What is causing traffic on your computer?
From Phoenix Labs Wiki
A How-to guide for analyzing traffic on your computer—A guide for noobs
Written by Anonyblessed
Edited by fox
INTRO
This guide is written assuming you're running PeerGuardian 2 (PG2) and Windows XP. If you're just starting with PeerGuardian, the log files can be a little confusing. This guide explains how to work out what is going where and why (or at least which program on your machine is responsible for it).
PROTECTION PAGE
When you first open PeerGuardian 2 (PG2) you'll see a screen with a tab titled "Protection" highlighted. If you're connected to the Internet and traffic is passing, you'll see rows of numbers scrolling down. Each row (left to right) is a packet, sometimes referred to as a hit. Packets are what PeerGuardian *filters*: it either lets the packet continue its journey or, if the packet meets certain conditions, gives it the business and ends its life right there (drops it). The columns, left to right, are Time, Range, Source, Destination, Protocol, & Action.
TIME
Time is the time PG2 saw the packet, sometimes referred to as the time-stamp. Range is the entry in your blocklist that the packet's address fell into: a range of IP addresses together with a label identifying who is using that range. Who owns which range is usually fairly static, but it does change over time, which is one reason to keep your lists updated.
SOURCE
Source is the IP address of the packet's sender; Destination is where the packet is going. Both are displayed as xxx.xxx.xxx.xxx:yyyyy, where the x's are the IP address and the y's are the port. Your system's IP will be one of these (unless you're acting as a gateway). You can find your IP by going Start>Run>type "cmd">Enter>type "ipconfig /all">Enter and looking for the line that says IP Address. If you're behind a home router, this will be a private address such as 192.168.x.x, and that is the address PG2 logs, not the public address the rest of the Internet sees. On dial-up this address may change every time you connect; most broadband connections hand you the same IP back when the lease renews, so if you're on broadband it's worth memorizing. It will make reading your logs much easier as you won't have to cross-reference all the time. If your IP appears in the Source field, the packet is part of an outbound connection or an attempt to start one. Destination is the opposite of Source: if your IP is in this field, it is an inbound connection or an attempt to start one.
PROTOCOL
Protocol is, loosely, the *language* the packet is in (an inaccurate descriptor, I know). Generally you will see TCP or UDP with a sprinkling of ICMP, though this varies between networks. A further explanation is beyond the scope of this document.
ACTION
Action is the final field and there are only two possibilities: Allow or Block. I'm betting you know what these indicate. If you were thinking Allow lets the packet continue normally and Block drops the packet, you're right and deserve a piece of chocolate cake. Don't ask Mom just yet; we still have more work, and if you're paying attention you might get some ice cream with it.
SETTINGS
Next to the "Protection" tab is the "Settings" tab. This is where you configure PG via page 1 (Back) and page 2 (Next). On page 1, "History" is the section to watch. You want "Log allowed connections" enabled, meaning you see the check mark; without it, only blocked packets end up in your history and half of this guide goes nowhere. The next field controls archiving; I have mine set to archive and remove every 7 days, but you may want a shorter interval, perhaps every 2 days. The remaining items on this page are up to you. Page 2 has some items you will want to double-check. Under "Startup", make sure "Start with Windows" is checked. Under "Updates", ensure "Check PeerGuardian", "Check lists", & "Auto update every" are enabled. If you do a lot of p2p, set your frequency to 1 day. Even if you don't, you should still update frequently, since the ranges in the lists change over time. Customize the remaining options to your liking.
HISTORY
Now you're ready to dive into a big pile of fun: logs. I'm not going to address archived logs here; search the forums for that. From the PG2 "Protection" tab click "View history". This brings up a window with three tabs: All, Blocked, Allowed. The "All" tab displays every IP packet that passed in or out of your computer, "Blocked" shows all packets dropped by PG, and "Allowed" lists every packet that successfully passed through PG2 (this tab stays empty unless you enabled "Log allowed connections" in Settings). Say you're curious about which blocks you've been getting and why. What do you do next? First do a little research on the external IP address. You can do that here: <http://www.whois.sc/>. This site gives you some background on the IP in question, such as who it is registered to. Information obtained here may or may not be useful, and it tells you nothing about which program on your own machine was talking to that address. To get the bona fide good stuff we have to go back to your computer.
PORTS
Every connection your computer makes uses a local port to send and receive data, and you can read that port straight out of the logs: it is the port attached to your local IP, in Source for outbound packets and Destination for inbound ones. Once you have established your local port, you're ready to track it down. Go to Start>Run>type "cmd">Enter>type "netstat -ano">Enter. You may want to maximize this new window for your viewing pleasure. This is a list of the connections your computer currently has open and the ports it is listening on. Columns left-to-right: Proto, Local Address, Foreign Address, State, & PID. (UDP rows have no State, since UDP keeps no connection state.) If you find the resemblance to PG2's columns eerie, well, it's just inherent in the system. What you want to do is find the row whose Local Address matches your IP and port from PG2. Two things to watch for: a program listening on every interface shows up as 0.0.0.0:port rather than your IP, and netstat only shows what is open right now, so a connection that has already closed leaves nothing to match; run netstat while the traffic is happening. Once you find the row, follow it over to the PID column. PID is Process ID and is how your OS keeps track of applications/processes running (sort of). Remember this number for the next step. (On XP SP2 and later, "netstat -anob" run from an Administrator account also prints the name of the executable behind each row, which can save you the Task Manager step.)
TASK MANAGER
Open up Task Manager. You can do this by right-clicking a blank area in the taskbar and selecting it from the menu, or by pressing Ctrl+Shift+Esc. Alternatively you can search Windows Help for a more detailed explanation. Go to the Processes tab and look at the columns listed there. You should see one titled PID. If not, click View>Select Columns...>check "PID">OK.
Cross-reference the PID with the output of netstat -ano to find the executable responsible for sending/receiving the packet. Do this in the same session as the netstat run: PIDs and ports change between reboots and as programs start and stop, so an old PID may now belong to something else entirely. If the name of the executable doesn't tell you enough, google it.
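The three steps above (decide direction from which side holds your IP, match your local IP:port against netstat, map the PID to a program) are tedious by hand once you have more than a handful of hits. The script below is an added example, not code from the wiki or from PeerGuardian 2, that does the same cross-reference over pasted text. Everything in it is constructed for illustration: the log rows imitate the six Protection columns as tab-separated text (this is not PG2's own export format), the NETSTAT and TASKLIST strings imitate the text `netstat -ano` and `tasklist` print on XP (tasklist ships with XP Professional; if your edition lacks it, read the PID column in Task Manager instead), and the range labels and process names are made up. Replace the three strings with your own output to use it for real.

```python
"""Trace PG2-style log rows to a PID and program via `netstat -ano` and `tasklist`.

Added example, not part of the original wiki page or of PeerGuardian 2. Every
input below is constructed: the log rows imitate PG2's six Protection columns
(Time, Range, Source, Destination, Protocol, Action) as tab-separated text, and
NETSTAT / TASKLIST imitate Windows XP `netstat -ano` and `tasklist` output."""
import re

LOCAL_IPS = {"192.168.1.5"}  # constructed: what `ipconfig /all` shows for this box

# Constructed PG2-style rows (made-up Range labels).
PG2_LOG = """\
21:14:02\tExample Tracker Range\t192.168.1.5:3126\t203.0.113.17:6881\tTCP\tBlock
21:14:03\t-\t192.168.1.5:1034\t198.51.100.20:80\tTCP\tAllow
21:14:05\tExample Ad Server\t192.0.2.44:53\t192.168.1.5:1029\tUDP\tBlock
21:14:06\tExample Scanner\t198.51.100.99:4444\t192.168.1.5:135\tTCP\tBlock
"""
# Constructed `netstat -ano` output; note UDP rows carry no State.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    192.168.1.5:1034       198.51.100.20:80       ESTABLISHED     1844
  TCP    192.168.1.5:3126       203.0.113.17:6881      SYN_SENT        2460
  UDP    192.168.1.5:1029       *:*                                    1096
"""
# Constructed `tasklist` output (made-up process names).
TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
svchost.exe                  932 Console                 0      4,212 K
firefox.exe                 1844 Console                 0     41,300 K
azureus.exe                 2460 Console                 0     88,104 K
svchost.exe                 1096 Console                 0      3,980 K
"""
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
TASKLIST_ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def split_endpoint(ep):
    ip, _, port = ep.rpartition(":")  # '192.168.1.5:3126' -> ('192.168.1.5', 3126)
    return ip, int(port)


def parse_pg2_log(text):
    rows = []
    for line in filter(str.strip, text.splitlines()):
        time, rng, src, dst, proto, action = line.split("\t")
        rows.append({"time": time, "range": rng, "src": src, "dst": dst,
                     "proto": proto, "action": action})
    return rows


def local_side(row, local_ips=LOCAL_IPS):
    """Our IP in Source means outbound, our IP in Destination means inbound."""
    if split_endpoint(row["src"])[0] in local_ips:
        return "outbound", row["src"], row["dst"]
    if split_endpoint(row["dst"])[0] in local_ips:
        return "inbound", row["dst"], row["src"]
    return "transit", None, None  # neither end is us (gateway/forwarding case)


def parse_netstat(text):
    """Map (proto, local ip, local port) -> (pid, state)."""
    table = {}
    for m in filter(None, map(NETSTAT_ROW.match, text.splitlines())):
        proto, local, _foreign, state, pid = m.groups()
        ip, port = split_endpoint(local)
        table[(proto, ip, port)] = (int(pid), state or "")
    return table


def parse_tasklist(text):
    """Map PID -> image name."""
    return {int(m.group(2)): m.group(1)
            for m in map(TASKLIST_ROW.match, text.splitlines()) if m}


def attribute(log_rows, netstat_table, procs, local_ips=LOCAL_IPS):
    """Attach direction, PID and image name to every log row we can match."""
    results = []
    for row in log_rows:
        direction, local, remote = local_side(row, local_ips)
        hit = dict(row, direction=direction, remote=remote, pid=None, image=None, state="")
        if local is not None:
            ip, port = split_endpoint(local)
            # A program listening on all interfaces appears as 0.0.0.0:port in
            # netstat, so fall back to that when the exact local address is absent.
            entry = (netstat_table.get((row["proto"], ip, port))
                     or netstat_table.get((row["proto"], "0.0.0.0", port)))
            if entry:
                hit["pid"], hit["state"] = entry
                hit["image"] = procs.get(hit["pid"], "<pid not in tasklist>")
        results.append(hit)
    return results


if __name__ == "__main__":
    for h in attribute(parse_pg2_log(PG2_LOG), parse_netstat(NETSTAT), parse_tasklist(TASKLIST)):
        who = (f"PID {h['pid']} ({h['image']}) {h['state']}".rstrip() if h["pid"]
               else "no open socket (connection already closed; rerun netstat while traffic flows)")
        print(f"{h['time']} {h['action']:<5} {h['proto']} {h['direction']:<8} {h['remote'] or '-':<20} -> {who}")
```

Two details in the matching are worth noting. The inbound hit on port 135 has no netstat row for 192.168.1.5:135, only one for 0.0.0.0:135, which is how a service listening on every interface appears; the fallback lookup catches that. The UDP row has no State column at all, so the netstat regex treats State as optional rather than assuming a fixed number of fields.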
You can also look into packet capturing with a program like Ethereal or Analyzer. This lets you look at the contents of the packets themselves, although they may be meaningless to you unless you know how to read them.

