Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

How can I tell what internet activity is happening on my machine?

How can I tell what internet activity is happening on my machine?

With machines being more or less continuously connected to the
internet these days it’s easy to find that there are things going
across your wire that perhaps you didn’t realize or think about. Add
malicious and semi-malicious code into the mix such as viruses and
spyware, and understanding what’s going on becomes even more
important.

Become a Patron of Ask Leo! and go ad-free!

The good news is that there are tools, both included with
Windows, and available for free on-line, that make monitoring your
network fairly easy.

Most tools that come with Windows are command-line tools so you’ll
need to open up a Command prompt. We’ll start first by determining the IP address of the machine you’re
currently on – that information will help you identify your own machine
in some of the other tools later on. Type “ipconfig” and you
should get output similar to this:

Windows IP Configuration
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.107
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

The IP address here is 192.168.1.107. Note: because I use a
NAT router as my firewall that 192. address is not an actual address
on the internet. That’s part of the security a NET router provides –
using NAT your IP address is specific to your local network – only the
router actually sees your “real” internet address.

Netstat is a simple tool that will show you the currently open
TCP/IP (internet protocol) connections. Type “netstat” and you should
get output something like this:

Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    LEO:1051               205.188.10.56:5190     ESTABLISHED
  TCP    LEO:1059               hal-m021c.blue.aol.com:5190  ESTABLISHED
  TCP    LEO:2387               baym-cs115.msgr.hotmail.com:1863  ESTABLISHED
  TCP    LEO:4357               192.168.1.2:3389       ESTABLISHED

“LEO” is the name of my machine which as we saw above has the IP
address 192.168.1.107 on my local network. The two lower entries here
show connections to aol.com (I’m running AIM, AOL’s Instant Messenger)
and to msgr.hotmail.com (I’m also running MSN Messenger). The other two
connections identified by only an IP address remain a mystery for the
moment.

Now we’ll move on to a freeware tool called
TcpView from the folks as SysInternals.
Download and run it and you’ll get a window that shows you information
very similar to netstat except with much more information
that’s continually updated.

TcpView Screen Shot

Here you can see that the connections are listed along side the
running program that initiated the connection. TcpView also does a
better job of name resolution and we can see that our connection to
AIM actually is using two TCP/IP connections including one of the
mystery connections from above. “msnmsgr.exe” is MSN’s instant
messenger as we saw above. And we now also see that the remaining
connection is generated by an application called MSTSC.EXE which is
the Microsoft Terminal Services Client – also known as the Remote
Desktop Client. I have a remote desktop connection to my laptop in
another room and that’s what this connection is all about.

So far we’ve only seen connections and not traffic. That’s often
enough to expose an application or spyware that’s communicating over
the net when you don’t expect it.

This next tool will tell more about the conversations happening
across those connections though it’ll easily overwhelm you with data.
TDIMon will show you every request being made
across the network. It won’t show you the data with each request but
it will show you the application making it and a few other
characteristics of the request.

When you run TDIMon you’ll find that there’s a lot of network
activity even when you’re doing nothing and even if you’re not
connected to the internet. “explorer.exe” will show up often, for
example. This is because Windows will use the network to communicate
not only across the internet but also with other machines on your
local network and in some cases even with itself.

The best way to use TDIMon is to have it log it’s output to a text
file, an option that’s found on TDIMon’s File menu. Run it for a little
while collecting data and then stop it and examine the log file with a
text viewing utility such as notepad. You can probably ignore all the extra
network protocol specific information unless that’s something that interests
you. Just by looking applications that are making requests and how many
requests are being made can help identify where your network traffic is coming
from and perhaps some specific applications to investigate further.

Subscribe to Confident Computing! Tech problem solving & safety tips with a weekly confidence boost in your inbox every week.

I'll see you there!

10 Reasons Your Computer is Slow

Slow Computer?

Speed up with my FREE special report: 10 Reasons Your Computer is Slow, now updated for Windows 10.

No strings. No email. Here's the direct download. (Just right-click and "Save As...".)

59 comments on “How can I tell what internet activity is happening on my machine?”

  1. Leo love the tip, but was just wondering how I could get the ms-dos window to ‘freeze’ long enough that I can actually see it, it just blinks by real fast. What does one need to add to the ipconfig string entered in Run command to get it to pause?

    Reply
  2. Open a command prompt by either Start->Programs->Accessories->Command Prompt. OR Start->Run and then “cmd”. Now that you have an open command prompt enter the command you want to execute. If the information scrolls off the top of the command prompt, add “| more” to the command – for example “netstat | more”. The “more” program pages the output one screen at a time.

    Leo

    Reply
  3. I keep getting an error message,”The operating system is not presently configured to run this application”. I close the messagebox and the next one keeps pops up. I uninstalled some program from Add/Remove programs.
    What is the fix?

    Reply
  4. Hard to say. Is that *all* the message says? No clue as to the name of what it’s trying to run? At this point the symptoms you describe are general enough that it could be a virus or spyware or something else. I’d certainly scan for viruses and spyware and see if that doesn’t resolve the problem.

    Leo

    Reply
  5. Excellent web site.. I feel I learnt a lot of stuff from you.
    I have a question regarding this one. When I say netstat, I get all the ACTIVE CONNECTIONS.
    They are either in the state of ESTABLISHED/CLOSE_WAIT.
    Is there any way to close some of those connections.
    Thx for your answer in advance

    Reply
  6. Actually tcpview, mentioned in the article, seems to have this ability. Right click on one of the connections is shows, and one of the options it “close”. FWIW, most of the CLOSE_WAIT should close of their own accord over time.

    Enjoy,

    Leo

    Reply
  7. Hi
    I have windows XP Home Edition running on Dell Dimension 4600 at home, i try to connect to Remote Desktop (Dell Optiplex with Windows XP professional) at work using Remote Desktop Connection, I am able to connect to the remote desktop, see the desktop window but the window is in a frozen state. i can’t do anything how can i fix this ? please help me.

    thanks
    frustrated

    Reply
  8. I keep recieving an error on my other IP protocol not recognize i connect to internet and in minute it goes off,please help!

    Reply
  9. Leo, I’ve got explorer opening A LOT of connections to my own machine 0:0:0:0 and many others. Liek on the order of 300 connections.
    I’m sure this is a new virus, but no online checkers are able to snag it, and my own Freedom Virus Scanner hasn’t caught it.
    Any suggestions?
    Thanks Andru

    Reply
  10. Is there any utulity which tells what program is making the connection (I know, TDI does this rudimentarily)? TDI mon has identifed a pgm, but it doesn’t make sence: it’s ZoneAlarm’s own vsmon.exe, whose remote connection attempt is to a known spammer in mexico. I tried everything I can think to clean my system. (re-installing ZA, adaware, AV, blocking ports)(Blocking the IP in HW firewall arrests it, still, it bugs me!) Any tips?

    Reply
  11. Re: above Q
    Fixed! .
    Solution: Unchecked the Connect to PROXY I had been experimenting with in Internet Connection Settings before trying Firefox a few days ago!

    The final straw was when firefox TalkBalk applet used the mystery IP to connect (notified by ZoneAlarm) So I’m my own worst(enemy)hacker!

    Search for rogue IP (as logged by ZA and TDImon) had revealed a known spammer, using that same Proxy! Processes configured to consult Windows Internet Connection Settings were using my self-configured proxy to connect to Internet.

    Doh! THanks for the use of your Forum, though. -m

    Reply
  12. Can you please explain me Uses of IP address and how can i connect a remote computer thru internet

    Please do needfull

    Thanks
    Await u r reply

    Reply
  13. Leo – thanks for you site. very interesting. I have a question for you. From home, I use a VPN to connect to the main network at work. Once I’m connected I have an RDP shortcut on my home desktop to connect to the computer in my office & other networks in the company. Once I get into the computer in my office I have more RDP shortcuts to different networks in the company. Tonight, I logged into my computer at work. Then when I clicked on one of the RDP shortcuts on my work desktop to connect to another network the screen froze (the particular network was down). I can’t get back to my main desktop because the screen is froze. When I try to close the RDP connection that’s froze, it closes the connection to my work desktop. All I’m getting is an hour glass. Right/click doesn’t bring up any options & ctrl/alt/del just closes the whole connection. Any suggestions (short of driving down there & doing ctrl/alt/del? Thanks! Rachel (Washington)

    Reply
  14. Not really. I do something similar, and it’s a pain when the remote computer has crashed or is hung. Fortunately I can call someone to reboot it.

    I’d disconnect (or kill in task manager) the local remote desktop connection, and try to reconnect. I’m guessing that will fail, and you, or someone you trust, will need to examine the remote machine and see why it’s not responding.

    Reply
  15. Thanks Leo. I appreciate it. I couldn’t figure it out from home so I went in early the next day to reboot. Turns out two servers were down. IT worked on it until about 11am. That reminds me… I need to write a “down time procedure” so employees in my department know what to do when our computer system is down. thanks again.

    Reply
  16. A few months ago I tried to certify my installation of Windows XP with Microsoft online. Things went bad. In any event, since that time I have not been able to download Media Center guide information b/c the software tells me an internet connection can’t be established. This also happens with Windows “Automatic Updates”. I connect to the internet via a cable broadband connection. Any idea? Need additional information?

    Reply
  17. hi i am sharan i have one doubt i hope i will get the answer in my office we are using proxy server it acts as a default gateway of internet.i am carrying a laptop along with me i have to connect internet thru remote place how can i connect to my proxy server .

    Reply
  18. Thanks leo ur site really helps to understand what kind of security a person has…thanks for all the good work…hope u continue with all this!

    Reply
  19. how to connect with other system thru internet
    Is it possible to find someone’s internet history (what pages they’ve visited) if you have their IP address?

    when i am chating with my friend in chat room, how would i know which ip he is using

    Reply
  20. Hi, I have recently taken a broadband connection.I have Win 2000 Prof on my machine.I found that the number of packets sent were some 37,000 and teh no. of packets received was some 900.Whereas both the numbers should be almost the same.Can you please tell me why is it and how could I overcome this?

    Reply
  21. aweber.com is the email provider I use to send my newsletter. If you’re subscribed, then it’s likely that a connection was made to aweber – they do that to track how many people actually open the newsletter email. “CLOSE_WAIT” simply means that the connection, which is breif to begin with, is in the process of being closed.

    Reply
  22. Hello! have a nice day… If I got the IP address of the workstation of a computer, how can I disconnect it so that the next user can not of my computer forsearching to the Internet. Can you gave me a simple codes in using Visual Basic 6.0.

    Reply
  23. my ex has got my ip address, what can he do with this information. he has got into all of my yahoo accounts and myspace and changed my personal information. someone told me that he can see everything i do on my pc, is that true and how do i stop him? thanks tl

    Reply
  24. When I use the netstat at the command prompt, I get several responses that say in the foreign host column, “localhost:4568” (the numbers are always different). What is this?? I know what the other things that are running are, but not these, and it’s making me nervous. Any help would be great.

    Reply
  25. Using “ipconfig” typed in Run, I get a screen that flashes for a second or so and then disappears. What’s going on with my machine?

    Reply
  26. When you type netstat you will see all connections, including those to instant message programs, windows update, etc, but if you see the ip, you can use http://www.ipgp.net to know if it is known or something wrong happens on your computer.

    Reply
  27. I know my IP Address, but how can i figure it out without checking on the net, wanna figure it out myself? More then that when i type into cmd window ipconfig it shows my ip address but thats not the address i get from the internet can someone explain please?

    Reply
  28. —–BEGIN PGP SIGNED MESSAGE—–
    Hash: SHA1

    You’re probably behind a router. Routers assign you a local
    IP address, and then translate between that and your IP address
    on the internet.

    Leo
    —–BEGIN PGP SIGNATURE—–
    Version: GnuPG v1.4.6 (MingW32)

    iD8DBQFGDHJlCMEe9B/8oqERAuwrAJ9APbtvawrx/a6swQXlkNBNGTTMgQCeIJRy
    8446u89v6qtVIk+/LZeRNT0=
    =3dzP
    —–END PGP SIGNATURE—–

    Reply
  29. This is a very useful article but I was stopped at the point where I need to download TDIMon. This utility is no longer available on Microsoft’s site and is not included in the Sysinternals Suite. Is there an alternate download available please?

    Reply
  30. —–BEGIN PGP SIGNED MESSAGE—–
    Hash: SHA1

    Unfortunately I was unable to find an official location for
    it – it seems to have disappeared without a trace.

    I changed the link to do a google search for it, and that’s
    showing several mirrors. As always, becareful where you
    download from, scan for viruses, etc.

    Leo

    —–BEGIN PGP SIGNATURE—–
    Version: GnuPG v1.4.7 (MingW32)

    iD8DBQFHlp1+CMEe9B/8oqERAlbvAJ9mNyvZrTxb3y1NQ6Fy/CYanqOdKgCeNjd3
    VkEhm/QkYzPbfg0Ytnu5bNY=
    =EkTh
    —–END PGP SIGNATURE—–

    Reply
  31. LEO, may I suggest you update your great article with TDIScope as a replacement to TDIMon. I’ve been using it for a while and it works well. Google it for more info and download site.

    Reply
  32. Do some programs ‘mask’ their presence from your network activity?
    I remember when I was back on dial-up, my connection kept switching off due to being “idle” for X mins, despite my instant messaging conversations throughout that period.

    Reply
  33. waste,

    no info abt how to find “why number of bytes transfer is high and
    no info abt how much bytes from each connection ,

    Reply
  34. Sometimes you get a virus or spyware loaded into your computer without knowing it and it’s really hard to find. The programs you mention in your article help see what is going on in real time, but some folks may have already gotten some malware and are faced with that problem already. I had found a free program called SuperAntiSpyware and took a chance and tried it.
    It really “did” work wonderful and corrected my problem that I already had with malware. Now, thanks to your information, I am able to watch for things like that in real time before things may get to that situation once again.

    Reply
  35. How can i tell what files are being uploaded or downloaded by particular application, onto the system from internet?

    A fairly geeky tool called Process Monitor can do that. Doing so can be complex, though.

    Leo
    15-Jan-2012
    Reply
  36. Hello There,

    I’m using the same i.e. sysinternals PROCMON.EXE, but came to the following points-
    i) A running process can write to file while its installation
    ii) A running process can download packet and write the data of packet to a file.
    So exactly how do I predict whether it is downloading file or copying/writing contents of other file to target file?

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.