Suspicious network activity

Guest

Hi,

I have noticed for several days that there is low-level network activity going
on over my LAN ethernet card. I noticed that recently when my
Windows Task Manager/Networking display was open and NO applications were
running. Same thing right after reboot. The activity is low - it takes up
0.01% of my 10Mbps bandwidth, but nonetheless noticeable and suspicious. Most
of the communication is incoming, Inbound/Outbound=6/1.
1) Is there any utility with which one can see what executables are
communicating (on packet or byte level) with the internet?
2) Is there any utility with which one can see what the IP address is of the
device which tries to communicate with my computer?
3) Could it be that it is the ethernet card itself that is communicating
with the cable modem or the network provider and not any executables from my
drive?

I did not have that quiet and low-level communication before. It looks
suspicious.

Thanks, Johan
 
Chuck

Johan,

Two possibilities to help you are TCPView (free, easy to install) from
<http://www.sysinternals.com/ntw2k/source/tcpview.shtml>, and Port Explorer
(free, requires system reboot) from
<http://www.diamondcs.com.au/portexplorer/index.php?page=home>. Port Explorer
Pro (not free, but worth the cost) even includes a simple packet analyser.

You might want to sign up for DShield <http://www.dshield.org//port_report.php>
and / or MyNetWatchman <http://www.mynetwatchman.com/default.asp> (both free),
that aggregate your intrusion observations with thousands of others like yours,
and let you see if your observations are unique, or simply background noise.
Both DShield and MyNetWatchman can even pick up automated observations from
specific firewalls or intrusion detectors, and forward the observation to their
database.
 
Guest

Hi,
I just tried that command, then there is a black cmd-window that pops up
with a list of something but the cmd-window closes immediately. Why is
that?
johan
 
FredP

Sounds like you're running netstat from the 'Run' command. Go to
'Start', 'Run', type in 'CMD' (w/o the quotes) to open the command
window. THEN, type in 'netstat'.
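
Added example, not part of the thread: a Python sketch that takes saved `netstat -ano` output (the -o switch adds the owning process ID) and reports which PIDs hold connections to addresses outside the LAN, plus which sockets accept inbound traffic. The sample output, addresses, PIDs and the LAN ranges are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `netstat -ano` output; addresses and PIDs are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:1042      203.0.113.25:80        ESTABLISHED     1520
  TCP    192.168.1.10:1043      203.0.113.25:80        TIME_WAIT       0
  TCP    192.168.1.10:1050      192.168.1.1:80         ESTABLISHED     1520
  TCP    192.168.1.10:1061      198.51.100.7:6667      ESTABLISHED     2304
  UDP    0.0.0.0:1900           *:*                                    1108
"""

# Assumption: these ranges count as "my own LAN" and are not reported.
LAN = [ipaddress.ip_network(n) for n in
       ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) for every TCP/UDP row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            yield parts[0], parts[1], parts[2], parts[3], int(parts[4])
        elif len(parts) == 4 and parts[0] == "UDP":  # UDP rows have no State
            yield parts[0], parts[1], parts[2], "", int(parts[3])

def is_local(host):
    """True for loopback, link-local, LAN or unparseable hosts."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return True
    return ip.is_loopback or ip.is_link_local or any(ip in n for n in LAN)

def external_peers(text):
    """Map PID -> sorted remote endpoints outside the LAN (ESTABLISHED only)."""
    peers = defaultdict(set)
    for _, _, remote, state, pid in parse_netstat(text):
        if state == "ESTABLISHED" and not is_local(remote.rsplit(":", 1)[0]):
            peers[pid].add(remote)
    return {pid: sorted(eps) for pid, eps in peers.items()}

def listeners(text):
    """Return (proto, local endpoint, pid) for sockets accepting inbound traffic."""
    return [(p, l, pid) for p, l, _, s, pid in parse_netstat(text)
            if s == "LISTENING" or p == "UDP"]

if __name__ == "__main__":
    print(external_peers(SAMPLE))
    print(listeners(SAMPLE))
```

Each PID in the result can be matched to an executable through the PID column in Task Manager's Processes tab.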
 
