
It's not at all uncommon for your network to be busy even if you're not. We'll look at why, and what you might do to investigate should you need to.

I have noticed that when I log on, the Wireless Network Connection Status window shows that the packets leaving my computer almost equal the packets entering the computer, even though I am not uploading any files. Is this an indication that a keystroke logger or similar malware is exporting files from my computer? Also, is there any way that I can monitor the actual data content that is leaving my machine?

The network is a busy place, even when you're doing nothing at all. It's not necessarily the sign of something bad, and not something most people even notice.

Depending on just how detailed - and geeky - you want to get, there are tools that will let you monitor what's happening to varying degrees - all free.

Aside from the programs that you already know actually use the network to do whatever it is they do, there are two common reasons you may see activity on your local network.

There are network services and protocols that generate traffic on their own. Part of the service they provide might involve periodically polling the network for machines or other resources, or broadcasting information to other machines on the net. It just happens.

And then it seems like every program you run, and even a few you didn't run but are still running anyway, wants to connect to the net to check for updates. The obvious cases are programs that check for updates when you start them, like perhaps FireFox. But other programs - and services - not only periodically check in the background for updates, but will often actually download those updates without any visual indication until those updates are ready to install. The most obvious clue that they're downloading at all might be a slight decrease in network performance.


If you're connected to the internet directly, things get a little more sinister. The term "internet background noise" has been coined to refer to the fairly constant stream of random connection attempts - and yes, hacking attempts - that arrive on any internet connection. There are machines that, for example, are infected with viruses and are simply out trying every internet IP address they can find to propagate their malware. That's one of the reasons that firewalls are so important.

So, how do you find out what's up on your machine and whether or not you should be concerned?

There are four tools I'm going to tell you about, starting with the simplest and working up to the geekiest - and of course the amount of information available to you will increase at each step of the way.

TCPView

TCPView

TCPView will allow you to see what TCP/IP connections your machine has. For example, if you have Windows Live Messenger open, you'll likely see a connection from your machine to an IP address that belongs to Microsoft's Windows Live Messenger Service. Periodically, Messenger communicates with the service as messages are sent or received, but the connection remains "open", and thus connected, whether you're actively IMing or not.

TCPView won't tell you what's being said, it'll just tell you which program on your machine is talking to what server out on the internet (or perhaps to what other machine on your local area network).
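
The same "which program is talking to what server" view can be assembled from the text that `netstat -ano` prints at a Windows command prompt (a commenter below mentions netstat too), with `tasklist` supplying the process names. The script below is an added example, not part of the article or of TCPView: it parses a constructed netstat listing, groups connections by process the way TCPView does, and compares the result against a baseline of programs you already expect to use the network. The netstat text, the PID-to-name map and the baseline are all made up for the example; the addresses are documentation and private-LAN ranges, not real hosts.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Windows "netstat -ano" output. The
# addresses come from RFC 5737 documentation ranges and a private LAN range;
# none of these are real hosts.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:49212      203.0.113.10:5222      ESTABLISHED     1844
  TCP    192.168.1.5:49301      203.0.113.20:80        ESTABLISHED     2210
  TCP    192.168.1.5:49302      203.0.113.21:80        TIME_WAIT       0
  TCP    192.168.1.5:49410      198.51.100.7:6667      ESTABLISHED     3020
  UDP    0.0.0.0:5355           *:*                                    1128
  UDP    192.168.1.5:49300      *:*                                    1844
"""

# Constructed PID -> image name map, the kind of thing "tasklist" reports.
PID_NAMES = {4: "System", 892: "svchost.exe", 1128: "svchost.exe",
             1844: "trillian.exe", 2210: "firefox.exe", 3020: "updater.exe"}

# Hypothetical baseline: the programs this user already expects to use the network.
KNOWN_NETWORK_USERS = {"System", "svchost.exe", "trillian.exe", "firefox.exe"}

# One netstat row: proto, local, foreign, optional state (UDP rows have none), PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner and header lines
        proto, local, remote, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state or "", "pid": int(pid)})
    return rows


def connections_by_process(rows, pid_names):
    """Group rows the way TCPView presents them: for each program, the remote
    endpoints it is talking to and the ports it is listening on."""
    by_proc = defaultdict(lambda: {"pids": set(), "established": set(), "listening": set()})
    for r in rows:
        if r["pid"] == 0:
            continue  # no owning process any more (e.g. TIME_WAIT leftovers)
        entry = by_proc[pid_names.get(r["pid"], "pid-%d" % r["pid"])]
        entry["pids"].add(r["pid"])
        if r["state"] == "ESTABLISHED":
            entry["established"].add((r["proto"], r["remote"]))
        elif r["state"] == "LISTENING" or r["proto"] == "UDP":
            entry["listening"].add((r["proto"], r["local"]))
    return dict(by_proc)


def unexpected_talkers(by_proc, known):
    """Programs with live connections to somewhere that are not on the baseline."""
    return sorted(name for name, e in by_proc.items()
                  if e["established"] and name not in known)


if __name__ == "__main__":
    grouped = connections_by_process(parse_netstat(NETSTAT_SAMPLE), PID_NAMES)
    for name, e in sorted(grouped.items()):
        print(name, "pids", sorted(e["pids"]))
        for proto, remote in sorted(e["established"]):
            print("   talking to", proto, remote)
        for proto, local in sorted(e["listening"]):
            print("   listening on", proto, local)
    print("not on the baseline:", unexpected_talkers(grouped, KNOWN_NETWORK_USERS))
```

Rows with PID 0 are skipped because Windows no longer attributes them to a process (TIME_WAIT leftovers), which is the same reason TCPView shows them without a program name. The baseline check is the useful part: it turns "lots of connections" into a short list of programs you did not expect to be talking to anyone, which is what the question is really asking.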

Process Explorer

Process Explorer will do many, many things, and two of them are of interest when it comes to network connections.

With Process Explorer open, right-click on a process that you know has internet connections, click on Properties, and then click on the TCP/IP tab.

Process Explorer examining the TCP/IP connections of a process

Much like TCPView, but at the process level.

Also at the process level, click on the Performance Graph tab:

Process Explorer examining the Performance Graph of a process

In addition to the CPU Usage for this process, and the "Private Bytes" or memory usage, you'll see a graph for I/O (Input/Output) Bytes History. Many, if not most, applications that connect to the internet do so in a way that causes their traffic to be classified as I/O. Note that disk and network traffic are combined in this graph, but it can still be a quick way to see whether a specific application is potentially communicating more than you'd expect it to.

Now things get a tad geekier.

Process Monitor

So far the tools we've been using typically show only the current state of your machine - what your processes are connected to. At best, we've seen only a graph of combined traffic. While that's interesting (and simple), it's not really telling us what's happening in any detail.

Process Monitor works a little differently. Essentially you turn it loose to record data for a while, and then using various filters and other techniques you can scan that data for the pieces of interest.

Example of Process Monitor

In the above example I had Process Monitor's filter set to show only events from the "trillian.exe" process, and only those events that related to "TCP". As you can see, it's a fairly detailed listing of a lot of activity over just a few seconds' time. In fact, Process Monitor can generate an overwhelming amount of data. Unfortunately, using it effectively is beyond the scope of this article. If you want to give Process Monitor a try, I recommend a two-step approach:

  • Run it once with its default filters, for just a few seconds. Perhaps do something that you know will generate some internet traffic while it's running. Spend some time reviewing the massive amount of data collected.

  • Now, spend a few minutes investigating the filtering options, and either re-run Process Monitor, or filter the data you've collected, as I have, to narrow the focus to the actual data you're interested in.
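
Process Monitor can save what it collected as a CSV file (File, Save), which makes the second step above repeatable outside the tool. The script below is an added example, not part of the article or of Process Monitor itself: it reads a constructed CSV in the column layout of a Procmon export, applies the same narrowing as the screenshot (process name plus operations beginning with "TCP"), and then boils the remaining events down to a per-endpoint count, byte total and average byte rate, which is the kind of summary that turns an overwhelming listing into something you can reason about. The rows, process names and addresses are invented for the example.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the column layout of a Process Monitor CSV export. The
# events, addresses (RFC 5737 ranges) and timestamps are invented.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"2:25:10.0012345 PM","trillian.exe","1844","TCP Send","mypc:49212 -> 203.0.113.10:5222","SUCCESS","Length: 52, seqnum: 0, connid: 0"
"2:25:10.0312345 PM","trillian.exe","1844","TCP Receive","mypc:49212 -> 203.0.113.10:5222","SUCCESS","Length: 1460, seqnum: 0, connid: 0"
"2:25:10.0512345 PM","trillian.exe","1844","RegQueryValue","HKCU\Software\Trillian","SUCCESS","Type: REG_SZ, Length: 20"
"2:25:10.2012345 PM","firefox.exe","2210","TCP Receive","mypc:49301 -> 203.0.113.20:80","SUCCESS","Length: 1460, seqnum: 0, connid: 0"
"2:25:11.0012345 PM","trillian.exe","1844","TCP Receive","mypc:49212 -> 203.0.113.10:5222","SUCCESS","Length: 800, seqnum: 0, connid: 0"
"2:25:12.5012345 PM","trillian.exe","1844","UDP Send","mypc:49300 -> 203.0.113.11:3478","SUCCESS","Length: 20, seqnum: 0, connid: 0"
'''

LENGTH = re.compile(r"Length:\s*(\d+)")


def _parse_time(s):
    # Procmon prints seven fractional digits; strptime's %f accepts at most six.
    s = re.sub(r"(\.\d{6})\d+", r"\1", s)
    return datetime.strptime(s, "%I:%M:%S.%f %p")


def parse_procmon_csv(text):
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        m = LENGTH.search(row["Detail"])
        events.append({
            "time": _parse_time(row["Time of Day"]),
            "process": row["Process Name"],
            "pid": int(row["PID"]),
            "operation": row["Operation"],
            "path": row["Path"],
            "length": int(m.group(1)) if m else 0,
        })
    return events


def filter_events(events, process=None, operation_prefix="TCP"):
    """The same narrowing as Procmon's filter dialog: Process Name is X
    and Operation begins with Y."""
    return [e for e in events
            if (process is None or e["process"].lower() == process.lower())
            and e["operation"].startswith(operation_prefix)]


def summarize_endpoints(events):
    """Per (operation, remote endpoint): event count and bytes, plus the
    average payload byte rate over the filtered time window."""
    per_endpoint = defaultdict(lambda: {"events": 0, "bytes": 0})
    for e in events:
        remote = e["path"].split("->")[-1].strip()  # Path reads "local -> remote"
        k = (e["operation"], remote)
        per_endpoint[k]["events"] += 1
        per_endpoint[k]["bytes"] += e["length"]
    total = sum(e["length"] for e in events)
    span = 0.0
    if len(events) >= 2:
        times = [e["time"] for e in events]
        span = (max(times) - min(times)).total_seconds()
    rate = total / span if span > 0 else float(total)
    return dict(per_endpoint), rate


if __name__ == "__main__":
    events = filter_events(parse_procmon_csv(PROCMON_CSV), process="trillian.exe")
    summary, rate = summarize_endpoints(events)
    for (op, remote), s in sorted(summary.items()):
        print("%-12s %-22s %3d events %6d bytes" % (op, remote, s["events"], s["bytes"]))
    print("average %.1f bytes/second over the window" % rate)
```

Changing the `operation_prefix` to "UDP" (or to "" for everything) re-runs the second step without recapturing, which is the "filter the data you've collected" option above. The byte rate is only meaningful when the capture window is representative; a few seconds while an IM client is idle will look very different from a few seconds during a file transfer.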

Once again, Process Monitor has shown us a deeper level of activity - specific events and actions - but it still hasn't shown us exactly what data is being transmitted and received.

It's time to get geekier still.

Wireshark

Wireshark is a software network protocol analyzer. What that means in English is that it's a tool that lets you see everything that's being transmitted to and from your machine, in excruciating detail.

Wireshark display window

Wireshark works in many ways like Process Monitor: you run it for a while and it captures all your network traffic for analysis. After the capture, you can use its display and filtering tools to narrow down what's shown to the specific network packets of interest.

Wireshark is not for the faint of heart. It's really going to be most useful for someone who's fairly geeky and has a basic understanding of networking and network protocol concepts.

But it's incredibly powerful.

In Practice

I've never had to resort to Wireshark to diagnose a network problem. Typically, using Process Explorer, or perhaps Process Monitor, to identify which process is actually using the network, and to what degree, is enough to diagnose a "what's going on?" kind of situation without actually needing to sniff the data being sent.

And the bottom line is that even when your machine is "doing nothing", it's very likely - even expected - that there will be some network activity.

Article C4123 - January 15, 2010

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


10 Comments
Andy
January 19, 2010 1:41 PM

I have to say that Firefox does not have the second "f" capitalized.
Good article though.

JOHN FORD
January 19, 2010 2:22 PM

As a newcomer to your site, I'm finding articles helpful, answering my questions before I submit them. Thank you, Leo.

john pennington
January 19, 2010 2:25 PM

Hi Leo, is there a way to lock out incoming online or pinging? My computer is being accessed by an ex-roommate and I would like to stop his access. Thank you for your time and help.
John Pennington

That's what firewalls are for. What's a firewall, and how do I set one up?
Leo
20-Jan-2010

TPBUSA
January 19, 2010 3:16 PM

Great article and thanks for the new tools/toys I now get to play with. lol Also, who gives a crapola if FIREFOX has 2 Fs capitalized or not. It doesn't even have anything to do with your article. Just a FireFOX fanboy, worse than the Apple fanboy/creeps who stalk websites like this.

Robin Clay
January 20, 2010 11:40 AM

The original question was based around:-
"the packets leaving my computer almost equal the packets entering the computer, even though I am not uploading any files" - which you omitted to address!

As I understand it, he's right, and, in simple terms that even I can understand, the conversation goes something like this:-
Server: "Here, Buddy, this is for you - ready?"
PC: "Yup. Send it."
Server: "It went. Did you get it OK?"
PC: "Yup. Send more."
Server: "It went. Did you get it OK?"
PC: "Yup. Send more."......
Server: "It went. Did you get it OK?"
PC: "Nope. Try it again."
Server: "It went. Did you get it OK?"
PC: "Yup. Send more."

i.e., EVERY packet has a reply, though obviously not as big. That is why usually (or it used to be the case) upload speeds are set FAR slower than download speeds.

Tell me if I'm wrong?

Have a good trip!

Richard
January 21, 2010 2:08 AM

I get a similar list directly from the command window:

netstat

Now when I do a Netstat while visiting Ask-Leo.com
I get a pile of these:

a96-17-8-75.deploy.akamaitechnologies.com

what exactly are they trying to deploy onto my machine?
I know that's just part of the "address"
but they didn't choose deploy for no good reason

(The GUI looks like a good idea for enhanced nitpicking through the connections though.)

Michael Horowitz
January 21, 2010 9:58 PM

@robin: You are correct in concept, but not in the details. It's been a long time since I learned about this, but the server sends many packets before the PC responds with an "I got it". More specifically, the PC responds with "the last packet I got was number 12345". It would be far too inefficient for the PC to respond to each packet from the server. There's buffering going on.

Also, this only applies to TCP, not to UDP.

Jim Trammell
January 22, 2010 8:04 PM

Thanks for the article. I played the async/bisync game a few years ago while I managed masses of data for AT&T. It's a field all by itself.
Thank you
Jim

Vaibhav
December 20, 2010 1:57 AM

@Richard - That's nothing but an internal Akamai naming convention. That means you are connected to 96.17.8.75.

8ohmh
June 8, 2012 3:29 PM

Hello,

I currently have a big problem on my desktop: a malware is sending NetBIOS connection requests to several IPs. I detected this only with Wireshark. Neither Process Explorer nor TCPView could detect it (it seems that it is a hidden driver, or the network card driver has been patched). How can I track down those connections from the Wireshark view to a process?
