How can I tell what internet activity is happening on my machine?
With machines being more or less continuously connected to the
internet these days it’s easy to find that there are things going
across your wire that perhaps you didn’t realize or think about. Add
malicious and semi-malicious code into the mix such as viruses and
spyware, and understanding what’s going on becomes even more
Become a Patron of Ask Leo! and go ad-free!
The good news is that there are tools, both included with
Windows, and available for free on-line, that make monitoring your
network fairly easy.
Most tools that come with Windows are command-line tools so you’ll
need to open up a Command prompt. We’ll start first by determining the IP address of the machine you’re
currently on – that information will help you identify your own machine
in some of the other tools later on. Type “ipconfig” and you
should get output similar to this:
Windows IP Configuration Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : IP Address. . . . . . . . . . . . : 192.168.1.107 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.1.1
The IP address here is 192.168.1.107. Note: because I use a
NAT router as my firewall that 192. address is not an actual address
on the internet. That’s part of the security a NET router provides –
using NAT your IP address is specific to your local network – only the
router actually sees your “real” internet address.
Netstat is a simple tool that will show you the currently open
TCP/IP (internet protocol) connections. Type “netstat” and you should
get output something like this:
Active Connections Proto Local Address Foreign Address State TCP LEO:1051 22.214.171.124:5190 ESTABLISHED TCP LEO:1059 hal-m021c.blue.aol.com:5190 ESTABLISHED TCP LEO:2387 baym-cs115.msgr.hotmail.com:1863 ESTABLISHED TCP LEO:4357 192.168.1.2:3389 ESTABLISHED
“LEO” is the name of my machine which as we saw above has the IP
address 192.168.1.107 on my local network. The two lower entries here
show connections to aol.com (I’m running AIM, AOL’s Instant Messenger)
and to msgr.hotmail.com (I’m also running MSN Messenger). The other two
connections identified by only an IP address remain a mystery for the
Now we’ll move on to a freeware tool called
TcpView from the folks as SysInternals.
Download and run it and you’ll get a window that shows you information
very similar to netstat except with much more information
that’s continually updated.
Here you can see that the connections are listed along side the
running program that initiated the connection. TcpView also does a
better job of name resolution and we can see that our connection to
AIM actually is using two TCP/IP connections including one of the
mystery connections from above. “msnmsgr.exe” is MSN’s instant
messenger as we saw above. And we now also see that the remaining
connection is generated by an application called MSTSC.EXE which is
the Microsoft Terminal Services Client – also known as the Remote
Desktop Client. I have a remote desktop connection to my laptop in
another room and that’s what this connection is all about.
So far we’ve only seen connections and not traffic. That’s often
enough to expose an application or spyware that’s communicating over
the net when you don’t expect it.
This next tool will tell more about the conversations happening
across those connections though it’ll easily overwhelm you with data.
TDIMon will show you every request being made
across the network. It won’t show you the data with each request but
it will show you the application making it and a few other
characteristics of the request.
When you run TDIMon you’ll find that there’s a lot of network
activity even when you’re doing nothing and even if you’re not
connected to the internet. “explorer.exe” will show up often, for
example. This is because Windows will use the network to communicate
not only across the internet but also with other machines on your
local network and in some cases even with itself.
The best way to use TDIMon is to have it log it’s output to a text
file, an option that’s found on TDIMon’s File menu. Run it for a little
while collecting data and then stop it and examine the log file with a
text viewing utility such as notepad. You can probably ignore all the extra
network protocol specific information unless that’s something that interests
you. Just by looking applications that are making requests and how many
requests are being made can help identify where your network traffic is coming
from and perhaps some specific applications to investigate further.