Ask Leo! by Leo A. Notenboom

How can I tell what internet activity is happening on my machine?

Summary: Network activity can happen for many reasons from expected to benign to malicious. There are free tools that allow you to easily see what's happening.

With machines being more or less continuously connected to the internet these days it's easy to find that there are things going across your wire that perhaps you didn't realize or think about. Add malicious and semi-malicious code into the mix such as viruses and spyware, and understanding what's going on becomes even more important.

The good news is that there are tools, both included with Windows, and available for free on-line, that make monitoring your network fairly easy.

Most tools that come with Windows are command-line tools, so you'll need to open a Command Prompt. We'll start by determining the IP address of the machine you're currently on; that information will help you identify your own machine in some of the other tools later on. Type "ipconfig" and you should get output similar to this:

Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.107
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

The IP address here is 192.168.1.107. Note: because I use a NAT router as my firewall, that 192.168.x.x address is not an actual address on the internet. That's part of the security a NAT router provides - with NAT your IP address is specific to your local network, and only the router actually sees your "real" internet address.

Netstat is a simple tool that will show you the currently open TCP/IP (internet protocol) connections. Type "netstat" and you should get output something like this:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    LEO:1051               205.188.10.56:5190     ESTABLISHED
  TCP    LEO:1059               hal-m021c.blue.aol.com:5190  ESTABLISHED
  TCP    LEO:2387               baym-cs115.msgr.hotmail.com:1863  ESTABLISHED
  TCP    LEO:4357               192.168.1.2:3389       ESTABLISHED

"LEO" is the name of my machine, which as we saw above has the IP address 192.168.1.107 on my local network. The two entries with host names show connections to aol.com (I'm running AIM, AOL's Instant Messenger) and to msgr.hotmail.com (I'm also running MSN Messenger). The other two connections, identified only by an IP address, remain a mystery for the moment.

Now we'll move on to a freeware tool called TcpView from the folks at Sysinternals. Download and run it and you'll get a window that shows you information very similar to netstat, except with much more detail that's continually updated.

TcpView Screen Shot

Here you can see that the connections are listed alongside the running program that initiated each one. TcpView also does a better job of name resolution, and we can see that our connection to AIM actually uses two TCP/IP connections, including one of the mystery connections from above. "msnmsgr.exe" is MSN's instant messenger, as we saw above. And we now also see that the remaining connection is generated by an application called MSTSC.EXE, which is the Microsoft Terminal Services Client - also known as the Remote Desktop Client. I have a remote desktop connection to my laptop in another room, and that's what this connection is all about.
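The join TcpView performs on screen can also be done by hand from two command-line listings. The following Python script is an added example, not code from the original article or from Sysinternals: it reads `netstat -ano` output (the `-o` switch, absent from the 2004 listing above, adds the owning process ID) together with `tasklist` output, joins the two on PID, and labels each foreign address as the local machine, the local network (using the subnet from the ipconfig output) or something beyond the NAT router. Both listings are constructed samples embedded in the script; the PIDs and image names are made up, 205.188.10.56 is taken from the article's own netstat output, and the 203.0.113.x / 198.51.100.x addresses are RFC 5737 documentation addresses standing in for the other servers.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not captured from a real
# machine). 205.188.10.56 comes from the article; 203.0.113.17 and
# 198.51.100.9 are RFC 5737 documentation addresses.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    192.168.1.107:1051     205.188.10.56:5190     ESTABLISHED     1420
  TCP    192.168.1.107:1059     203.0.113.17:5190      ESTABLISHED     1420
  TCP    192.168.1.107:2387     198.51.100.9:1863      ESTABLISHED     1988
  TCP    192.168.1.107:4357     192.168.1.2:3389       ESTABLISHED     2212
  UDP    0.0.0.0:500            *:*                                    704
"""

# Constructed sample of `tasklist` output; PIDs and image names are made up.
TASKLIST_OUTPUT = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
lsass.exe                      704 Console                    0      6,012 K
svchost.exe                    804 Console                    0      4,928 K
aim.exe                       1420 Console                    0     18,212 K
msnmsgr.exe                   1988 Console                    0     22,400 K
mstsc.exe                     2212 Console                    0      9,104 K
"""

# RFC 1918 ranges: private addresses that are not on *this* LAN.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_tasklist(text):
    """Map PID -> image name. Data rows have a numeric PID in column two."""
    names = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            names[int(parts[1])] = parts[0]
    return names


def parse_netstat(text):
    """Return one dict per connection row; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                      # blank lines and headers
        if parts[0] == "UDP":
            parts.insert(3, "")           # pad the missing State column
        proto, local, foreign, state, pid = parts
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def split_endpoint(endpoint):
    """Split 'host:port' (or '[v6addr]:port') into (host, port-as-text)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def classify(host, local_net):
    """Where a foreign address sits relative to this machine and its NAT router."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unresolved"               # '*' or a host name
    if ip.is_unspecified or ip.is_loopback:
        return "local machine"
    if ip in local_net:
        return "local network"
    if any(ip in net for net in RFC1918):
        return "private, not this network"
    return "beyond the router"


def connections_by_process(netstat_text, tasklist_text, local_cidr):
    """Join netstat rows to process names on PID, like TcpView's process column."""
    local_net = ipaddress.ip_network(local_cidr)
    names = parse_tasklist(tasklist_text)
    by_proc = defaultdict(list)
    for row in parse_netstat(netstat_text):
        if row["state"] == "LISTENING" or row["proto"] == "UDP":
            continue                      # netstat shows no remote peer for these
        host, port = split_endpoint(row["foreign"])
        name = names.get(row["pid"], f"pid {row['pid']} (not in tasklist)")
        by_proc[name].append((f"{host}:{port}", classify(host, local_net)))
    return dict(by_proc)


if __name__ == "__main__":
    # The subnet comes from the ipconfig output: 192.168.1.107 / 255.255.255.0.
    for name, peers in connections_by_process(
            NETSTAT_OUTPUT, TASKLIST_OUTPUT, "192.168.1.0/24").items():
        print(name)
        for peer, scope in peers:
            print(f"    {peer:<24} {scope}")
```

On a real machine the two listings would be saved with `netstat -ano > netstat.txt` and `tasklist > tasklist.txt` at roughly the same moment, since a PID that exits between the two commands will show up as "not in tasklist". The Remote Desktop connection to 192.168.1.2 comes out as "local network" while the messenger connections are "beyond the router", which is exactly the distinction that makes a connection worth a second look.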

So far we've only seen connections and not traffic. That's often enough to expose an application or spyware that's communicating over the net when you don't expect it.

This next tool will tell you more about the conversations happening across those connections, though it can easily overwhelm you with data. TDIMon will show you every request being made across the network. It won't show you the data sent with each request, but it will show you the application making it and a few other characteristics of the request.

When you run TDIMon you'll find that there's a lot of network activity even when you're doing nothing and even if you're not connected to the internet. "explorer.exe" will show up often, for example. This is because Windows will use the network to communicate not only across the internet but also with other machines on your local network and in some cases even with itself.

The best way to use TDIMon is to have it log its output to a text file, an option found on TDIMon's File menu. Run it for a little while collecting data, then stop it and examine the log file with a text viewing utility such as Notepad. You can probably ignore all the protocol-specific detail unless that's something that interests you. Just looking at which applications are making requests, and how many requests each is making, can help identify where your network traffic is coming from and which applications might deserve further investigation.
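The per-application tally described above is easy to automate once the log is in a text file. The script below is an added example, not part of the original article and not a Sysinternals tool; it assumes a tab-separated export with four columns (time, process, TDI request, remote address, the last blank when a request has no remote peer), which is an assumption about the layout rather than TDIMon's documented format. The log lines are constructed for this example, "updater.exe" is a made-up process name, and the addresses other than the article's 205.188.10.56 are RFC 5737 documentation addresses. It counts requests per process, separates requests that actually have a remote peer from the local chatter the article mentions for explorer.exe, and ranks the processes by how much remote traffic they generate.

```python
from collections import Counter, defaultdict

# Constructed sample log (not a real TDIMon capture). Assumed layout:
# time <TAB> process <TAB> TDI request <TAB> remote address (blank if none).
SAMPLE_LOG = """\
10:01:02.110\texplorer.exe\tTDI_QUERY_INFORMATION\t
10:01:02.115\texplorer.exe\tTDI_SEND_DATAGRAM\t192.168.1.255:138
10:01:03.002\taim.exe\tTDI_SEND\t205.188.10.56:5190
10:01:03.410\taim.exe\tTDI_RECEIVE\t205.188.10.56:5190
10:01:04.000\tupdater.exe\tTDI_CONNECT\t203.0.113.17:80
10:01:04.050\tupdater.exe\tTDI_SEND\t203.0.113.17:80
10:01:04.900\tupdater.exe\tTDI_CONNECT\t203.0.113.44:80
10:01:05.200\texplorer.exe\tTDI_QUERY_INFORMATION\t
10:01:06.000\tmsnmsgr.exe\tTDI_SEND\t198.51.100.9:1863
"""


def parse_log(text):
    """Return (process, request, remote_host) per line; host is None when blank."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            continue                       # header or malformed line
        _time, process, request, remote = fields
        host = remote.rsplit(":", 1)[0] if remote else None
        records.append((process, request, host))
    return records


def summarize(records):
    """Per process: total requests, requests with a remote peer, distinct peers."""
    total = Counter()
    with_peer = Counter()
    hosts = defaultdict(set)
    requests = defaultdict(Counter)
    for process, request, host in records:
        total[process] += 1
        requests[process][request] += 1
        if host is not None:               # local-only requests have no peer
            with_peer[process] += 1
            hosts[process].add(host)
    return {p: {"requests": total[p], "with_peer": with_peer[p],
                "hosts": sorted(hosts[p]), "by_request": dict(requests[p])}
            for p in total}


def ranked(summary):
    """Processes ordered by remote-peer requests, busiest first (name breaks ties)."""
    return sorted(summary.items(), key=lambda kv: (-kv[1]["with_peer"], kv[0]))


if __name__ == "__main__":
    for name, info in ranked(summarize(parse_log(SAMPLE_LOG))):
        print(f"{name:<14} {info['requests']:>3} requests, "
              f"{info['with_peer']:>3} with a remote peer: "
              f"{', '.join(info['hosts']) or '-'}")
```

Counting requests with a remote peer separately keeps a chatty explorer.exe, whose requests are mostly local, from crowding out a process that talks to several outside hosts. The process at the top of the ranking that you don't recognise is the one to look up next.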

Article C1877 - January 5, 2004

Recent Comments
51 Comments

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nothing. Your machine is acting normally.

Have a look at this article:
http://ask-leo.com/when_i_use_startrun_and_type_in_a_command_why_does_a_window_just_flash_and_disappear.html

Leo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)

iD8DBQFF6bjiCMEe9B/8oqERAphaAKCDQ3xsWkPDX55NC51mJEECnfJARwCeIseQ
5hxiq6cKttdIWOoAOm8ApYk=
=kpYK
-----END PGP SIGNATURE-----

Posted by: Leo A. Notenboom at March 3, 2007 10:04 AM

When you type netstat you will see all connections, including those to instant message programs, Windows Update, etc., but if you see the IP, you can use http://www.ipgp.net to know if it is known or something wrong happens on your computer.

Posted by: Lucian at March 21, 2007 12:11 PM

I know my IP address, but how can I figure it out without checking on the net? I want to figure it out myself. More than that, when I type ipconfig into the cmd window it shows my IP address, but that's not the address I get from the internet. Can someone explain, please?

Posted by: Isac at March 29, 2007 2:33 PM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You're probably behind a router. Routers assign you a local
IP address, and then translate between that and your IP address
on the internet.

Leo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)

iD8DBQFGDHJlCMEe9B/8oqERAuwrAJ9APbtvawrx/a6swQXlkNBNGTTMgQCeIJRy
8446u89v6qtVIk+/LZeRNT0=
=3dzP
-----END PGP SIGNATURE-----

Posted by: Leo Notenboom at March 29, 2007 7:14 PM

It's very useful.

Posted by: M.Murali at October 26, 2007 2:32 AM

This is a very useful article but I was stopped at the point where I need to download TDIMon. This utility is no longer available on Microsoft's site and is not included in the Sysinternals Suite. Is there an alternate download available please?

Posted by: Jeff Cox at January 10, 2008 10:23 AM

Leo - the link to TDIMon is broken as per my previous post. Is there another location for this utility please?

Posted by: Jeff Cox at January 21, 2008 8:49 AM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Unfortunately I was unable to find an official location for
it - it seems to have disappeared without a trace.

I changed the link to do a google search for it, and that's
showing several mirrors. As always, be careful where you
download from, scan for viruses, etc.

Leo


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHlp1+CMEe9B/8oqERAlbvAJ9mNyvZrTxb3y1NQ6Fy/CYanqOdKgCeNjd3
VkEhm/QkYzPbfg0Ytnu5bNY=
=EkTh
-----END PGP SIGNATURE-----

Posted by: Leo A. Notenboom at January 22, 2008 5:50 PM

Is there a program that will tell me what my computer is downloading when I have not told it to download anything?

Posted by: Larry Wheatley at January 25, 2008 3:41 AM

I am using Windows 2003 Server. How can I monitor internet activity on it?

Posted by: B.S.Bohidar at September 6, 2009 6:41 AM
