I have noticed that when I log on, the Wireless Network Connection Status
window shows that the packets leaving my computer almost equal the packets
entering the computer, even though I am not uploading any files. Is this an
indication that a keystroke logger or similar malware is exporting files from
my computer? Also, is there any way that I can monitor the actual data content
that is leaving my machine?
The network is a busy place, even when you’re doing nothing at all. It’s not
necessarily the sign of something bad, and not something most people even
Depending on just how detailed – and geeky – you want to get, there are
tools that will let you monitor what’s happening to varying degrees – all free.
Aside from the programs that you already know actually use the network to do whatever it is they do, there are two common reasons you may see activity on your local network.
There are network services and protocols that generate traffic on their own. Part of the service they provide involves periodically polling the network for other machines or resources (name resolution and device discovery, for example), or broadcasting information about your machine to the rest of the local network. It just happens.
And then it seems like every program you run, and even a few you didn't run but are still running anyway, wants to connect to the net to check for updates. The obvious cases are programs that check for updates when you start them, like Firefox. But other programs, and background services, not only periodically check for updates, but will often download those updates with no visible indication until they are ready to install. The only clue that they're downloading at all might be a slight drop in network performance.
If you're connected to the internet directly, with no router or firewall between your machine and your ISP, things get a little more sinister. The term "internet background noise" refers to the constant stream of unsolicited connection attempts (scans, probes and outright attack traffic) that arrives at any internet-facing address. Worm-infected machines, for example, scan whole ranges of IP addresses looking for other machines to infect, so some of that traffic will reach you no matter what you're doing. That's one of the reasons firewalls are so important.
So, how do you find out what’s up on your machine and whether or not you should be concerned?
There are four tools I’m going to tell you about, starting with the simplest and working up to the geekiest – and of course the amount of information available to you will increase at each step of the way.
TCPView will allow you to see what TCP/IP connections your machine has. For example, if you have Windows Live Messenger open, you’ll likely see a connection from your machine to an IP address that belongs to Microsoft’s Windows Live Messenger Service. Periodically, Messenger communicates with the service as messages are sent or received, but the connection remains “open”, and thus connected, whether you’re actively IMing or not.
TCPView won’t tell you what’s happening, it’ll just tell you which program on your machine is talking to what server out on the internet (or perhaps, what other machine on your local area network).
Process Explorer will do many, many things, and there are two things of interest relating to network connections.
With Process Explorer open, right-click a process that you know has internet connections, click Properties, and then click the TCP/IP tab.
It's much like TCPView, but limited to that one process.
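TCPView and Process Explorer's TCP/IP tab both do one thing: join the operating system's connection table (which TCP and UDP endpoints exist, and which process ID owns each) to the process list, so you can put a program name next to a remote address. The same join can be done by hand from the output of two built-in Windows commands, `netstat -ano` and `tasklist /fo csv`. The Python below is an added example, not code from the original page or from Sysinternals; the command output it parses is constructed to look like those commands' real output, and the process names, PIDs and addresses in it are invented.

```python
"""Correlate a `netstat -ano` connection table with a `tasklist /fo csv`
process list, which is essentially what TCPView displays.

Added example, not from the original page. The two command outputs below
are constructed samples in the real commands' layout; PIDs, names and
addresses are invented.
"""
import csv
import io
import ipaddress
import re

# Constructed sample of `netstat -ano` output (not a real capture).
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    127.0.0.1:49155        127.0.0.1:49156        ESTABLISHED     2048
  TCP    192.168.1.10:49712     65.55.37.104:1863      ESTABLISHED     3012
  TCP    192.168.1.10:49720     10.0.0.5:445           ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       892
  UDP    0.0.0.0:5355           *:*                                    1120
"""

# Constructed sample of `tasklist /fo csv` output.
TASKLIST_OUTPUT = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"svchost.exe","892","Services","0","5,512 K"
"svchost.exe","1120","Services","0","9,800 K"
"msnmsgr.exe","3012","Console","1","45,212 K"
"""

# Proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """'192.168.1.10:49712' -> ('192.168.1.10', '49712'); handles '[::]:135' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def classify(host):
    """Rough 'where does this go' label for a remote address."""
    if host in ("*", ""):
        return "any"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    if ip.is_unspecified:          # 0.0.0.0 / :: on a listening socket
        return "none"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "lan"
    return "internet"


def process_names(tasklist_text):
    """Map PID -> image name from tasklist's CSV output."""
    reader = csv.DictReader(io.StringIO(tasklist_text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def connections(netstat_text, tasklist_text):
    """One dict per netstat row, with the owning process name filled in."""
    names = process_names(tasklist_text)
    rows = []
    for line in netstat_text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue                # header lines and blanks
        proto, local, remote, state, pid = m.groups()
        rhost, _ = split_endpoint(remote)
        rows.append({
            "proto": proto,
            "local": local,
            "remote": remote,
            "state": state or "",
            "pid": int(pid),
            "process": names.get(int(pid), "<unknown>"),
            "scope": classify(rhost),
        })
    return rows


def internet_talkers(netstat_text, tasklist_text):
    """Names of processes with an established connection to a public address."""
    return sorted({c["process"] for c in connections(netstat_text, tasklist_text)
                   if c["scope"] == "internet" and c["state"] == "ESTABLISHED"})


if __name__ == "__main__":
    for c in connections(NETSTAT_OUTPUT, TASKLIST_OUTPUT):
        print(f"{c['proto']:4} {c['process']:14} {c['local']:22} -> {c['remote']:22} {c['scope']}")
    print("talking to the internet:", internet_talkers(NETSTAT_OUTPUT, TASKLIST_OUTPUT))
```

Two practical notes. `netstat -b` prints the image name itself, but needs an elevated prompt, and on Windows 8 and later `Get-NetTCPConnection` in PowerShell returns the owning process ID directly; the join above is what either of those is doing for you. The "scope" column is the part worth looking at first: listening sockets and loopback connections are normal background, and the only rows that can carry your data off the machine are the ones to addresses outside your LAN.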
Also at the process level, click on the Performance Graph tab:
In addition to the CPU Usage for this process, and the “Private Bytes” or memory usage, you’ll see a graph for I/O (for Input/Output) Bytes History. Many, if not most applications that connect to the internet do so in a way that causes their traffic to be classified as I/O. Now, both disk and network traffic are represented here combined, but this can be a quick way to see if a specific application is potentially communicating more than you might expect it to.
Now things get a tad geekier.
So far the tools we’ve been using typically show only the current state of your machine – what your processes are connected to. At best, we’ve seen only a graph of combined traffic. While that’s interesting (and simple) it’s not really telling us exactly what’s happening to any detail.
Process Monitor works a little differently. Essentially you turn it loose to record data for a while, and then using various filters and other techniques you can scan that data for the pieces of interest.
In the above example I had Process Monitor's filter set to show only events from the "trillian.exe" process, and only those events that related to "TCP". As you can see, it's a fairly detailed listing of a lot of activity over just a few seconds' time. In fact, Process Monitor can generate an overwhelming amount of data. Unfortunately, using it effectively is beyond the scope of this article. If you want to give Process Monitor a try, I recommend a two-step approach:
Run it once with its default filters, for just a few seconds. Perhaps do something that you know will generate some internet traffic while it’s running. Spend some time reviewing the massive amount of data collected.
Now, spend a few minutes investigating the filtering options, and either re-run Process Monitor, or filter the data you’ve collected, as I have, to narrow the focus to the actual data you’re interested in.
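The filtering step above can also be done outside the Process Monitor window: File, Save exports the captured events as CSV, and the same two conditions (process name, and operations starting with "TCP") can be applied to that file, with the added benefit that you can total the `Length:` values Process Monitor records for each send and receive. The Python below is an added example, not code from the original page or from Sysinternals. The CSV rows are constructed in the column layout Process Monitor uses for its CSV export; the hosts (documentation-range addresses), ports, PIDs and byte counts are invented.

```python
"""Narrow a Process Monitor CSV export to one process's network events and
total the bytes it sent to each remote endpoint.

Added example, not from the original page. The rows below are constructed in
Process Monitor's CSV export layout; endpoints and lengths are invented.
"""
import csv
import io
import re
from collections import defaultdict

PROCMON_CSV = '''\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0012345 AM","trillian.exe","2816","TCP Connect","pc.local:49812 -> 203.0.113.10:443","SUCCESS","Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 65700, rcvwinscale: 8, sndwinscale: 7, seqnum: 0, connid: 0"
"10:02:11.0031234 AM","trillian.exe","2816","TCP Send","pc.local:49812 -> 203.0.113.10:443","SUCCESS","Length: 517, startime: 18231, endtime: 18231, seqnum: 0, connid: 0"
"10:02:11.0041234 AM","trillian.exe","2816","RegQueryValue","HKCU\\Software\\Trillian\\Prefs","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:02:11.0212345 AM","trillian.exe","2816","TCP Receive","pc.local:49812 -> 203.0.113.10:443","SUCCESS","Length: 3120, seqnum: 0, connid: 0"
"10:02:11.0312345 AM","firefox.exe","1904","TCP Send","pc.local:49790 -> 198.51.100.25:443","SUCCESS","Length: 205, startime: 18232, endtime: 18232, seqnum: 0, connid: 0"
"10:02:12.1012345 AM","trillian.exe","2816","UDP Send","pc.local:53412 -> 192.168.1.1:53","SUCCESS","Length: 41, seqnum: 0, connid: 0"
"10:02:12.5012345 AM","trillian.exe","2816","TCP Send","pc.local:49812 -> 203.0.113.10:443","SUCCESS","Length: 88, startime: 18240, endtime: 18240, seqnum: 0, connid: 0"
'''

LENGTH = re.compile(r"Length:\s*(\d+)")


def network_events(csv_text, process_name, proto="TCP"):
    """Rows for one process whose Operation starts with the protocol name.

    This is the same pair of conditions as a Process Monitor filter of
    'Process Name is <name>' plus 'Operation begins with TCP'.
    """
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows
            if r["Process Name"].lower() == process_name.lower()
            and r["Operation"].startswith(proto)]


def bytes_by_remote(events, direction="Send"):
    """Sum the Length: field per remote endpoint for Send (or Receive) events.

    The Path column is 'local -> remote'; the remote side is what we care about.
    """
    totals = defaultdict(int)
    for ev in events:
        if not ev["Operation"].endswith(direction):
            continue
        remote = ev["Path"].split("->")[-1].strip()
        m = LENGTH.search(ev["Detail"])
        totals[remote] += int(m.group(1)) if m else 0
    return dict(totals)


if __name__ == "__main__":
    tcp = network_events(PROCMON_CSV, "trillian.exe")
    for ev in tcp:
        print(ev["Time of Day"], ev["Operation"], ev["Path"])
    print("sent:", bytes_by_remote(tcp))
    print("received:", bytes_by_remote(tcp, "Receive"))
```

Process Monitor only records network events when network activity is enabled in its toolbar, and it records them from the Winsock layer, so you get the endpoints and byte counts but never the payload itself. If the totals for a process look too high for what it should be doing, that is the point at which the next tool becomes worth the effort.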
Once again, Process Monitor has shown us a deeper level of activity – specific events and actions – but it still hasn’t shown us exactly what data is being transmitted and received.
It’s time to get geekier still.
Wireshark is a network protocol analyzer, or packet sniffer. What that means in English is that it's a tool that lets you see everything that's being transmitted to and from your machine, down to the individual bytes of each packet, in excruciating detail.
Wireshark works in many ways like Process Monitor: you run it for a while and it captures all your network traffic for analysis. After the capture, you can use its display and filtering tools to narrow down what's shown to the specific network packets of interest.
Wireshark is not for the faint of heart. It's really something that's going to be most useful for someone who's fairly geeky and has a basic understanding of networking and network protocol concepts.
But it’s incredibly powerful.
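To make "excruciating detail" concrete: a capture file is just a sequence of raw frames, and what Wireshark does for each one is peel off the Ethernet header, then the IP header, then the TCP header, leaving the bytes the application actually put on the wire. The Python below is an added example, not code from the original page or from the Wireshark project. It builds a small libpcap-format capture in memory (the addresses, ports and payloads are invented, and checksums are left at zero), decodes it the same way, and applies the equivalent of a Wireshark display filter such as `ip.addr == 203.0.113.10` or `tcp.port == 443`. It handles only Ethernet/IPv4/TCP, which is enough to show the idea.

```python
"""Decode the TCP payloads in a raw libpcap capture, the bare version of
what Wireshark does when it shows you a packet's bytes.

Added example, not from the original page. The capture is constructed in
memory by build_pcap(); addresses and payloads are invented, and only
Ethernet/IPv4/TCP (no IP options, no VLAN tags) is decoded.
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic little-endian libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def _ipv4_tcp_frame(src, sport, dst, dport, payload, flags=0x18):
    """Build one Ethernet/IPv4/TCP frame. Checksums are left zero; Wireshark
    would flag them, but a decoder does not need them. flags 0x18 = PSH|ACK."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a libpcap file: 24-byte global header, then a 16-byte
    record header (ts_sec, ts_usec, incl_len, orig_len) before each frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def tcp_segments(pcap_bytes):
    """Return (src, sport, dst, dport, flags, payload) for every TCP segment."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap_bytes, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet libpcap file")
    offset, segments = 24, []
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, offset)
        frame = pcap_bytes[offset + 16: offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ihl = (frame[14] & 0x0F) * 4                  # IP header length in bytes
        total_len = struct.unpack_from("!H", frame, 16)[0]
        if frame[23] != 6:                            # IP protocol field: 6 = TCP
            continue
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        tcp = frame[14 + ihl: 14 + total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
        segments.append((src, sport, dst, dport, tcp[13], tcp[data_off:]))
    return segments


def matching(segments, host=None, port=None):
    """Display-filter-like selection: ip.addr == host and/or tcp.port == port."""
    return [s for s in segments
            if (host is None or host in (s[0], s[2]))
            and (port is None or port in (s[1], s[3]))]


def payload_bytes_from(segments, host):
    """Application bytes that left `host`, which is the asker's real question."""
    return sum(len(s[5]) for s in segments if s[0] == host)


# Constructed capture: one plain HTTP exchange and one TLS record.
SAMPLE_PCAP = build_pcap([
    _ipv4_tcp_frame("192.168.1.10", 49712, "203.0.113.10", 80, b"", flags=0x02),   # SYN
    _ipv4_tcp_frame("203.0.113.10", 80, "192.168.1.10", 49712, b"", flags=0x12),   # SYN/ACK
    _ipv4_tcp_frame("192.168.1.10", 49712, "203.0.113.10", 80,
                    b"GET /update.xml HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    _ipv4_tcp_frame("203.0.113.10", 80, "192.168.1.10", 49712,
                    b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    _ipv4_tcp_frame("192.168.1.10", 49800, "198.51.100.25", 443, b"\x16\x03\x01\x00\x05hello"),
])

if __name__ == "__main__":
    segs = tcp_segments(SAMPLE_PCAP)
    for src, sport, dst, dport, flags, data in segs:
        print(f"{src}:{sport} -> {dst}:{dport} flags=0x{flags:02x} {data[:40]!r}")
    print("bytes sent by 192.168.1.10:", payload_bytes_from(segs, "192.168.1.10"))
```

The last segment is the caveat the original question runs into: for the plain HTTP request you can read exactly what left the machine, but for the TLS connection the decoder (and Wireshark) can show you the endpoints and the byte count, not the content. That is still enough to answer "which program is sending how much to whom", which is usually the question that matters.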
I've never had to resort to Wireshark to diagnose a network problem. Typically, using Process Explorer, or perhaps Process Monitor, to identify which process is actually using the network, and to what degree, is enough to diagnose a "what's going on?" kind of situation without actually needing to sniff the data being sent.
And the bottom line is that even when your machine is “doing nothing”, it’s very likely – even expected – that there will be some network activity.