Jameser's Tech Tips

Wednesday, July 05, 2006

Tip #9: Monitoring Windows Network Activity

Today's tip is on monitoring network activity on Windows XP... Our main focus in monitoring this activity is to ensure that the only applications accessing the Internet are programs we are aware of and have "authorized" via firewall rules... After any virus, spyware, or adware cleanup, it is also a good idea to make certain that nothing was missed, or reinstalled after the cleanup, which is still accessing the network...

While Windows XP ships with a few utilities for displaying current network connections and process information, it lacks a real-time monitoring application... The application we'll be using today is a freeware utility from SysInternals called TCPView... While there are other, more powerful monitoring and packet-capture applications, I prefer TCPView for its simplicity and portability... It does not require an install, and can be run directly from a USB flash drive...

TCPView can be downloaded from the SysInternals website...

After downloading the archive, unzip the files to a location of your choice and launch the Tcpview.exe program... The window displayed should look similar to the one shown below...


The display will show all processes with TCP and UDP endpoints, the protocol in use, the local address and port number, the remote address and port number, as well as the connection's current state... To view only connected endpoints, uncheck "Show Unconnected Endpoints" from the Options menu...

As new connections are created, the background of the line item will turn green until the next refresh cycle... Items that change state from the previous refresh will be displayed with a yellow background, and recently destroyed connections will appear with a red background...

To view detailed process information on a specific item, right-click the desired item and select "Process Properties"... The full path and command line for the application will be displayed...

Finally, to terminate the connection of a listed item, you can simply right-click on the item and select "Close Connection"... This option is only available for processes with connected endpoints...
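As an added example (not from the original post, and not part of TCPView), the following Python script reproduces the two checks this tip performs by eye: it diffs two refresh-cycle snapshots the way TCPView colours them (green = new, yellow = changed state, red = closed) and flags any connected process that is not on your firewall allow-list. The snapshots are constructed sample data; on a live host they could be collected with psutil (assumed installed).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    process: str   # image name as TCPView shows it, e.g. "firefox.exe"
    proto: str     # "TCP" or "UDP"
    local: str     # "local address:port"
    remote: str    # "remote address:port", or "*:*" for an unconnected endpoint
    state: str     # "ESTABLISHED", "LISTENING", "TIME_WAIT", ... ("" for UDP)

def key(ep):
    """Identity of an endpoint across refreshes; state is deliberately excluded."""
    return (ep.process, ep.proto, ep.local, ep.remote)

def diff_snapshots(before, after):
    """Classify endpoints as TCPView does between two refresh cycles:
    new (green), state changed (yellow), closed/destroyed (red)."""
    prev = {key(e): e for e in before}
    curr = {key(e): e for e in after}
    new = [curr[k] for k in curr if k not in prev]
    closed = [prev[k] for k in prev if k not in curr]
    changed = [curr[k] for k in curr if k in prev and prev[k].state != curr[k].state]
    return {"new": new, "changed": changed, "closed": closed}

def unauthorized(endpoints, allowed, connected_only=True):
    """Image names with endpoints that are not on the firewall allow-list.
    connected_only mirrors unchecking 'Show Unconnected Endpoints'."""
    found = set()
    for e in endpoints:
        if connected_only and e.remote == "*:*":
            continue  # listening / unbound endpoint, skipped like TCPView's option
        if e.process.lower() not in allowed:
            found.add(e.process)
    return sorted(found)

# Constructed sample snapshots (RFC 5737 documentation addresses, not real hosts).
# Live alternative (assumption: psutil installed): psutil.net_connections(kind="inet").
SNAP_1 = [
    Endpoint("svchost.exe", "TCP", "0.0.0.0:135", "*:*", "LISTENING"),
    Endpoint("firefox.exe", "TCP", "192.168.1.10:1051", "203.0.113.5:80", "ESTABLISHED"),
    Endpoint("firefox.exe", "TCP", "192.168.1.10:1052", "203.0.113.5:80", "SYN_SENT"),
]
SNAP_2 = [
    Endpoint("svchost.exe", "TCP", "0.0.0.0:135", "*:*", "LISTENING"),
    Endpoint("firefox.exe", "TCP", "192.168.1.10:1052", "203.0.113.5:80", "ESTABLISHED"),
    Endpoint("updater.exe", "TCP", "192.168.1.10:1053", "198.51.100.7:443", "ESTABLISHED"),
]
ALLOWED = {"svchost.exe", "firefox.exe"}   # programs authorized in the firewall

if __name__ == "__main__":
    for label, eps in diff_snapshots(SNAP_1, SNAP_2).items():
        for e in eps:
            print(f"{label:8} {e.process} {e.proto} {e.local} -> {e.remote} {e.state}")
    print("not on allow-list:", unauthorized(SNAP_2, ALLOWED))
```

Anything reported under "not on allow-list" is what the tip tells you to investigate via Process Properties before deciding whether to add a firewall rule or close the connection.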

If you have any questions on today's tip, please leave a comment...

If you have a topic that you'd like to see covered in the future, please send me an e-mail: jameser@gmail.com...
