How to check the network activity of applications. How to monitor network activity with Windows Firewall logs

Instructions

Usually the need to view active connections associated with suspected spyware infection of the computer. A properly configured computer should connect to the network only when you open some pages or when updating OS files and databases antivirus software... If the network connection indicator in the tray now and then "comes to life" by itself, and the computer, regardless of you, exchanges some information with the Internet, you need to find out the reasons for such network activity.

Open the command line, for this run: "Start" - "All programs" - "Accessories" - "Command line". In the window that opens, enter the command netstat –aon and press Enter. You will see a list of all network connections, the active ones will be marked in the “Status” column as ESTABLISHED.

Pay attention to the "External address" column - it contains the ip with which your computer was connected and the connection port. Port 80, for example, is specific to web servers. But if you see any other port, this is already a cause for alarm. In this case, you need to find out which application installed on your computer opens this connection.

Look at the last column for the process identifiers (PIDs). Remember the identifier of the suspicious process, then in the same window type the tasklist command. A list of processes running on the computer will open. The first column will contain the names of the processes, the second - their identifiers. Find the identifier of the suspicious process, then, to the left of it, look at the name of the program to which it belongs.

What if the process name doesn't tell you anything? Type it in a search engine and you will receive all the information about this process... If there is no information, then there is a very high probability that you have "caught" a new Trojan horse, information about which has not yet reached the Internet and antivirus databases.

Pay attention to which port the suspicious process opens - information about open ports is present in the "Local address" column. Check processes that are pending connection - LISTENING. This is how backdoors behave - trojansdesigned for covert connection with an infected computer. The server part of such a program always "hangs" on some port and waits for a connection from the hacker's computer.

For complete control over connections, install the BWMeter program. This is one of best programs of this class, it will allow you to see which addresses your computer connects to, it is possible to write information to the log.

Sources:

• no active internet connection found

If necessary, find out the actual speed the Internet- connections the most correct is to run the check on your computer, or mobile devicebecause the information from the provider may be unreliable. Specialized online resources should be used as a tool for determining the speed of data reception and transmission.

Instructions

One of the most popular sites for this purpose is www.speedtest.net. Open the site, but do a little prep work before checking it out. The fact is that some services and applications can run in backgroundusing an internet channel. The most basic of them are: antivirus software, torrent client, automatic windows updates... Disable all such programs and services, and only after that start checking the speed - this way you will get a value that is as close to reality as possible.

To start the procedure for determining the speed, press the "Start test" button and wait until the result is shown to you. After completing the check, you will find out the Ping rate (the lower the better), speed download and speed recoil. The last two indicators are your real speed the Internet- connections... The higher these values, the faster the pages will open in the browser, download programs, movies, and the more comfortable (without pauses) viewing will be.

If you need to know speed connections on your mobile device, for example, iPad, iPhone, HTC, Samsung, etc. (iOs and Android), you can install a special application on your device, which can be downloaded on the same website in the "Mobility" section or in online stores AppStore and Android Market... After installing such an application, you can check speed receiving and transmitting data on your own or and find out if the declared provider responds speed on a 2G or 3G network actual performance.

Related Videos

Helpful advice

In addition to the Speedtest.net site, you can use similar resources: www.internet.yandex.ru, www.speed.yoip.ru, www.speed-tester.info and others.

Thanks to the presence in the tray of an icon in the form of two computers, the user can generally judge the network activity of his machine. In the event that even an idle computer actively communicates with the Internet, there is a need for more complete traffic control.

You will need

• - rights to run applications on the local computer.

Instructions

A properly configured computer will never go online by itself. The only exceptions are scheduled updates of the operating system and antivirus program. If the computer constantly climbs into the network, we can assume it wrong setting or viral activity.

To view the network activity computer, run the command line: "Start - All programs - Accessories - Command line". Type netstat –aon and don't forget to hit Enter. You will see a table of five columns. The first will indicate the protocol - UDP or TCP. The second lists all active connections, while you can see the ports open on your machine. The third column shows the external address, the fourth shows the connection status. In the fifth, you can see the PID - the digital process identifier.

The ports indicated in the second column indicate that they were opened by some programs, among which there may well be Trojans. In order to understand which program opens a particular port, enter the tasklist command in the same window - you will see a list running processes... In this case, the process identifier will go immediately after the name of the executable file.

Let's say you see that you have open port 1025, its PID is 1480 (it may be different for you). Find this identifier in the list of processes and see which program it belongs to. If you don't know what it is, type its name into a search engine.

The Status column gives you the ability to see the status of the connection. For example, the LISTENING line indicates that the program is waiting for a connection. This is how backdoors behave - Trojans, the server side of which is located on the victim's computer. But other programs, such as Windows services, can also be in this state. In the operating room windows system XP, some potentially dangerous ports can be closed using the wwdc utility, which can be downloaded from the Internet.

If you need a complete traffic analysis, use BWmeter. It will track all connections to your computer with the indication of ip-addresses, the data can be written to the log. The program is useful for both calculating spyware, and to identify and then disable all kinds of services that climb into the network without the permission of the computer owner.

The task of determining the ports used, statistics and active TCP / IP connections in operating system Microsoft Windows can be solved standard means the system itself using the netstat console utility.

Instructions

Enter the value cmd in the "Open" field and confirm the execution of the command for launching the "Command Line" tool by clicking OK.

Enter the value netstat -ano in the interpreter test field windows commands and confirm the execution of the command by pressing the Enter function key.

Remember the syntax for the console command you are using:
- a - display of all used connections and ports;
- n - displaying not aliases and DNS names, but actual numeric values \u200b\u200bof ports and IP addresses of connections;
- o - displays PID (Process ID) - digital identifier of the process using this connection or port.

Identify the application responsible for the specific connection on the selected port and remember its ID.

Return to the Run dialog and re-enter the cmd value in the Open field to identify the required process.

Confirm the execution of the command to start the Windows command interpreter by clicking OK and enter the value tasklist | find the saved_PID in the Command Line tool text box.

Confirm the execution of the command by pressing the function key Enter, or simultaneously press function keys Ctrl + Shift + Esc to launch the built-in utility "Manager windows tasks».

Go to the "Processes" tab of the opened dispatcher dialog box and open the "View" menu top panel tools.

Specify the "Select Columns" command and apply the checkbox to the PID (Process Identifier) \u200b\u200bfield.

This article describes the main functions of commands that allow you to determine the network activity of a computer.

Netstat command.

Used to determine the network activity of your computer, for example, to find out which site your program is connecting to. From the standard help for this command, which is shown by typing in the console window of an MS-DOS session

Netstat /?

You can learn a lot, but I will tell only the main, in my opinion, points. The main use of the command.

With the following key:

Netstat -a

this command lists your computer's active connections to the outside world, for example, the result of this command:

Proto Local Address Foreign Address State TCP alex: 1085 diablo.surnet.ru:80 ESTABLISHED UDP alex: 1084 *: * UDP alex: nbname *: * UDP alex: nbdatagram *: *

Consider the first line:

Proto is a protocol.
Local Address - local address and port, the name of your computer.
Foreign Address - remote address and port; the address that your computer is currently communicating with.
State - the state of the connection.

Of the protocols, TCP is the most interesting as the protocol by which you connect to a remote computer over the Internet.

The local address, separated by a colon on behalf of your computer, shows the port through which data is exchanged on your computer. Since how to match a program that works with the Internet, and network connection is not entirely simple, then it is recommended to force a port for each program, if there is such an opportunity (in the next articles I will tell you how), then it will be easy to determine which program is connecting to what and whether it is pumping unnecessary information (spam).

Ping command.

To determine the connection speed and "liveliness" remote computer is the ping command. additional information you can find out from the standard ping command help.

Standard program call: ping "remote address". "Remote address" can be set both in a symbolic way, for example, ya.ru, and the address of a remote server, for example, 212.65.99.1

This command screen:

Reply from 195.54.9.250: bytes \u003d 32 time \u003d 56ms TTL \u003d 250 Reply from 195.54.9.250: bytes \u003d 32 time \u003d 55ms TTL \u003d 250 Reply from 195.54.9.250: bytes \u003d 32 time \u003d 56ms TTL \u003d 250

where digits after from "remote address":

bytes - the number of bytes transferred
time - server response time

additional parameters indicating keys:

Ping "remote address" -t

pings an infinitely remote server.

Ping "remote address" -n 10

ping a remote server a specified number of times.

Ping "remote address" -w 10000

wait for a response from the remote server for a specified number of milliseconds.

These keys can be combined, for example, I have the following command to check the remote server (and the liveliness of the Internet):

Ping 195.54.9.250 -n 10 -w 10000

Check the remote server 10 times and wait for a response for 10 seconds, if during this time there are no responses, and the result will be "Request timed out" then I think that this server currently unavailable.

Signal flow verification command: tracert

the syntax for this command is very simple:

Tracert "remote server"

The screen will display a list of servers and the delay time through which the signal passes to reach the "remote server" for example, as it looks to me.

Tracing route to diablo.surnet.ru over a maximum of 30 hops: 1 4 ms 2 ms 2 ms gw.bran760.icb.chel.su 2 54 ms 53 ms 53 ms Satka-ICB.ll.icb.chel.su 3 62 ms 96 ms 65 ms 195.54.1.153 4 65 ms 65 ms 65 ms 195.54.1.249 5 75 ms 76 ms 85 ms diablo.surnet.ru Trace complete.

With the help of these commands, you can determine the network activity of your machine, see which program is downloading what where and at which address, as well as check the signal transit time from your computer to a specific server. Next time, I'll show you how to collect network connection statistics using these commands.

This article will be, to some extent, devoted to security. I recently had an idea, how to check which applications are using the Internet connection, where traffic can flow, through which addresses the connection goes, and much more. There are users who also ask this question.

Suppose you have an access point to which only you are connected, but you notice that the connection speed is somehow low, call the provider, they note that everything is fine or something similar. What if someone is connected to your network? You can try using the methods in this article to find out which programs that require an Internet connection it uses. In general, you can use these methods as you please.

Well, let's analyze?

Netstat command to analyze network activity

This way without using any programs, we just need the command line. Windows has special utility netstat, which deals with network analysis, let's use it.

It is desirable that the command line be run as administrator. In Windows 10, you can click on the Start menu right click mouse and select the appropriate item.

At the command line, enter the netstat command and see a lot of interesting information:

We see connections, including their ports, addresses, active and pending connections. This is certainly cool, but this is not enough for us. We would like to find out which program is using the network, for this, together with the command netstat, you can use the –b parameter, then the command will look like this:

The utility that uses the Internet will now be visible in square brackets.

This is not the only parameter in this command to display complete list enter command netstat –h .

But, as practice shows, many utilities command line do not give the information that I would like to see, and it’s not so convenient. Alternatively, we will use a third party software - TCPView.

Monitoring network activity with TCPView

You can download the program from here. You don't even need to install it, you just unpack it and run the utility. It is also free, but does not support Russian, but this is not particularly necessary, from this article you will understand how to use it.

So, the TCPView utility monitors networks and shows in the form of a list all programs connected to the network, ports, addresses and connections.

In principle, everything is very clear here, but I will explain some points of the program:

• Column Process, of course, shows the name of the program or process.

• Column PID indicates the identifier of the process connected to the network.

• Column Protocol indicates the protocol of the process.

• Column Local adress - the local address of the process on this computer.
• Column Local port - local port.

• Column Remote adress indicates the address to which the program is connected.

• Column State - indicates the status of the connection.

• Where indicated Sent Packets and Rcvd Packets indicates the number of packets sent and received, the same with columns Bytes.

Using the program, you can also right-click on the process and end it, or see where it is.

Address names as shown in the image below can be converted to a local address by pressing the hotkeys Ctrl + R.

If you see the lines different color, for example, green, it means the start of a new connection, if red appears, then the connection is completed.

That's all the main settings of the program, there are also crayons parameters, such as setting the font and saving the connection list.

If you like this program, be sure to use it. Experienced users will find exactly for what purpose to use it.

Hello!

It should be understood that the IP address is not the identifier of a person on the Internet, but of the device that he uses to access the network. That is, for example, your smartphone and the modem that you connect to your computer have different IP addresses, although both of these devices belong to the same person - you.

Let's consider the option of obtaining some information by the IP address, which is usually used most often. This is the address of the user's PC. It is when working with a PC that the main activity of an ordinary user on the Internet occurs.

So someone found out your IP address. There are many ways to do this, including trap sites (fakes), hacking sites and forums on which you are registered, determining the address in the process of communication in various social networks. networks and other means of Internet communications, etc. In general, an individual can find out your IP, this is a fact. And if that person has some experience, or just knows how to use an Internet search and is able to understand the instructions given in the search results, he will be able to get certain information about you.

For example, special services allow only one IP to find out, for example, a phone number or even a real address. But this is not in all cases, the matter can be limited only to the definition of the provider and the country, no more.

Also, the IP address can be scanned for open ports. And if one of these ports turns out to be an open vulnerable program (and, in principle, there cannot be invulnerable), it will be possible to gain access to information on your PC, your network accounts, or even remote control your computer. And at least one open port means that the user with this IP is on the network (you were just interested in this question).

I have just explained quite primitively, on the fingers, but this is enough to understand the possibilities that knowledge of your IP opens to an attacker. Next, I will describe how to protect.

An ordinary user just needs to install a firewall and keep it up to date. It will provide exactly the PROTECTION from intruders. If you need ANONYMITY, then you can use a dynamic IP (it changes with each connection), a proxy server or a chain of them, etc. The first tool is less reliable (from the provider, you can, if you have authority or hack its database, find out who used the IP at a certain time and even what actions this person performed). With a proxy, everything is the same, but doing this action with a chain of several servers will take time. And until it comes to the last, information about you may already be deleted due to the prescription.

I would like to point out that all these means of maintaining anonymity are useful, for example, for hackers who commit illegal actions and do not want to be held responsible for them. AND ordinary user they are not required. You can easily chat online, read articles, watch movies, listen to music and play games. Neither special services, nor crowds of hackers are eager to find out the details of this \u003d) Firewall, as well as antivirus (or a combined solution from these and other programs for security) will be quite enough, and the vast majority of Internet users do not need absolute anonymity, since information about their actions are simply not of particular value.