
How do I see what's happening on my machine's network connection?

Question:

I have noticed that when I log on, the Wireless Network Connection Status
window shows that the packets leaving my computer almost equal the packets
entering the computer, even though I am not uploading any files. Is this an
indication that a keystroke logger or similar malware is exporting files from
my computer? Also, is there any way that I can monitor the actual data content
that is leaving my machine?

The network is a busy place, even when you’re doing nothing at all. It’s not
necessarily the sign of something bad, and not something most people even
notice.

Depending on just how detailed – and geeky – you want to get, there are
tools that will let you monitor what’s happening to varying degrees – all free.


Aside from the programs that you already know actually use the network to do whatever it is they do, there are two common reasons you may see activity on your local network.

There are network services and protocols that just occur. Part of the service that they’re providing might involve periodically polling the network for machines or other resources, or perhaps broadcasting information to other machines on the net. It just happens.

And then it seems like every program you run, and even a few you didn’t run but are still running anyway, wants to connect to the net to check for updates. The obvious cases are programs that check for updates when you start them, like perhaps FireFox. But other programs – and services – not only periodically check in the background for updates, but will often actually download those updates without any visual indication until those updates are ready to install. The most obvious clue that they’re downloading at all might be a slight decrease in network performance.


If you’re connected to the internet directly, things get a little more sinister. The term “internet background noise” has been coined to refer to the fairly constant stream of random attempts at communication – and yes, hacking – that are fairly consistent on any internet connection. There are machines that, for example, are infected with viruses and are simply out trying every internet IP address they can find to propagate their malware. That’s one of the reasons that firewalls are so important.

So, how do you find out what’s up on your machine and whether or not you should be concerned?

There are four tools I’m going to tell you about, starting with the simplest and working up to the geekiest – and of course the amount of information available to you will increase at each step of the way.

TCPView


TCPView will allow you to see what TCP/IP connections your machine has. For example, if you have Windows Live Messenger open, you’ll likely see a connection from your machine to an IP address that belongs to Microsoft’s Windows Live Messenger Service. Periodically, Messenger communicates with the service as messages are sent or received, but the connection remains “open”, and thus connected, whether you’re actively IMing or not.

TCPView won’t tell you what’s happening, it’ll just tell you which program on your machine is talking to what server out on the internet (or perhaps, what other machine on your local area network).
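A command-line way to get the same process-to-endpoint view TCPView gives, as an added example that is not from the article: the script parses the output of `netstat -ano` on Windows (a constructed sample is embedded, and the PID-to-program table is made up; on a real machine `tasklist` supplies it) and lists, per process, the remote endpoints it is actually connected to.

```python
# Added example: a command-line counterpart to TCPView's view of which
# process talks to which remote endpoint. It parses "netstat -ano" output
# from Windows; the sample below and the PID-to-program table are constructed.
import re
from collections import defaultdict

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.5:49152      192.0.2.10:1863        ESTABLISHED     1234
  TCP    192.168.1.5:49160      203.0.113.7:443        ESTABLISHED     2048
  TCP    192.168.1.5:49161      203.0.113.7:443        TIME_WAIT       0
  UDP    0.0.0.0:5355           *:*                                    1100
"""

# Constructed PID -> image name table; on a real machine "tasklist" gives it.
PROCESS_NAMES = {880: "svchost.exe", 1234: "messenger.exe",
                 2048: "firefox.exe", 1100: "svchost.exe"}

LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$")

def parse_netstat(text):
    """Return one dict per connection line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()           # UDP rows have state None
            row["pid"] = int(row["pid"])
            rows.append(row)
    return rows

def connections_by_process(rows, names):
    """Group live remote endpoints under the owning process, TCPView-style."""
    by_proc = defaultdict(set)
    for r in rows:
        if r["proto"] == "TCP" and r["state"] != "ESTABLISHED":
            continue      # LISTENING / TIME_WAIT rows are not live conversations
        if r["remote"] == "*:*":
            continue      # UDP socket bound but not talking to anyone
        label = f"{names.get(r['pid'], 'unknown')} (PID {r['pid']})"
        by_proc[label].add(f"{r['proto']} {r['remote']}")
    return {proc: sorted(remotes) for proc, remotes in by_proc.items()}

if __name__ == "__main__":
    for proc, remotes in connections_by_process(
            parse_netstat(SAMPLE_NETSTAT), PROCESS_NAMES).items():
        print(proc, "->", ", ".join(remotes))
```

A process whose name you don't recognise, or a familiar one talking to an endpoint you can't account for, is the thing to look into next with Process Explorer.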

Process Explorer

Process Explorer will do many, many things, and there are two things of interest relating to network connections.

With Process Explorer open, right click on a process that you know has internet connections, and click on Properties, and then click on the TCP/IP tab.

Process Explorer examining the TCP/IP connections of a process

Much like TCPView, but at the process level.

Also at the process level, click on the Performance Graph tab:

Process Explorer examining the Performance Graph of a process

In addition to the CPU usage for this process and the “Private Bytes” (memory usage), you’ll see a graph for I/O (Input/Output) Bytes History. Many, if not most, applications that connect to the internet do so in a way that causes their traffic to be classified as I/O. Disk and network traffic are combined in this graph, but it can still be a quick way to see whether a specific application is potentially communicating more than you’d expect it to.

Now things get a tad geekier.

Process Monitor

So far the tools we’ve been using typically show only the current state of your machine – what your processes are connected to. At best, we’ve seen only a graph of combined traffic. While that’s interesting (and simple) it’s not really telling us exactly what’s happening to any detail.

Process Monitor works a little differently. Essentially you turn it loose to record data for a while, and then using various filters and other techniques you can scan that data for the pieces of interest.

Example of Process Monitor

In the above example I had Process Monitor’s filter showing only events from the “trillian.exe” process, and only those events that related to “TCP”. As you can see, it’s a fairly detailed listing of a lot of activity over just a few seconds’ time. In fact, Process Monitor can generate an overwhelming amount of data. Unfortunately, using it effectively is beyond the scope of this article. If you want to give Process Monitor a try, I recommend a two-step approach:

  • Run it once with its default filters, for just a few seconds. Perhaps do something that you know will generate some internet traffic while it’s running. Spend some time reviewing the massive amount of data collected.

  • Now, spend a few minutes investigating the filtering options, and either re-run Process Monitor, or filter the data you’ve collected, as I have, to narrow the focus to the actual data you’re interested in.

Once again, Process Monitor has shown us a deeper level of activity – specific events and actions – but it still hasn’t shown us exactly what data is being transmitted and received.

It’s time to get geekier still.

Wireshark

Wireshark is a software network protocol analyzer. What that means in English is that it’s a tool that lets you see everything that’s being transmitted to and from your machine in excruciating detail.

Wireshark display window

Wireshark works in many ways like Process Monitor: you run it for a while and it captures all your network traffic for analysis. After the capture, you can use its display and filtering tools to narrow down what’s shown to the specific network data packets of interest.

Wireshark is not for the faint of heart. It’s really something that’s going to be most useful for someone who’s fairly geeky and has a basic understanding of some networking and network protocol concepts.

But it’s incredibly powerful.

In Practice

I’ve never had to resort to Wireshark to diagnose a network problem. Typically, using Process Explorer, or perhaps Process Monitor, to identify which process is actually using the network, and to what degree, is enough to diagnose a “what’s going on?” kind of situation without actually needing to sniff the data being sent.

And the bottom line is that even when your machine is “doing nothing”, it’s very likely – even expected – that there will be some network activity.


10 comments on “How do I see what's happening on my machine's network connection?”

  1. Great article and thanks for the new tools/toys I now get to play with. lol Also, who gives a crapola if FIREFOX has 2 Fs capitalized or not. It doesn't even have anything to do with your article. Just a FireFOX fanboy, worse than the Apple fanboy/creeps who stalk websites like this.

    Reply
  2. The original question was based around:-
    “the packets leaving my computer almost equal the packets entering the computer, even though I am not uploading any files” – which you omitted to address !

    As I understand it, he’s right, and, in simple terms that even I can understand, the conversation goes something like this:-
    Server: “Here, Buddy, this is for you – ready?”
    PC: “Yup. Send it.”
    Server: “It went. Did you get it OK ?”
    PC: “Yup. Send more.”
    Server: “It went. Did you get it OK ?”
    PC: “Yup. Send more.”……
    Server: “It went. Did you get it OK ?”
    PC: “Nope. Try it again.”
    Server: “It went. Did you get it OK ?”
    PC: “Yup. Send more.”

    i.e., EVERY packet has a reply, though obviously not as big. That is why usually (or it used to be the case) upload speeds are set FAR slower than download speeds.

    Tell me if I’m wrong ?

    Have a good trip !

    Reply
  3. I get a similar list directly from the command window:

    netstat

    Now when I do a Netstat while visiting Ask-Leo.com
    I get a pile of these:

    a96-17-8-75.deploy.akamaitechnologies.com

    what exactly are they trying to deploy onto my machine?
    I know that’s just part of the “address”
    but they didn’t choose deploy for no good reason

    (The GUI looks like a good Idea for enhanced nitpicking through the connections though)

    Reply
  4. @robin: You are correct in concept, but not in the details. It’s been a long time since I learned about this, but the server sends many packets before the PC responds with an “I got it”. More specifically, the PC responds with “the last packet I got was number 12345”. It would be far too inefficient for the PC to respond to each packet from the server. There’s buffering going on.

    Also, this only applies to TCP, not to UDP.

    Reply
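To put numbers on the exchange robin and the reply above describe, here is an added toy model (not from the article or the commenters) of a one-way download with cumulative acknowledgements; the MSS and header sizes are assumed typical values, and the loss handling is a simplification of real TCP.

```python
# Added example: a toy model of a download with cumulative ACKs, showing why
# packet counts in each direction can look balanced while nearly all of the
# bytes flow one way. Constants are assumptions; this is not real TCP.
MSS = 1460       # payload bytes in one full-size TCP segment (assumed)
HEADERS = 40     # IPv4 header (20) + TCP header (20), no options (assumed)

def simulate_download(total_bytes, ack_every=2, loss_at=None):
    """Model a one-way TCP download with cumulative ACKs.

    ack_every: the receiver acknowledges every N-th in-order segment
               (N=2 mimics delayed ACK; N=1 is one ACK per segment).
    loss_at:   index of one data segment that is dropped once and resent.
    Returns packet and byte counts for each direction.
    """
    segments = -(-total_bytes // MSS)       # ceiling division
    counts = {"down_pkts": 0, "up_pkts": 0, "down_bytes": 0, "up_bytes": 0}
    received = 0        # in-order segments the receiver holds so far
    unacked = 0         # received segments not yet acknowledged
    dropped_once = False
    while received < segments:
        payload = min(MSS, total_bytes - received * MSS)   # last one may be short
        counts["down_pkts"] += 1
        counts["down_bytes"] += HEADERS + payload
        if received == loss_at and not dropped_once:
            dropped_once = True
            # Simplification: the gap is noticed and answered with one extra
            # (duplicate) ACK, after which the sender resends the segment.
            counts["up_pkts"] += 1
            counts["up_bytes"] += HEADERS
            continue
        received += 1
        unacked += 1
        if unacked == ack_every or received == segments:
            counts["up_pkts"] += 1          # a bare ACK carries headers only
            counts["up_bytes"] += HEADERS
            unacked = 0
    return counts

if __name__ == "__main__":
    for n in (1, 2):
        c = simulate_download(1_000_000, ack_every=n)
        print(f"ack every {n}: {c['down_pkts']} down / {c['up_pkts']} up packets, "
              f"{c['down_bytes']} / {c['up_bytes']} bytes")
```

For a 1 MB download it reports roughly two data packets per ACK (or one per ACK without delayed ACK) but about 75 times as many bytes downstream, which is why a packet counter can look balanced while almost nothing is being uploaded.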
  5. Thanks for the article. I played the async/bisync
    game a few years ago while I managed masses of data for AT&T. It’s a field all by itself.
    Thank you
    Jim

    Reply
  6. Hello,

    I currently have a big problem on my desktop: malware is sending NetBIOS connection requests to several IPs. I detected this only by Wireshark. Neither ProcessExp nor TCPView could detect it (seems that it is a hidden driver or the netcard driver has been patched). How can I track down those connections from the Wireshark view to a process?

    Reply
