Network/application traffic inspection

[Carol Haynes]

My network continuously seems to be transmitting and receiving data (even when the computer has been idle with no apps running). I have check that there are no viruses, spyware etc. and can't find any evidemce of anything sinster going on.

Anyone got any ideas on any software that will show you which applications are currently talking to the network/wan (preferably something that can resolve how programs like svchost have been called) and also to look at what data is being sent and received ?

[Eóin]

Ethereal is a name I've often heard mentioned for this purpose. Its seem now it's going under the new name Wireshark. Haven't used it myself in a long time, and even then it was only ever just out of curiosity.

[f0dder]

There's almost always a bit of traffic going on, windows machines are very "chatty", trying to do network discovery of other computers etc... "netstat" can show a lot of info, iirc also which service from a svchost process that has the connections going.

To be more thorough than that, you'll want some traffic analyzer. Been years since I used those, so I'm not up to date there, sorry.

[Carol Haynes]

Thanks for those two ideas ....

Strangely a lot of traffic seems to be to google.com - which is strange 'cos I don't have any google apps running, and it happens even when my browser is closed.

The actual traffic appears to be pinging the google site - anyone any ideas why this might be happening

[f0dder]

Hm, sounds suspicious.

Do you have any idea whether it's a massive amount of data, or just a small trickle every now and then? Perhaps your router offers some overview of bandwidth usage, or you could try some network meter thing?

[Carol Haynes]

Seems to be a trickle and lots of the data seems to include the text NOOP which I take to mean "No operation".

I have run two malware scanners on my system (one runs contstantly) and scanners with NOD32 AV which should spot malware and trojans too and come up with ZIP.

I have been running wireshark and can't see anything obviously malicious going on.

Strange thing is currently my 'network' consists only of this computer and my router.

[gjehle]

The actual traffic appears to be pinging the google site - anyone any ideas why this might be happening

-Carol Haynes (April 21, 2007, 01:30 PM)

can you shut down everything and record a few minutes of traffic using wireshark and post the logfile somewhere?
maybe that way it would be more effective for the rest of the folk on here to take a look at it
(if you feel like disclosing your internal network traffic that is)

[Carol Haynes]

Got it sussed (I think).

In the UK we have TV Channel 4 which has an 'on-demand' internet service.

I had installed their client to download missed TV episodes. Unknown to me it also installed KService.exe which is a peer-to-peer client running on port UDP:1948. Turning the service to manual and stopping the on-demand client loading at boot seems to have stopped the problem.

I am going to keep WireShark installed though - useful find.

Thanks all for your help.