Monitoring internet traffic..

How do I effectively monitor information to and from the computer (ie internet traffic etc)..

What I would like is a simple log continually updated that I can come back to and look at in detail later, preferably through a pretty GUI or alternatively through a dump to Excel. I would like details of the applications initiating or dealing with the connection, with volumes sent / received for each, along with ports and protocols etc.

I am using Vista Business SP1 and using the Vista F/W (inbound only).. What I am trying to do with the above is simply understand better where (by application / port / protocol etc) traffic is entering and leaving the computer from, and how much traffic (ie bytes). I am not trying to look at the specific detail of what is transferred from A to B, just understand what is taking place (and volumes).

Resource Monitor (Network) gives a good summary, a one minute live snapshot of connections and bytes, which I always keep open, but if I am outside the one minute window covered by the stats, I lose what it is reporting.

The Vista firewall log does not provide details of traffic volumes, nor does it provide names for known IP addresses or the application initiating the connections etc.. It also reports every single action - rather than grouping (or being able to summarise) actions that are part of the same process (which is what Resource Monitor seems to achieve).

I have briefly looked at the trial versions of X-Netstat Pro (would not show bytes in and out at all for the connections listed, even after downloading winpcap and switching Sniffer on, when it then struggled to find an adapter?) and Network Traffic Monitor (would not start, as it could not locate any network adapters at all), and IP Traffic Monitor (worked partially but would not allow Resource Monitor to work whilst it was running). I am using a mobile broadband toggle connected to a USB to get to the internet for this purpose..

An alternative approach might be an outbound firewall and simply controlling what is allowed, but initially this is more concerned with getting a better understanding of what is happening - rather than trying to control it.

Is there any product that people can recommend in that context? Or alternatively - is there an idiot proof way of getting Resource Monitor to collect a data log of the info I am looking for (ie extended for ports / protocol etc) that I can later then interrogate on screen or dump into Excel (so that I can sort / drill / eliminate etc).. or is a third party firewall (in allow mode for outbound) with good logging facilities a possible route..

Any thoughts at all..??

 

I've been using AppRanger recently, not the live behaviour monitoring, or the sandbox application, mainly just its scanning and logging features.

I know if you use Internet Explorer, it has some great logging features of each day. See a whole '20 seconds' of browsing with internet explorer. Otherwise has a calendar where you select and view your browsing for each day.



Otherwise, it's general logging shows which application is starting, and when. This is useful in seeing which application is trying to make an outbound connection, trying to update and so on. I've been able to remove a number of applications that were either updating/executing in the background.



Also shows system changes on a day to day basis.



Might not be what you're after, but could be of some use.

 

Yes, this is a nice thing to have but not so easy to get. I have tried different ways, but still the best way I have found is to use an older version of Outpost v2-4. In the file preset.lst you create 2 basic rules, allow and deny. Delete everything else. Then start outpost. If you are in rules wizard, when a new application starts, you then have 2 options, allow or deny. Or you can leave it in allow most where it only blocks things that are specifically blocked. In this manner, you don't have to create much in way of firewall rules. But, you do get access to all logs, and outpost provides some nice logs. On XP the WFW does log, but not the best logs. I think Window Firewall Log Viewer is the program I used to use to look at them, but still they are rudementary.

If you router logs traffic you might be able to use a few different router log viewer programs to see what is leaving the router, or what ports are being hit inbound. Not as effective as using outpost either.

I know of no way other than a firewall to get really good logs.

HTH.

Sul.

 

You are absolutely right - I can see how it might be useful (especially re software trying to do its own update thing!), though, as you indicate, the log reporting would seem to be a small part of the functionality that I might be using..

If I am reading it correctly, it looks as if the logging might appear focused more towards the applications that are running rather than the internet activity taking place (its primary focus)..?

 

Yes, it does (help) and thanks..

The "nice thing to have but not so easy to get" was instinctively where I could sense this might head, from my searches on this - but was hoping it wouldn't...

The third party firewall does have an advantage in that I can combine looking at this further with also subsequently locking things down in the F/W, if I then want to go down that route.. And if doing that, Outpost is also pretty good as a F/W.. Is there anything special about the functionality of v2-4 versus 2009 in that context, particularly wrt logging? I haven't tried this yet, but would assume (from the details on the web site) that 2009 would be just as capable (on that front)?

Unfortunately, I'm not using a router (it's a mobile broadband toggle on a USB connection) - yes, I remember seeing one or two interesting possibilities with router logging as I was looking through this...

I must admit I can't help feeling there should be other straightforward possibilities - and without going OTT..!? After all, if Resource Monitor (as part of Windows) can have a partial stab at this in live mode..!! (or prerhaps I haven't followed through the significance of something above specifically re v2-4??)..

 

pbw3, you're right with the program focussing on programs trying to launch.

But it has the ability where you can double-click and gather more information on the file, or under the 'system state changes' log, you can remove the file.

See this post where I noticed a previously installed AV had a component remaining to update, or initiate the task scheduler.
https://www.wilderssecurity.com/showpost.php?p=1538717&postcount=134

Also has a lockdown feature where only installed applications can run, everything else will be blocked. You can turn on-off lockdown at the click of a button.

Without going too far off topic, there is another program to measure actual internet traffic, per day, per week.

http://www.portablefreeware.com/index.php?id=1489#comments



It's the only program I've found which actually monitors a 'wireless' connection. All the other programs sit silent.

I don't think I'm helping your original request, but if you find something suitable, let us know how it goes. I guess with both programs I mentioned at the same time, you could see what is launching, and how much bandwidth is being used.

 

I have looked a lot for such a program to merely show what has been happening. Maybe the fw in vista/7 can produce some logs that are decent, I don't know.

Many firewalls are good products, each with thier devoted following. I guess I can't really knock any of them as I personally feel people choose software based on how they can navigate and understand it rather than if it is "best". For me, older outpost fw had a relatively simple UI, fairly light resources. It was the fastest and most logical for me. Newer programs IMO are almost always 'loaded' with options and tools, and are just feeling 'bloated' to me.

The biggest reason I like older outpost though is because of the use of the preset.lst file. In it, you can make your own customizations so that when a new program is needing rules, your custom rules can be added to the default list, or as i suggested, you only see your options.

If you need to make many rules in a firewall, older outpost works, newer works, other products work, they all can supply logs. If you only want logs, older outpost has the advantage of being 'probably' lighter on resources but also easily set to still let you have control over whether a program is allowed online or not, in a very easy 'allow or deny' default choise.

Sul.

 

I didn't realise that. Actually, my mobile broadband toggle has a simple log for monitoring total bandwidth, which is consistent with the real time info in Task Manager Networking (& Resource Monitor), so I am reasonably happy that the totals are monitored (ie whatever their form - cable versus mobile etc)..

That would work.. - but I can't see how to get there, even assuming it exists..

Understand and completely agree.. like most things, it's what you do with a product that usually counts for a lot more than the tool itself (a camera is a perfect example)..

OK - I understand - re Outpost v2 etc...

Thinking about this further, if I am looking to marry up all network traffic activity to the applications initiating that traffic, then I guess an application firewall logically is the obvious answer to this.. although that still leaves me wondering why the three products I looked at above (in the original post) would not work as expected, as I am guessing they were accessing the same places..

I will look at this further and, if no other options, I think I may lean towards the third party firewall.. Even though I was primarily looking for a monitoring tool, it does make sense, particularly if I then want to change things as a result of that monitoring..

Many thanks again to you both for your help on this..

Peter

 

ProcNetMonitor by SecurityXploded: http://securityxploded.com/procnetmonitor.php Process Network Port Monitoring Tool renovated, with 'Port Finder' feature.


P.

 

i always used to use Port Reporter, nick s showed it to me in this thread -
https://www.wilderssecurity.com/showthread.php?t=61319
http://www.microsoft.com/downloads/...9b-bae9-4243-b9d6-63e62b4bcd2e&displaylang=en


i used it with xtail to watch it in real time if i wanted
http://www.xymantix.com/programs/xtail.html

and DeskPins to keep xtail 'always on top'
http://users.forthnet.gr/pat/efotinis/programs/deskpins.html

i just looked up Port Reporter and saw the Port Reporter Parser tool that can be used with the logs to make reading the logs easier -
http://support.microsoft.com/kb/884289

Availability and description of the Port Reporter tool
http://support.microsoft.com/kb/837243

i found a PDF that shows what the logs look like as well as the parser tool, which i think uses .net
PortReporter.pdf

 

Not sure if you found something suitable, but i was browsing BitsduJour.com and saw something coming up on the 25th.

IP Traffic Monitor and here's the screenshots.

In the history tab (3rd and 4th) screenshots, you can see options to show days of the month, applications, destination along with the number of connections for each process along with how many MB downloaded and uploaded by it.

Seems to do exactly what you want, anyhow it's down from $39.95 to $9.95 when it goes on sale. It's not a free solution, but seems to be a good solution for the discounted price.

 

IP Traffic Monitor looks like a useful program.

 

Hi.. Have now been trying the firewall route with Outpost.. and have to say the logging in there is exactly (near enough) what I was looking for... I still have to dump to Excel (and do some simple pivots on App / port etc) to make it really useful, but still pretty good overall.. I also quite like the firewall, which was not where I started with regard to this, but as I see more what is coming in and out and from where, I will inevitably want to control it..

Thx for the additional recs - prorootetc & iceni60 - and 1boss1 re IP Traffic Monitor..

I did try IP Traffic Monitor (as per my original post) but couldn't really get it to play properly - wasn't sure if that was partly due to the mobile broadband toggle or some other conflict.. it also wouldn't let Resource Monitor run alongside it at the same time; and I use Resource Monitor (Network) routinely - it's easy to read and follow for a simple "one minute open" live view - and hence was then struggling to check or understand why IP Traff Mon was not reporting things correctly..

iceni60 - the parser tool does seem to provide a similar view to Outpost (looking at the pdf diagram, although I didn't test it, and was also not sure if it was good for Vista), but by then I had already started going down the firewall route, and increasingly, having put some time in looking at Outpost, I am inclined to "stick", as I do quite like the layout / format / control etc.. and it seems to run easily for me without conflicts...

Hope IP Traf Mon works well for others that try it, especially with the discount..

 

Just out of curiosity, which version of Outpost are you using?

Sul.

 

I am trying out the latest one (Pro 2009).. I know you suggested one of the old v2 - v4 versions, but I did a quick look at the evolution table on the Agnitum web site, which indicated that the logging on 2009 should be at least as good as that before - also, I am running Vista and I assumed that the most up to date version would be the most compatible..

Must say that I do like the style and format etc.. I find it all very useable; including the Host Protection part which I thought originally I might just switch off, but even say on maximum, after some initial chatter, it quietens down very quickly.. In a perfect world, the interface on the GUI logs might be better (ie in that the filtering and sorting functionality is not extensive at all), but given how easy it is to dump usable historical analysis into Excel, I'm actually being quite picky..!!

 

I liked the simplicity of the older versions, but I just thought the logs were better in them is why I mentioned it. The new Outpost is ok. I don't know why, but Outpost has always made more sense in its layout for me than any other firewall. Most of them work well, but I found others to be more of a hassle to create/modify everything than Outpost.

At least you have your logs. One thing I have never looked at with the newer Outposts is if they still have the preset.lst files. That file is my favorite part of Outpost, because I could modify that will all my rules for my programs, and then on a reinstall I just had to put that file in place and when a program was started, all I had to do was pick it from my preset list.

later.

Sul.

 

Unfortunately, no. The developers were concerned about competition copying their rulesets, so they can no longer be edited in newer versions. I really miss those presets of the older versions.

*Edit*

Jetico ver 2 does have pretty decent, detailed logging and offers the option to create rules directly from log entries with a right-click context menu

 

That explains why I couldn't find them!

Shame, one of the first things I went looking for, in the logs folder when I loaded this, was the one that contained all the rules, because I wanted a simple printable summary that I could then read through and understand, separately from the intricacies of the GUI. With the current version I think you export configuration files from the GUI and then simply import them back later as you need them, but they are not in a notepad type readable format, which would be really great if they were, for comparing them..

The two files in the main program directory, I am guessing are as follows:
1) the personal configuration - the much smaller file: configuration.conf (and .backup), and
2) the initial generic presets - the larger file: _preset.conf

 

Hey Guys I have also been looking for a similar program as long as it is one I dont have to pay for, but it seems that their are not many available that I have found suitable for Vista. Port reporter is built for XP, does anyone know if installing it on Vista with compatibility settings would work ok?

 

In older outpost versions, the configuration was not text, only the presets. I don't know why they got rid of that feature, as it only contained simple presets for things like browsers in general or IE specifically. Every firewall that has presets probably uses about the same setting anyway. The preset.lst file in no way was even updated, it was what it was from the start unless the user modified it. Go figure.

If I ever get the urge to try a new firewall I will see if there isn't SOME way to do this as I don't like having to use a GUI to do stuff that could easily be done in a simple text file.

Sul.

 

SmartSniff should do what you want. It's my favorite network monitoring tool.

http://www.nirsoft.net/utils/smsniff.html

 

Have you tried SmartSniff? As far as I can tell, it does everything you want. The only possible exception is that it doesn't display the process for UDP packets, however it does for TCP packets.

So, basically, it gives you the protocol, the port, and the process. Plus you have the option of capturing the actual data or just the statistics. It seems nearly perfect to me.

Perhaps I should have extolled its virtues in my last post.

 

Wireshark anyone?

 

Never heard of it.

Edit: In all seriousness, I think Wireshark is a more complex tool that may not be as suitable for what the OP asked. Basically, with SmartSniff, it gives everything he/she's asking in the simplest possible package.

I haven't tried Wireshark in a while. Do you know if it lists the processes, data transfer rate, and total data transferred?