Performance monitor

qwe

I want to check for unauthorized emails leaving the network. I thought that
a good place to start would be to monitor TCP connections. I set Perf
Monitor to monitor both active TCP connections and TCP Connections
established. The Active connections shows an average of 5,709 with 5,732 at
the moment.

That seems a tad high for a small (5 computer) network. All computers are
virus scanned nightly (and periodically by two different virus scan vendors,
just to double check) and are running behind a firewall. Is this normal, or
do I have a problem?

RAB
 
Ace Fekay [MVP]

In
qwe said:
I want to check for unauthorized emails leaving the network. I
thought that a good place to start would be to monitor TCP
connections. I set Perf Monitor to monitor both active TCP
connections and TCP Connections established. The Active connections
shows an average of 5,709 with 5,732 at the moment.

That seems a tad high for a small (5 computer) network. All
computers are virus scanned nightly (and periodically by two
different virus scan vendors, just to double check) and are running
behind a firewall. Is this normal, or do I have a problem?

RAB

You're saying you have over 5000 TCP sessions with 5 machines? WOW.

To check for unauthorized email traffic, I would scan for port 25 traffic.
You can use any scanner, one that is a decent one is LanGuard from
www.gfi.com. A freeware scanner called Superscan can be found at
www.foundstone.com. There are many others.

AV scans may not find what you're looking for. Run Adaware 60 on your
machines to at least eliminate adware and/or trojan and other rogue software
installed and re-run your perfmon. You can also go to each machine and run
netstat -n to see what connections are active. To find out what apps are
using the ports listed, you can use FPORT from www.foundstone.com to help
you isolate what it is.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Steven L Umbach

Check your firewall logs for what is going on. You may need to configure a
rule/policy and then audit it but it should give you an idea what is going on including
IP and port destination/source unless you are using a basic NAT router with real
basic logging capabilities. Ideally you want your firewall to also block all outbound
traffic by default and then configure a rule for authorized outbound traffic. I also
like to use TCPView to monitor port connections on a computer and it will map to the
owning process in a nice GUI. --- Steve

http://www.sysinternals.com/ntw2k/source/tcpview.shtml
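
Added example (not part of any poster's reply): the per-machine check suggested above, netstat output mapped to the owning process, can be scripted. This Python script parses `netstat -ano` output (the `-o` switch adds the PID column) and lists mail-port connections that do not go to an approved relay; the sample output, the relay address 192.168.1.2 and all function names are constructed for illustration.

```python
from collections import Counter, namedtuple

Conn = namedtuple("Conn", "local remote_ip remote_port state pid")
SMTP_PORTS = {25, 465, 587}  # assumption: 25 per the thread, plus submission ports

# Constructed sample of `netstat -ano` output; not captured from a real host.
SAMPLE = """\
Active Connections

  Proto  Local Address      Foreign Address    State        PID
  TCP    0.0.0.0:135        0.0.0.0:0          LISTENING    884
  TCP    192.168.1.10:1045  192.168.1.2:25     ESTABLISHED  2140
  TCP    192.168.1.10:1046  203.0.113.25:25    ESTABLISHED  3312
  TCP    192.168.1.10:1047  203.0.113.80:80    ESTABLISHED  1500
  TCP    192.168.1.10:1048  198.51.100.7:25    SYN_SENT     3312
  UDP    0.0.0.0:445        *:*                             4
"""

def parse_netstat(text):
    """Return one Conn per TCP row; header, blank and UDP rows are skipped."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP" or not f[4].isdigit():
            continue
        ip, _, port = f[2].rpartition(":")  # last colon, so [v6]:port also works
        if port.isdigit():
            conns.append(Conn(f[1], ip.strip("[]"), int(port), f[3], int(f[4])))
    return conns

def unexpected_smtp(conns, allowed_relays):
    """Mail-port connections whose remote end is not an approved relay."""
    return [c for c in conns
            if c.state != "LISTENING"
            and c.remote_port in SMTP_PORTS
            and c.remote_ip not in allowed_relays]

def report(text, allowed_relays):
    """Tally TCP states, list the unexpected SMTP rows, and count them per PID."""
    conns = parse_netstat(text)
    hits = unexpected_smtp(conns, allowed_relays)
    return {"states": Counter(c.state for c in conns), "hits": hits,
            "pids": Counter(c.pid for c in hits)}

if __name__ == "__main__":
    result = report(SAMPLE, allowed_relays={"192.168.1.2"})
    print(dict(result["states"]))
    for c in result["hits"]:
        print(f"PID {c.pid}: {c.local} -> {c.remote_ip}:{c.remote_port} {c.state}")
```

On a live machine, pass the saved output of `netstat -ano` to `report()` and look up each flagged PID in Task Manager or TCPView to identify the program.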
 
Ace Fekay [MVP]

In
Steven L Umbach said:
Check your firewall logs for what is going on. You may need to
configure a rule/policy and then audit it but it should give you an
idea what is going on including IP and port destination/source unless
you are using a basic NAT router with real basic logging
capabilities. Ideally you want your firewall to also block all
outbound traffic by default and then configure a rule for authorized
outbound traffic. I also like to use TCPView to monitor port
connections on a computer and it will map to the owning process in a
nice GUI. --- Steve

That seems easier to use than fport.

Ace
 
Steven L Umbach

Ace Fekay said:

Hi Ace.

I assume you mean TCPView? Yeah it is nice and it refreshes itself. Fport is a nice
command line utility and also comes in handy to view remote computers port mapping
while using psexec.exe to view the command line of the remote computer. By the way I
am POed at the BOSS again :( --- Steve
 
Ace Fekay [MVP]

In
Steven L Umbach said:
Hi Ace.

I assume you mean TCPView? Yeah it is nice and it refreshes itself.
Fport is a nice command line utility and also comes in handy to view
remote computers port mapping while using psexec.exe to view the
command line of the remote computer. By the way I am POed at the BOSS
again :( --- Steve

I like TCPView. I use psexec too. Nice tool. Helps remotely.

At the Boss again? Now I haven't been keeping up with the latest stuff, what
happened now?

ace
 
Ace Fekay [MVP]

In
Steven L Umbach said:
Well, he is pairing up with likes of the Dixie Dips for a save the
world tour as shown in the link below. --- Steve

http://www.usatoday.com/money/2004-08-05-tour_x.htm

Looks like he jumped on to the political bandwagon. Being a musician, I
would say he should not do that. The Warp Tour was around in the Philly area
and my two daughters went to it and they said it was all anti-Bush. Wasn't
it at one time that a concert was a concert, nothing else?

Ace
 
Steven L Umbach

You are a musician? Cool - what do you play? I am not musically inclined/adept. My 22
year old son plays guitar [or used to] and my 17 year old daughter plays violin in
the orchestra in school. My wife paid some pretty good bucks for a clarinet, but it
sits in the closet. Oh well, I can not complain she just graduated from college with
a PharmD degree and is now a Pharmacist.

I don't have a clue what a "Warp Tour" is - I guess I am giving away my age - cough,
cough. I will ask Megan my daughter. I have not been to a concert in ages. I guess
things are changing. It is getting to the point that I don't like to go to some
parties anymore because of the way conversations go. When I go out, I want to have a
good time and relax BUT I can not stand idly by when someone starts spouting off
misinformation. Yikes. --- Steve
 
Phillip Windell

Steven L Umbach said:
parties anymore because of the way conversations go. When I go out, I want to have a
good time and relax BUT I can not stand idly by when someone starts spouting off
misinformation. Yikes. --- Steve

Same here. Those "conversations" in my case usually end up being
"political". I work in the "mainstream media" but am a conservative,...guess
how those conversations go.
 
Ace Fekay [MVP]

In
Steven L Umbach said:
You are a musician? Cool - what do you play? I am not musically
inclined/adept. My 22 year old son plays guitar [or used to] and my
17 year old daughter plays violin in the orchestra in school. My wife
paid some pretty good bucks for a clarinet, but it sits in the
closet. Oh well, I can not complain she just graduated from college
with a PharmD degree and is now a Pharmacist.

I don't have a clue what a "Warp Tour" is - I guess I am giving away
my age - cough, cough. I will ask Megan my daughter. I have not been
to a concert in ages. I guess things are changing. It is getting to
the point that I don't like to go to some parties anymore because of
the way conversations go. When I go out, I want to have a good time
and relax BUT I can not stand idly by when someone starts spouting
off misinformation. Yikes. --- Steve

Oops, sorry, I'm not a musician. Just referring to the Boss. I did play a
little guitar during my younger teens (30+ years ago), but don't remember
anything and would have to start from scratch again. Got my daughter to play
violin for a couple years in elementary school, but she lost interest at 9
and gave it up. She's 15 now.

Actually my mistake, it's a "Warped Tour.." I don't think you would want to
go to one of these... :)
http://encyclopedia.thefreedictionary.com/Warped Tour

I know what you mean, when it turns political, then it takes the fun out of
a concert.

Ace
 
Ace Fekay [MVP]

In
Phillip Windell said:
Same here. Those "conversations" in my case usually end up being
"political". I work in the "mainstream media" but am a
conservative,...guess how those conversations go.

I agree and would change the subject by asking, "Does anyone want a shot?"
as I'm holding up the Crown Royal bottle!
:)

Ace
 
Steven L Umbach

Heh heh. Yeah I guess I would not want to go to one of those and they would probably
not want me either. --- Steve
 
Steven L Umbach

Well the upside is you must be good at what you do since they put up with you! ---
Steve
 
Ace Fekay [MVP]

In
Steven L Umbach said:
Heh heh. Yeah I guess I would not want to go to one of those and
they would probably not want me either. --- Steve

Yeah, same here!
 
Phillip Windell

It ain't so bad, really. The majority of them are also either conservative
or call themselves "Independents" but actually have conservative beliefs.
One of our main producers is also conservative and isn't afraid to tell you
about it. So I'm in good company most of the time. It is just a matter of
common sense, if people take the time to think things through, it is the
natural outcome.

It just shows you the difference between a *local* news station with news
people who live in the real world vs the national media run by those living
in their ivory towers.

Hmm...I guess this doesn't have much to do with Performance Monitor,....but
hey, we need a break once in a while.
 
Steven L Umbach

That is good. At least it does not sound like any guns are being drawn - just enough
to keep things interesting and keep the mind fresh. Real men can disagree and still
have a laugh and a beer together [or rootbeer in my case]. ---Steve

Phillip Windell said:
It ain't so bad, really. The majority of them are also either conservative
or call themselves "Independents" but actually have conservative beliefs.
One of our main producers is also conservative and isn't afraid to tell you
about it. So I'm in good company most of the time. It is just a matter of
common sense, if people take the time to think things through, it is the
natural outcome.

It just shows you the difference between a *local* news station with news
people who live in the real world vs the national media run by those living
in their ivory towers.

Hmm...I guess this doesn't have much to do with Performance Monitor,....but
hey, we need a break once in a while.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Steven L Umbach said:
Well the upside is you must be good at what you do since they put up with you! ---
Steve
 
