Monitoring internet traffic..

Discussion in 'other software & services' started by pbw3, Sep 15, 2009.

Thread Status:
Not open for further replies.
  1. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    Sorry, I was trying to be amusing in my last post. I had forgotten that I was born without a sense of humor.

    But seriously, from my recollection, Wireshark didn't list the process ID and data rates for each port, etc. I could be mistaken or perhaps it's been updated in the years since I've tried it. Correct me if I'm wrong.
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Wireshark, as a packet sniffer, is able to go into 'promiscuous' mode, where it can sniff packets on the entire network node. Packet sniffers, in my experience, are much too intensive for use everyday, on a normal machine. What separates a firewall from a packet sniffer? I used to know, but never found the need to use that knowledge so it has gone by the wayside. A packet sniffer has its place, but for all-the-time use, it is a pretty excessive approach.

    I guess it depends on how often you want to know what is going on. You could just grab a copy of openports, it is still floating around, and it does UDP endpoint address mapping, and can log into a text file. I built a program once that used a few different tools, including openports, tcpview, tdimon and wireshark. Its purpose was to display/log the goings on of the NIC, and create host file entries or whatever your needs were from the data.

    A firewall is much more efficient IMO.

    Sul.
     
  3. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,080
    Location:
    U.S.A.
    No need to apologize. One never knows a new member's expertise level. I also provided a description, besides the link, for those visitors who could be reading this thread as well.

    It's been a while since I used Wireshark, but I believe it does list those 2 items via Display Filters, but with 96,000 of them, it's hard to keep track. Perhaps SMB2 and COPS could be the ones, but in all honesty, I can't recall. Here's their User Guide, plus other documentation, in case you're interested.

    As Sully stated, for home use... Wireshark is overkill! If anyone wants to try it, I recommend the Windows PortableApps (32-bit) version.
     
  4. pbw3

    pbw3 Registered Member

    Joined:
    Nov 12, 2007
    Posts:
    113
    Location:
    UK
    Hi.. Yes, I have read through this and tried it.. it's the first monitor I have managed to get to work properly, as in provide useful info..:)

    It is actually providing similar information to the firewall log (the firewall logs obviously show all blocked and other info as well), except that SmartSniff does not provide "outbound" bytes on data size, and that is whether using RawSockets or Winpcap. Neither data capture option provides me with the application / process involved at all (even though there is a column for the process), whereas the firewall does..

    However.... On this particular set up, it caused my firewall packet log to have a bit of a panic attack..!! I did actually think I had come under attack, looking at the profile of the blocks - regular and repeated blocks (>1,000) from the same outside addresses against a sequence of - or the same - internal ports.... until I realised the attack addresses were the same IPs at exactly the same time that SmartSniff was collecting info.. Another clue was that the firewall wasn't shouting while this was happening, it was just "saving up a scare" for when I next looked at the packet log..!! You live and learn... and it seems to do it irrespective of the SmartSniff capture method as well, rawsockets or winpcap...

    Thx for the rec.. I may look at this some more - and as you say it is a free tool, but suspect that on this particular machine it's "either / or" as regards the firewall..:)
     
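The "saving up a scare" effect pbw3 describes, a burst of blocked packets from the same outside addresses that only lines up with the time the sniffer was running, is easy to triage if the firewall log is checked against the capture window. The script below is an added example, not from the thread or from any of the tools named in it: it assumes a constructed log line format and a constructed capture window, groups blocks per source address, flags bursts, and separates bursts that fall wholly inside the capture window from the ones that deserve a closer look.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not any real firewall's): "<ISO time> BLOCK <src_ip> -> <dst_port>/<proto>"
SAMPLE_LOG = "\n".join(
    [f"2009-09-18T20:15:{s:02d} BLOCK 203.0.113.7 -> {1024 + s}/UDP" for s in range(40)]
    + [f"2009-09-18T21:02:{s:02d} BLOCK 198.51.100.9 -> 445/TCP" for s in range(40)]
    + ["2009-09-18T20:30:00 BLOCK 192.0.2.1 -> 22/TCP"]
)

# Assumed: the interval during which the local sniffer was capturing.
CAPTURE_WINDOWS = [(datetime(2009, 9, 18, 20, 10), datetime(2009, 9, 18, 20, 20))]


def parse_log(text):
    """Return (timestamp, src_ip, dst_port, proto) for each BLOCK line."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "BLOCK":
            continue  # skip malformed lines and non-block entries
        port, proto = parts[4].split("/")
        events.append((datetime.fromisoformat(parts[0]), parts[2], int(port), proto))
    return events


def find_bursts(events, threshold=20, window=timedelta(minutes=5)):
    """src_ip -> (total, first, last) for sources with >= threshold blocks in any sliding window."""
    by_src = defaultdict(list)
    for ts, src, _port, _proto in events:
        by_src[src].append(ts)
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1  # slide the window start forward
            if end - start + 1 >= threshold:
                bursts[src] = (len(times), times[0], times[-1])
                break
    return bursts


def classify(bursts, windows=CAPTURE_WINDOWS):
    """Split bursts into those wholly inside a local capture window (likely self-generated) and the rest."""
    inside, outside = {}, {}
    for src, (count, first, last) in bursts.items():
        target = inside if any(w0 <= first and last <= w1 for w0, w1 in windows) else outside
        target[src] = count
    return inside, outside
```

Bursts in `outside` are the ones that still need investigation; the ones in `inside` coincide with the local capture and match the pattern described above.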
  5. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358

    Have you tried the above configuration, directly from their website? The processes weren't capturing for me either until I did this. It's a little confusing because you can still add the columns for the processes through another method, but they won't capture until you go to 'Advanced Options' and activate it.
     
  6. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358

    Toggle the "Display Outgoing/Incoming Data" option. It will give you outgoing and incoming total bytes.

    Possibly you've actually messed around with the options and it's just not working on your system for some reason. But my guess is you haven't tried all the options.
     
  7. pbw3

    pbw3 Registered Member

    Joined:
    Nov 12, 2007
    Posts:
    113
    Location:
    UK
    Hi.. Yes, I tried that..

    and that..

    possibly - I do like to "play" after loading something new.. I think I went through most possibilities...

    I guess not all systems will always be amenable to everyone every day of the week.. even though I think I probably have a fairly standard Vista SP1 box here.. Something somewhere is possibly causing a minor conflict of some sort, maybe the mobile broadband toggle / not sure..
     
  8. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    I stand corrected. I'm using XP SP2 32-bit, and it's working perfectly for me.

    Good luck finding something that works.
     
  9. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    A packet sniffer will have the ability to look not just at the packet headers, but also at the payload of each packet. In other words, to "sniff" exactly what is being transferred (provided that you have the ability to interpret the info). For example, Acrobat Reader will connect out on every startup. If you wish to know why, use a packet sniffer ;)
    _______________________

    I am surprised no one has mentioned Colasoft products (whose forums are hosted here on Wilders). If you have serious intentions to monitor your traffic, by protocols and endpoints, I have not yet seen a better tool. Just take a look at these screenshots, they should be self-explanatory.

    The info may be overkill for most, and the software isn't cheap (as it is mainly aimed at corporate users), but I thought it would be good to mention it, perhaps just as a reference.
     
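Seer's distinction between looking at headers and looking at the payload is the practical difference between a firewall log entry (endpoints, ports, TTL, flags) and what a sniffer can show. The decoder below is an added example, not from the thread or from any sniffer named in it: it walks an Ethernet II / IPv4 / TCP frame with the standard library and returns the header fields a firewall would log alongside the payload bytes only a sniffer exposes. The sample frame is constructed here with documentation addresses and zeroed checksums (the decoder does not validate them).

```python
import struct
from ipaddress import IPv4Address

ETH_HDR = "!6s6sH"            # dst MAC, src MAC, EtherType
IP_HDR = "!BBHHHBBH4s4s"      # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst
TCP_HDR = "!HHIIHHHH"         # sport, dport, seq, ack, offset/flags, window, csum, urgent


def parse_frame(frame):
    """Decode Ethernet II + IPv4 + TCP and return header fields plus payload.
    Anything other than IPv4/TCP raises; checksums are not validated."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    _dst_mac, _src_mac, ethertype = struct.unpack(ETH_HDR, frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4 (EtherType 0x{ethertype:04x})")
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(IP_HDR, ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("only IPv4/TCP is decoded here")
    tcp = ip[ihl:total_len]            # IP total length bounds the segment (drops Ethernet padding)
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4   # TCP data offset is in 32-bit words
    return {
        "src": f"{IPv4Address(src)}:{sport}",   # what a firewall log shows
        "dst": f"{IPv4Address(dst)}:{dport}",
        "ttl": ttl,
        "flags": off_flags & 0x1FF,
        "payload": tcp[data_off:],              # what only a sniffer shows
    }


def build_frame(payload, sport=49152, dport=80):
    """Constructed sample frame: documentation addresses, PSH|ACK, checksums left zero."""
    eth = struct.pack(ETH_HDR, bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), 0x0800)
    ip = struct.pack(IP_HDR, 0x45, 0, 40 + len(payload), 1, 0x4000, 64, 6, 0,
                     IPv4Address("192.0.2.10").packed, IPv4Address("198.51.100.20").packed)
    tcp = struct.pack(TCP_HDR, sport, dport, 1000, 2000, (5 << 12) | 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload
```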