Home »
Networking
»
Windows Networking
Summary: Network activity can happen for many reasons from expected to benign to malicious. There are free tools that allow you to easily see what's happening.
How can I tell what internet activity is happening on my machine?
•
With machines being more or less continuously connected to the internet these days it's easy to find that there are things going across your wire that perhaps you didn't realize or think about. Add malicious and semi-malicious code into the mix such as viruses and spyware, and understanding what's going on becomes even more important.
•
The good news is that there are tools, both included with Windows, and available for free on-line, that make monitoring your network fairly easy.
Most tools that come with Windows are command-line tools so you'll need to open up a Command prompt. We'll start first by determining the IP address of the machine you're currently on - that information will help you identify your own machine in some of the other tools later on. Type "ipconfig" and you should get output similar to this:
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.1.107
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
The IP address here is 192.168.1.107. Note: because I use a NAT router as my firewall that 192. address is not an actual address on the internet. That's part of the security a NET router provides - using NAT your IP address is specific to your local network - only the router actually sees your "real" internet address.
Netstat is a simple tool that will show you the currently open TCP/IP (internet protocol) connections. Type "netstat" and you should get output something like this:
Active Connections Proto Local Address Foreign Address State TCP LEO:1051 205.188.10.56:5190 ESTABLISHED TCP LEO:1059 hal-m021c.blue.aol.com:5190 ESTABLISHED TCP LEO:2387 baym-cs115.msgr.hotmail.com:1863 ESTABLISHED TCP LEO:4357 192.168.1.2:3389 ESTABLISHED
"LEO" is the name of my machine which as we saw above has the IP address 192.168.1.107 on my local network. The two lower entries here show connections to aol.com (I'm running AIM, AOL's Instant Messenger) and to msgr.hotmail.com (I'm also running MSN Messenger). The other two connections identified by only an IP address remain a mystery for the moment.
Now we'll move on to a freeware tool called TcpView from the folks as SysInternals. Download and run it and you'll get a window that shows you information very similar to netstat except with much more information that's continually updated.
Here you can see that the connections are listed along side the running program that initiated the connection. TcpView also does a better job of name resolution and we can see that our connection to AIM actually is using two TCP/IP connections including one of the mystery connections from above. "msnmsgr.exe" is MSN's instant messenger as we saw above. And we now also see that the remaining connection is generated by an application called MSTSC.EXE which is the Microsoft Terminal Services Client - also known as the Remote Desktop Client. I have a remote desktop connection to my laptop in another room and that's what this connection is all about.
So far we've only seen connections and not traffic. That's often enough to expose an application or spyware that's communicating over the net when you don't expect it.
This next tool will tell more about the conversations happening across those connections though it'll easily overwhelm you with data. TDIMon will show you every request being made across the network. It won't show you the data with each request but it will show you the application making it and a few other characteristics of the request.
When you run TDIMon you'll find that there's a lot of network activity even when you're doing nothing and even if you're not connected to the internet. "explorer.exe" will show up often, for example. This is because Windows will use the network to communicate not only across the internet but also with other machines on your local network and in some cases even with itself.
The best way to use TDIMon is to have it log it's output to a text file, an option that's found on TDIMon's File menu. Run it for a little while collecting data and then stop it and examine the log file with a text viewing utility such as notepad. You can probably ignore all the extra network protocol specific information unless that's something that interests you. Just by looking applications that are making requests and how many requests are being made can help identify where your network traffic is coming from and perhaps some specific applications to investigate further.
Article C1877 - January 5, 2004
LEO, may I suggest you update your great article with TDIScope as a replacement to TDIMon. I've been using it for a while and it works well. Google it for more info and download site.
Posted by: Roger at December 29, 2009 10:20 AMhttp://reconserver.com worked for me its free for 7 days so giver
Posted by: Ger at January 12, 2010 11:42 AMDo some programs 'mask' their presence from your network activity?
Posted by: Bob at January 18, 2010 1:56 AMI remember when I was back on dial-up, my connection kept switching off due to being "idle" for X mins, despite my instant messaging conversations throughout that period.
Thanx man!
Thanks to this article i found out that my download program was also uploading, which wasn't my purpose.
Bye!
Posted by: Jan-Joost at January 28, 2010 9:06 AMwaste,
no info abt how to find "why number of bytes transfer is high and
Posted by: sibi at July 16, 2010 6:25 PMno info abt how much bytes from each connection ,