Solved

Windows network security : how to know what data I am sending and Where ? + anti hacking intrusion services

Posted on 2003-11-03
232 Views
Last Modified: 2013-12-04
Hello all,

I am on windows XP home, and am using the XP firewall.

I'm using a peer to peer program (emule) and an internet traffic monitor (networx).
It looks like the outgoing traffic is much more important than the one I authorize (I've capped it at 7 kbytes in emule, and it shows 15 in NetWorx). I'm not doing any other thing Internet related.

I have already conducted an extensive virus scan to look for possible trojans or other backdoors, with no result.

I wonder if there really is additional traffic, if yes, what is this overhead traffic and where it goes. I would like to know if there is a simple program to determine what files I am sending and to what IP address.

Thanks if you can point me to a good (and simple) program for doing that. If that program has anti hacking services included, even better.

best regards,

Fabrice
Question by:fabricedeparis
7 Comments
 
LVL 3

Expert Comment

by:nonsence
ID: 9672614
here's a nice simple to use program that does the job and is free for windows

http://download.com.com/3000-2085-10062969.html?part=65960%20&subj=dlpage&tag=button

it doesn't capture data or anything. just shows what's open, what file is accessing the internet and what ip it's connected to on what port, etc etc. all in a one window graph. it's great
 
LVL 5

Expert Comment

by:juliancrawford
ID: 9675825
I use a free program called Vision from Foundstone for this network analysis.
http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/vision.htm

This also shows you what IPs are connecting to your system, what ports and what programs - it also allows you to terminate any unwanted critters ;)
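The two tools recommended above do one thing at their core: map each open socket to the process that owns it and show the remote IP and port. The same view can be built from two commands that ship with Windows, `netstat -ano` (connections with owning PID) and `tasklist /fo csv` (PID to image name). The script below is an added example, not code from this thread or from either tool; the netstat and tasklist outputs embedded in it are constructed samples in the real column layout, and the allow-list of "expected" programs is an assumption for illustration.

```python
import csv
import io
import re
from collections import OrderedDict

# Constructed sample of `netstat -ano` output (not captured from the poster's
# machine); column layout follows the real Windows command. The [::1] row is
# there to exercise the bracketed IPv6 form.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:1182      62.241.53.2:4662       ESTABLISHED     1844
  TCP    192.168.1.10:1183      81.56.12.7:4662        ESTABLISHED     1844
  TCP    192.168.1.10:1190      80.239.14.5:4661       ESTABLISHED     1844
  TCP    192.168.1.10:1201      207.46.134.155:80      ESTABLISHED     2204
  TCP    192.168.1.10:1205      10.0.0.99:6667         ESTABLISHED     3312
  TCP    [::1]:1300             [::1]:5357             ESTABLISHED     4
  UDP    0.0.0.0:4672           *:*                                    1844
"""

# Constructed sample of `tasklist /fo csv` output, used to turn PIDs into names.
TASKLIST_SAMPLE = """"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","912","Console","0","4,512 K"
"emule.exe","1844","Console","0","45,120 K"
"iexplore.exe","2204","Console","0","22,008 K"
"update.exe","3312","Console","0","1,204 K"
"""

# One netstat row: proto, local, foreign, optional state (absent for UDP), pid.
_NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); handles '[::1]:135' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` output into a list of connection dicts."""
    rows = []
    for line in text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if not m:
            continue  # banner, column header, blank lines
        proto, local, foreign, state, pid = m.groups()
        rows.append({"proto": proto, "local": split_endpoint(local),
                     "remote": split_endpoint(foreign), "state": state or "",
                     "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def remote_endpoints_by_process(netstat_text, tasklist_text):
    """Return {process name: [(remote ip, remote port), ...]} for live peers.

    Listening sockets and unbound UDP sockets ('*:*') are not talking to
    anyone, so they are skipped; everything else is a peer this box is
    exchanging data with right now.
    """
    names = parse_tasklist(tasklist_text)
    talkers = OrderedDict()
    for c in parse_netstat(netstat_text):
        host, port = c["remote"]
        if c["state"] == "LISTENING" or port is None or host in ("0.0.0.0", "*"):
            continue
        name = names.get(c["pid"], "pid %d" % c["pid"])
        talkers.setdefault(name, []).append((host, port))
    return talkers


def unexpected_talkers(talkers, allowed):
    """Processes with live peers that are not on the allow-list (assumed list)."""
    return {name: peers for name, peers in talkers.items() if name not in allowed}


if __name__ == "__main__":
    # On a real box replace the samples with the live command output, e.g.
    #   subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    #   subprocess.run(["tasklist", "/fo", "csv"], capture_output=True, text=True).stdout
    summary = remote_endpoints_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for name, peers in summary.items():
        print(name)
        for host, port in peers:
            print("    -> %s:%d" % (host, port))
    print("not on allow-list:", unexpected_talkers(summary, {"emule.exe", "iexplore.exe", "System"}))
```

What this gives you is exactly what the GUI tools give: destination, port and owning process, not the file being sent. A snapshot only shows sockets open at that instant, so run it a few times while the upload counter is climbing; a process you did not expect (here the constructed `update.exe` talking to port 6667) is the thing to investigate further.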
 
LVL 24

Expert Comment

by:SunBow
ID: 9678255
> how to know what data I am sending and Where ? + anti hacking intrusion services

The first step is to install and run ZoneAlarm firewall (or Sygate). Block everything. Now:

simply watch what is attempted for being sent.  For free, you do get the destination and the process, port, but not the files.  Traffic is about more than files, but if you get the first few pieces, you can find more. Especially important if not permitted (which is purpose of ZA, to stop the unpermitted).
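SunBow's "block everything and watch what is attempted" also works with the built-in XP firewall, with one caveat: its log records the destination and port of each dropped packet but not the process, so you still need the netstat-style mapping to get from port to program. Once logging of dropped packets is enabled in the firewall's settings (an assumption here: the exact dialog path is not given on this page), the log is a plain text file whose `#Fields:` header names the columns. The script below is an added example, not from the thread or from Microsoft; the log lines are constructed, and the parser reads the column names from the header rather than hard-coding them, so it tolerates a different field list.

```python
from collections import Counter

# Constructed sample of a Windows Firewall log (pfirewall.log). The field list
# here is taken from the file's own "#Fields:" header; nothing below assumes
# a fixed column order.
FIREWALL_LOG_SAMPLE = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2003-11-03 21:14:02 DROP TCP 192.168.1.10 62.241.53.2 1182 4662 48 S 1234567 0 65535 - - - SEND
2003-11-03 21:14:05 DROP TCP 192.168.1.10 62.241.53.2 1184 4662 48 S 1234890 0 65535 - - - SEND
2003-11-03 21:14:07 DROP UDP 192.168.1.10 80.239.14.5 4672 4665 59 - - - - - - - SEND
2003-11-03 21:14:09 DROP TCP 203.0.113.9 192.168.1.10 3421 135 48 S 555 0 8192 - - - RECEIVE
2003-11-03 21:14:12 ALLOW TCP 192.168.1.10 207.46.134.155 1201 80 48 S 777 0 65535 - - - SEND
"""


def parse_firewall_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue  # other header lines and blanks
        if fields is None:
            raise ValueError("log record seen before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # partial record: the file is being appended to while read
        yield dict(zip(fields, values))


def dropped(text, path):
    """Count DROP records in one direction ('SEND' or 'RECEIVE').

    Outbound drops are keyed by destination (who your box tried to reach);
    inbound drops are keyed by source (who tried to reach you) plus the local
    port they aimed at.
    """
    counts = Counter()
    for rec in parse_firewall_log(text):
        if rec["action"] != "DROP" or rec["path"] != path:
            continue
        peer = rec["dst-ip"] if path == "SEND" else rec["src-ip"]
        counts[(peer, rec["dst-port"], rec["protocol"])] += 1
    return counts


def blocked_outbound(text):
    """Per (dst-ip, dst-port, protocol): what the box tried to send that was blocked."""
    return dropped(text, "SEND")


def blocked_inbound(text):
    """Per (src-ip, local-port, protocol): what the outside world probed."""
    return dropped(text, "RECEIVE")


if __name__ == "__main__":
    # On a real box: open(r"C:\WINDOWS\pfirewall.log").read() (path assumed)
    for (ip, port, proto), n in blocked_outbound(FIREWALL_LOG_SAMPLE).most_common():
        print("blocked outbound %s -> %s:%s  x%d" % (proto, ip, port, n))
    for (ip, port, proto), n in blocked_inbound(FIREWALL_LOG_SAMPLE).most_common():
        print("blocked inbound  %s from %s to local port %s  x%d" % (proto, ip, port, n))
```

Outbound drops that repeat against the same destination and port while no program of yours should be running are the interesting rows; match the port against the netstat output taken at the same time to find the owner. The inbound counts are the "anti hacking" side of the same log: they show who is scanning you, though a blocked probe is by definition not a compromise.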
 
LVL 1

Author Comment

by:fabricedeparis
ID: 9754613
Hi there,

I've made several tests, and I'm a little nonplussed. I've tried the different portscanners suggested, very simple to use, not that easy to understand. So i didn't make much of that intel. Only that

So I came back to simple testing. If I stop my peer to peer service (emule) the upload rate nearly instantaneously falls down to under 2kb/s. So it seems that if there is a haemorrhage somewhere that's where it happens. This is confirmed by the port scanner.
However inside emule, as I mentioned, i never go above 7kb/s with an average around 5.

If I try an FTP upload without emule, on my provider FTP, I get around 8kb/s average, with a max at 10.

I'm starting to suspect that it could simply be a combination emule using a lot of upload traffic for "additional" tasks (whatever those can be, setting up connection, etc...) and reporting only on the main tasks (exchanging files), and a current poor performance of my ISP in terms of upload capacity.

For Sunbow : I already use XP firewall. I can install ZA, but I don't see what else it would teach me since stopping emule seems to stop outgoing traffic, and I am a little cautious with firewall installations since last time I tested another, (the firewall from Ontrack systemsuite) it simply rebooted my system each time it started (at boot).

Anyway, I just leave this topic open a little more in case someone can prove the following statement wrong :

it seems there is no simple way of knowing what is the source (file) of the data that is being sent, but only where you send it, through what port and via what application. Maybe through the use of packet sniffers or that sort of tool can you know what the data sent really is (especially if it comes from a specific file, and not from an application tunneling it), but those tools seem fairly difficult to use to me.

Anyone got a better view on this ?

Cheers,

Fabrice

PS : just for mentioning in case it interests someone dropping on this topic in the future, I also tested DiamondCS Port Explorer, which isn't freeware but gives more advanced possibilities than Active Ports (like integrated packet sniffer, socket spy, and the quantity of data sent by each process). Also, for the paranoid with a lot of time to learn a new tool, I could advise to look at Snort (www.snort.org). Open Source Network Intrusion Detection System. Very interesting features, but far too complicated (command line option type) for me though :p
 

Accepted Solution

by: isamu_2000 (earned 100 total points)
ID: 10456813
I think the simple answer to this is that emule is using the bandwidth to maintain connection to the servers and also to fulfill search request responses (since there is no way to disable the upload function in emule/edonkey).
 
LVL 1

Author Comment

by:fabricedeparis
ID: 11423582
Sorry for forgetting that question. Yes, in the end it was just emule overhead bandwidth consumption. It went down drastically with a new version of emule. Well, I learned how to use a port scanner at least :)

Thanks Isamu, and cheers everyone,

Fabrice