with other machines on your local network and in some cases even with itself.
The best way to use TDIMon is to have it log its output to a text file, an option found on TDIMon's File menu. Run it for a little while collecting data, then stop it and examine the log file with a text viewing utility such as Notepad. You can probably ignore all the extra network-protocol-specific information unless that's something that interests you. Just looking at which applications are making requests, and how many requests each is making, can help identify where your network traffic is coming from and perhaps some specific applications to investigate further.
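Reading a long request log in Notepad gets tedious; the per-application counts the article suggests looking for are easy to tally in a few lines. This is an added example written for this page, not TDIMon's own output format or code: the log lines are constructed, and their column layout (sequence number, time, process:pid, protocol:local endpoint, request name, result) is an assumption made for the example rather than TDIMon's real layout, so adjust `parse_log` to the columns you actually see in your file. The process named `sample-unknown.exe` is a placeholder standing in for whatever unfamiliar name turns up in a real log.

```python
"""Tally a captured network-request log by application, the way the article
suggests reading a TDIMon log: which programs make requests, how many, and
which of those programs you did not expect to see. Constructed sample data
in an assumed column layout; nothing here captures live traffic."""
from collections import Counter, defaultdict

# Constructed sample lines. Columns (assumed for this example):
#   seq  time  process:pid  proto:local-endpoint  request  result
SAMPLE_LOG = """\
1   0.00000000   explorer.exe:1324        UDP:192.168.1.107:137    TDI_SEND_DATAGRAM      SUCCESS
2   0.00120000   explorer.exe:1324        UDP:192.168.1.107:137    TDI_RECEIVE_DATAGRAM   SUCCESS
3   0.00500000   aim.exe:2208             TCP:192.168.1.107:1051   TDI_SEND               SUCCESS
4   0.00610000   aim.exe:2208             TCP:192.168.1.107:1051   TDI_RECEIVE            SUCCESS
5   0.00900000   msnmsgr.exe:1980         TCP:192.168.1.107:2387   TDI_SEND               SUCCESS
6   0.01200000   explorer.exe:1324        UDP:192.168.1.107:137    TDI_SEND_DATAGRAM      SUCCESS
7   0.01500000   sample-unknown.exe:3120  TCP:192.168.1.107:4412   TDI_CONNECT            SUCCESS
8   0.01510000   sample-unknown.exe:3120  TCP:192.168.1.107:4412   TDI_SEND               SUCCESS
"""

# Programs the article already accounted for; anything else is worth a look.
KNOWN_PROCESSES = {"explorer.exe", "aim.exe", "msnmsgr.exe", "mstsc.exe"}


def parse_log(text):
    """Return one dict per data line; lines that do not start with a number are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].isdigit():
            continue
        seq, t, proc, endpoint, request, result = parts[:6]
        name, _, pid = proc.rpartition(":")
        records.append({
            "seq": int(seq), "time": float(t), "process": name.lower(),
            "pid": int(pid), "endpoint": endpoint,
            "request": request, "result": result,
        })
    return records


def requests_per_process(records):
    """How many requests each program made, busiest first."""
    return Counter(r["process"] for r in records)


def requests_by_type(records):
    """For each program, a breakdown of which request kinds it issued."""
    out = defaultdict(Counter)
    for r in records:
        out[r["process"]][r["request"]] += 1
    return out


def unfamiliar_processes(records, known=KNOWN_PROCESSES):
    """Programs in the log that are not on the list of ones you expect."""
    return sorted(p for p in requests_per_process(records) if p not in known)


def connecting_processes(records):
    """Programs that opened outbound connections (TDI_CONNECT) during the capture."""
    return sorted({r["process"] for r in records if r["request"] == "TDI_CONNECT"})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for proc, n in requests_per_process(recs).most_common():
        print(f"{proc:20s} {n:4d} requests  {dict(requests_by_type(recs)[proc])}")
    print("unfamiliar:", unfamiliar_processes(recs))
    print("opened connections:", connecting_processes(recs))
```

The count alone reproduces the article's observation that explorer.exe shows up often even when you are doing nothing, and the unfamiliar list is the short set of names to look up next.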
Article C1877 - January 5, 2004
July 16, 2010 6:25 PM
Waste,
no info about how to find why the number of bytes transferred is high, and
no info about how many bytes come from each connection.
October 21, 2010 9:01 AM
Does anyone have an application that uses the
command line for getting the internet activities?
April 19, 2011 1:53 AM
Sometimes you get a virus or spyware loaded into your computer without knowing it and it's really hard to find. The programs you mention in your article help see what is going on in real time, but some folks may have already gotten some malware and are faced with that problem already. I had found a free program called SuperAntiSpyware and took a chance and tried it.
It really "did" work wonderfully and corrected the problem I already had with malware. Now, thanks to your information, I am able to watch for things like that in real time before things get to that situation once again.
January 15, 2012 11:26 AM
How can I tell what files are being uploaded or downloaded by a particular application onto the system from the internet?
January 16, 2012 6:29 AM
Hello There,
I'm using the same, i.e. Sysinternals PROCMON.EXE, but came to the following points:
i) A running process can write to a file during its installation.
ii) A running process can download a packet and write the data of the packet to a file.
So exactly how do I predict whether it is downloading a file or copying/writing the contents of another file to the target file?