Win7 - tool to display network requests

Discussion in 'other firewalls' started by Sully, Oct 5, 2010.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I am looking for a specific tool for win7. I am desiring a program that is much like a firewall, using the drivers in the same way that a firewall would, to monitor net activity.

    As an example, older firewalls used to give a grid type display of what process was holding what open. Programs like tcpview and currports can do this, but not all of them handle UDP endpoint mapping and they all produce effects on the network system - that is they are querying counters like netstat does or are in fact using netstat. I do not want this.

    I have tried every free firewall I can find to use on win7. I don't want a HIPS or any other super duper firewall suite effect. I don't mind using a firewall as long as you can allow all traffic (no rules basically), still see the status in a technical/usable way (very concise view of active connections laid out with enough data for research/experimentation, not just "port is open"), and you can turn it off when not needed. (I mean shut services down, etc). I also don't want to spend an hour RTFM to figure out how to disable all the super duper security features.

    Anyone who has used Outpost v1 would know the type of UI I desire. Just give me maximum real estate to show something like what tcpview does, but with a driver so that the performance levels are maintained.

    I know I am asking for something that does not exist, and I may have to make concessions. I have neutered the firewalls I tried to simply allow anything, but their status displays are so small or just not providing the data I want. I have built my own tools which do what I want, but they all query the counters and this imposes a performance hit. I don't know how to build firewall type drivers or I would.

    I played with windows firewall a bit, but it just doesn't give any realtime status. Using a script or filter to parse out the log file is ok, but I was hoping for something real time.

    Anyone got any ideas?

    Sul.
     
  2. Pedersen

    Pedersen Registered Member

    Joined:
    May 4, 2010
    Posts:
    234
    Netlimiter 3 pro.

    That's the best program I know of :p
     
  3. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    Maybe you would find something at
    http://www.netscantools.com/download.html

    Years ago, I used one of their freebies called eStop on Win 98 / XP (or I think that was the name). But if my memory serves me well, it was not monitoring UDP connectoïds... and I am not aware it was ever ported to win 7.

    HTH

    EdiT
    There is also this free "ConnectionGuard" v2.2.9, but I did not use it as yet (btw, does it work on win 7?). I don't have a trustee working link to it!
     


    Last edited: Oct 5, 2010
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Thanks. Netlimiter might work. I think I tested that some time ago, but can't remember. The interface looks familiar. I would like to give it a try for net limiting sometime, as I have a particular need.

    I decided to give Outpost v6 a test run, as it is somewhat small resource wise, does show what I want and does give a good log. I simply turned everything off and set it to Allow Most mode. I start it up when I want to see what has transpired, otherwise leave it off. I suppose getting a license from them will be hard since the new version is out. That's what happened to me last time.

    Ah well, a day late and a dollar short is not always bad.

    P.S. I started going through all 2000+ sourceforge projects. Maybe I will find something worthwhile in there. If WFW would only log the process along with the packet infos, it would work just fine.

    Sul.
     
  5. wat0114

    wat0114 Guest

    As sparviero kindly pointed out, it might work for you :)
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I gave that a try. It is pretty crude, and although it works, I could not get the 'whole' package to do what I wanted. I simply want a tool that when I start it, logs the processes that transmit or receive data, the port and protocol used, and ideally unique remote IP addresses. I don't want the firewall to prompt me. I don't want to create rules.

    I gave WFW a try but it just doesn't do what I need it to. The events did not show clearly to me what I wanted. It could be that I was doing it incorrectly, but I turned Stem's thread into a .pdf and went over it many times.

    The raw packet logs in WFW lag a bit behind real time events, but they would work if they only included the process. As it is I had to resort to a 3rd party tool. Not the way I wanted to do it, but the only way I can see to do it.

    I am troubleshooting a problem that is pretty queer, which I believe has to do with IPv6. Actually, UDPv6 packets. I have to fix this issue soon. I am not used to v6 stuff. I have seen many many different topics on how to disable IPv6. I must say, they should have waited a while longer to introduce it if it is not 100% backwards compliant. Turning it off in win7 (which is what I am experimenting/researching with) is turning into an exercise in frustration.

    I am sure to learn something I was not anticipating, so I guess that is a plus of it all.

    Thanks.

    Sul.
     
  7. wat0114

    wat0114 Guest

    If the other suggestions don't fill your specific needs, it may be tough to find something that will. Have you tried Jetico firewall? The logging is quite detailed, and ipv6 can be logged easily enough. Sample portion shown. BTW, the HIPS functionality can be disabled, leaving only the pure firewall modules.

    *EDIT* ipv6 can't be disabled as per attached screenshot?
     


    Last edited by a moderator: Oct 7, 2010
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I started with that method. Then moved onto some netsh methods, some reg methods, then removing Teredo adapters (disabling).

    I still find a couple tcpv6 and quite a few udpv6 ports open. I am doing this in vm, so perhaps there is an issue with it.

    Sul.
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    From what I gather you can't remove IPv6, you can only disable it. I performed the disabling about 4 ways, and found the ports still open and all sending packets but not receiving any, I believe.

    I settled on this method, although I am unhappy that those ports are still held open, I accept that the inclusion of IPv6 is future-proofing things, even if it might cause issues now.

    Code:
    netsh int 6to4 set state disabled
    netsh int isatap set state disabled
    netsh int teredo set state disabled
    Device Manager>show hidden devices
    Network Adapters>Wan Miniport IPv6 > disable

    Reboot.

    Sul.
     
  10. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    Windows Firewall with Advanced Security in Windows 7 and Windows Server 2008 R2 supports logging/tracing tools: netsh capture, netsh trace, and so on.

    To start, go to:

    http://technet.microsoft.com/en-us/library/cc754451(WS.10).aspx

    I believe that with patience you can find everything you can.

    I wish you a very beautiful day...
     
  11. wat0114

    wat0114 Guest

    Disabling it seems to be possible, but removing it may be quite a challenge. After clearing the checkbox for ipv6, I did not see any related packets outgoing in the firewall logs for 15 minutes. That certainly does not prove it's disabled, but it was a huge difference to the numerous ipv6 packets I see with it enabled.
     
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Thank you. I will see what that link has to offer. I would rather use in-built if possible.

    Sul.
     
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Run tcpview. See tcpv6 and udpv6 ports. Outpost shows ports open and will show bytes sent/received.

    Disable IPv6 with the method you like. Run tcpview again, see ports are still open. IPv6 is not removed only disabled. I will assume this means the port is open because the service is running, and when a service that uses IPv6 opens a port, it opens both tcp and tcpv6. I don't like it, but for now will live with it.

    Now that you have disabled IPv6, examine your firewall sent/receive logs for those IPv6 ports. On vm and on live machine, tested last night, some IPv6 ports do send data out. I haven't logged any inbound traffic yet, but definitely see outbound.

    Have you heard of a tool similar to Windows Worm Doors Cleaner for win7? Or some reg tweaks to manually modify open ports that can be manipulated? Or, perish the thought, to close IPv6 ports.

    Sul.
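One way to do what this post asks (go through the firewall's send/receive log and see which IPv6 ports are still talking), as an added example that is not code from anyone in this thread: a small Python parser for the Windows Firewall pfirewall.log text format, run here over constructed sample lines in that layout. It summarises packets by address family, protocol, direction and remote port and collects the unique remote addresses, which the log does provide even though it lacks the owning process.

```python
import ipaddress
from collections import Counter

# Constructed sample in the pfirewall.log layout (not a real capture);
# the #Fields header is the one Windows Firewall writes.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-10-07 21:15:02 ALLOW UDP fe80::1c2b:3d4e:5f60:7a8b ff02::1:3 54321 5355 0 - - - - - - - SEND
2010-10-07 21:15:02 ALLOW UDP 192.168.1.10 224.0.0.252 54322 5355 0 - - - - - - - SEND
2010-10-07 21:15:05 ALLOW TCP 192.168.1.10 203.0.113.5 49201 80 0 - 0 0 0 - - - SEND
2010-10-07 21:15:06 DROP UDP 192.168.1.25 192.168.1.10 137 137 78 - - - - - - - RECEIVE
2010-10-07 21:15:09 ALLOW UDP fe80::1c2b:3d4e:5f60:7a8b ff02::c 54323 1900 0 - - - - - - - SEND
"""

def parse_log(text):
    """Yield one dict per packet line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):   # skip truncated lines rather than guess
                yield dict(zip(fields, parts))

def family(addr):
    """'v6' or 'v4' for a literal address, 'other' for anything unparseable."""
    try:
        return "v6" if ipaddress.ip_address(addr).version == 6 else "v4"
    except ValueError:
        return "other"

def summarize(text):
    """Packets per (family, protocol, direction, remote port), plus the unique remote addresses per key."""
    counts, remotes = Counter(), {}
    for rec in parse_log(text):
        outbound = rec["path"] == "SEND"
        remote_ip = rec["dst-ip"] if outbound else rec["src-ip"]      # remote = dst on SEND, src on RECEIVE
        remote_port = rec["dst-port"] if outbound else rec["src-port"]
        key = (family(remote_ip), rec["protocol"], rec["path"], remote_port)
        counts[key] += 1
        remotes.setdefault(key, set()).add(remote_ip)
    return counts, remotes

def ipv6_outbound(text):
    """Outbound packets with an IPv6 remote: the traffic still leaving after IPv6 is 'disabled'."""
    counts, _ = summarize(text)
    return sum(n for (fam, _p, path, _port), n in counts.items()
               if fam == "v6" and path == "SEND")
```

Point it at the real log (default %SystemRoot%\system32\LogFiles\Firewall\pfirewall.log, with logging of allowed and dropped packets turned on) and the v6 keys show which local services are still emitting link-local multicast after the disable steps above.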
     
  14. wat0114

    wat0114 Guest

    Okay, I'll try that later Sully. Thanks!
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    An FYI for anyone interested.

    HKLM\System\CurrentControlSet\Services\tcpip6

    Start = 3 (dword)

    Do not set this to 0 (disabled).

    Things go completely haywire. Seems it is bound to tcpip. Seems disabling the service, umm, pretty much borks the tcpip stack. I made the mistake of doing this in my real system rather than vmWare, which I should have tried first. A major major PITA to rectify.

    I have combed the registry to what is likely the best of my ability, and found no way to actually close the ip6 ports. They are open.. period. They may not receive data, but they sure do transmit it. This is most unsatisfactory. Why send data on a protocol that is disabled? Only reason I can think of is that the data is bound to tcpip, and whatever it sends out also is sent on ip6. I wonder if the data is duplicated at the packet level, or if it is only physically sent once, just so happens on two protocols.

    Ah, a gentle reminder to take precautions. lol.

    Sul.
     
  16. wat0114

    wat0114 Guest

    LOL!...it looks like your computer did something TO you this time :D :p
     
  17. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
  18. wat0114

    wat0114 Guest

    There's this MS link also but even with all ipv6 components (ffffffff) disabled, there's still a lot of ipv6 listening on several local ports.
     
  19. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Because the ip6 ports are still held open, I cannot tell which setting is correct 0x000000ff or 0xffffffff. There are many websites that say one way works, many the other way. Some say M$ has it wrong, some say they have it right.

    I chose to go the netsh route because I can manipulate it quicker. I really would like to close those port and stop that traffic. Anyone who finds the answer can be King for a Day ;)

    Sul.
     
  20. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    When asking for more help you need to give the real arguments (such as: which port? is the service listening? does it send data? and so on), but no matter.

    Have you disabled all IPv6 instances as you should (0xffffffff)?

    Then run the following command in cmd:

    netsh rpc add 127.0.0.0

    and reboot
    Now rpc will listen only locally on 127.0.0.1 !

    I wish you a very beautiful day...
     
    Last edited: Oct 9, 2010
  21. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I agree. But do note, I haven't yet brought up help on anything but ipv6 generically, not about ports (yet). It may well be that, as you suggest, there can be many tweaks to individual services/ports. I am still hoping to find a global way to close the ipv6 ports before going down the other routes like you have just shown :)

    Thanks for the info.

    Sul.
     
  22. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
  23. henryg

    henryg Registered Member

    Joined:
    Dec 13, 2005
    Posts:
    293
  24. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Espresso & henryg - thank you for the links. Those are interesting products that I have downloaded and will be testing.

    Thanks!

    Sul.
     
  25. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,566
    Hi Sully,

    give a try at cFosSpeed.
    The "Current Connections" window displays every active connection (protocol, local ip:port, remote ip:port, type of protocol, transmitted bytes, received bytes, transmitted bytes per second, received bytes per second, and total time of the connection).

    Plus, its logs archive the total transmitted bytes and total received bytes of each app on a daily basis. Those logs are used by its "usage graph" window to provide a graphical display.
    http://www.cfos.de/speed/documentation/graph_e.htm

    Panagiotis
     