I have noticed that when I log on the Wireless Network Connection Status
Window shows that the packets leaving my computer almost equal the packets
entering the computer, even though I am not uploading any files. Is this an
indication that a keystroke logger or similar malware is exporting files from
my computer, also is there any way that I can monitor the actual data content
that is leaving my machine?
The network is a busy place, even when you’re doing nothing at all. It’s not
necessarily the sign of something bad, and not something most people even
notice.
Depending on just how detailed – and geeky – you want to get, there are
tools that will let you monitor what’s happening to varying degrees – all free.
]]>
<
TCPView will allow you to see what TCP/IP connections your machine has. For example, if you have Windows Live Messenger open, you’ll likely see a connection from your machine to an IP address that belongs to Microsoft’s Windows Live Messenger Service. Periodically, Messenger communicates with the service as messages are sent or received, but the connection remains “open”, and thus connected, whether you’re actively IMing or not.
TCPView won’t tell you what’s happening, it’ll just tell you which program on your machine is talking to what server out on the internet (or perhaps, what other machine on your local area network).
Process Explorer
Process Explorer will do many, many things, and there are two things of interest relating to network connections.
With Process Explorer open, right click on a process that you know has internet connections, and click on Properties, and then click on the TCP/IP tab.
Much like TCPView, but at the process level.
Also at the process level, click on the Performance Graph tab:
In addition to the CPU Usage for this process, and the “Private Bytes” or memory usage, you’ll see a graph for I/O (for Input/Output) Bytes History. Many, if not most applications that connect to the internet do so in a way that causes their traffic to be classified as I/O. Now, both disk and network traffic are represented here combined, but this can be a quick way to see if a specific application is potentially communicating more than you might expect it to.
Now things get a tad geekier.
Process Monitor
So far the tools we’ve been using typically show only the current state of your machine – what your processes are connected to. At best, we’ve seen only a graph of combined traffic. While that’s interesting (and simple) it’s not really telling us exactly what’s happening to any detail.
Process Monitor works a little differently. Essentially you turn it loose to record data for a while, and then using various filters and other techniques you can scan that data for the pieces of interest.
In the above example I had Process Monitor filter showing only events from the “trillian.exe” process, and only those events that related to “TCP”. As you can see, it’s a fairly detailed listing of a lot of activity, over just a few seconds time. In fact, Process Monitor can generate an overwhelming amount of data. Unfortunately, using it effectively is beyond the scope of this article. If you want to give Process Monitor a try, I recommend a two step approach:
-
Run it once with its default filters, for just a few seconds. Perhaps do something that you know will generate some internet traffic while it’s running. Spend some time reviewing the massive amount of data collected.
-
Now, spend a few minutes investigating the filtering options, and either re-run Process Monitor, or filter the data you’ve collected, as I have, to narrow the focus to the actual data you’re interested in.
Once again, Process Monitor has shown us a deeper level of activity – specific events and actions – but it still hasn’t shown us exactly what data is being transmitted and received.
It’s time to get geekier still.
WireShark
WireShark is a software network protocol analyzer. What that means in English is that it’s a tool that lets you see everything that’s being transmitted to and from your machine in excruciating detail.
WireShark works in many ways like Process Monitor: you run it for a while and it captures all your network traffic for analysis. After the capture, you can use its display and filtering tools to narrow down what’s shown to the specific network data packets of interest.
WireShark is not for the faint of heart. It’s really something that’s going to be most useful for someone who’s fairly geeky and has a basic understanding of some networking and network protocol concepts.
But it’s incredibly powerful.
In Practice
I’ve never had to resort to WireShark to diagnose a network problem. Typically using process explorer, or perhaps process monitor to identify which process is actually using the network, and to what degree is enough to diagnose a “what’s going on?” kind of situation without actually needing to sniff the data being sent.
And the bottom line is that even when your machine is “doing nothing”, it’s very likely – even expected – that there will be some network activity.
I have to say that Firefox does not have the second “f” capitalized.
Good article though.
as a new comer to your site,i’m finding articals helpful,answering my questions before i submit them,thank you Leo
Hi Leo, Is there a way to lock out incoming online or pinging. My computer is being accesses by a x roommate and I would like to stop his access. Thank you for your time and help
John Pennington
20-Jan-2010
Great article an thanks for the new tools/toys I now get to play with. lol Also, who gives a crapola if FIREFOX has 2 Fs capitalized or not. It doesnt even have anything to do with your article. Just a FireFOX fanboy, worse than the Apple fanboy/creeps who stalk websites like this.
The original question was based around:-
“the packets leaving my computer almost equal the packets entering the computer, even though I am not uploading any files” – which you omitted to address !
As I understand it, he’s right, and, in simple terms that even I can understand, the conversation goes something like this:-
Server: “Here, Buddy, this is for you – ready?”
PC: “Yup. Send it.”
Server: “It went. Did you get it OK ?”
PC: “Yup. Send more.”
Server: “It went. Did you get it OK ?”
PC: “Yup. Send more.”……
Server: “It went. Did you get it OK ?”
PC: “Nope. Try it agian.”
Server: “It went. Did you get it OK ?”
PC: “Yup. Send more.”
i.e., EVERY packet has a reply, though obviously not as big. That is why usually (or it used to be the case) upload speeds are set FAR slower than download speeds.
Tell me if I’m wrong ?
Have a good trip !
I get a similar list directly from the command window:
netstat
Now when I do a Netstat while visiting Ask-Leo.com
I get a pile of these:
a96-17-8-75.deploy.akamaitechnologies.com
what exactly are they trying to deploy onto my machine?
I know that’s just part of the “address”
but they didn’t choose deploy for no good reason
(The GUI looks like a good Idea for enhanced nitpicking through the connections though)
@robin: You are correct in concept, but not in the details. It’s been a long time since I learned about this, but the server sends many packets before the PC responds with an “I got it”. More specifically, the PC responds with “the last packet I got was number 12345”. It would be far too inefficient for the PC to respond to each packet from the server. There’s buffering going on.
Also, this only applies to TCP, not to UDP.
Thanks for the artcle. I played the asnyc/bysinc
game a few years ago while I managed masses of data for AT&T. It’s a field all by itself.
Thank you
Jim
@Richard – That’s nothing but an internal Akamai naming convention. That means you are connected to 96.17.8.75.
Hello,
I have currently a big problem on my desktop: A malware is sending netios connection requests to several IPs. I detected this only by Wireshark. Neither ProcessExp nor TCPView couldn’t detect it – (Seems that it is a hidden driver or the netcard driver has been patched ) How can I track down those connections from wireshark view to a process?