
Where's the activity coming from?

Posted: Sat Jun 05, 2010 2:11 pm
by FireGryphon
I notice as I'm sitting doing whatever in Windows, the green activity bar in ZoneAlarm starts going crazy with activity. I think this is odd, since I'm not downloading anything or surfing the web at the time, and none of the programs that typically do updates (e.g. Steam) are doing anything. To figure things out, I ran TCPView from SysInternals. Unfortunately, TCPView doesn't indicate anything when ZoneAlarm's activity monitor runs green.

What else can I do to figure out what programs or processes are downloading stuff from the Internet?

Re: Where's the activity coming from?

Posted: Sat Jun 05, 2010 2:47 pm
by UberGerbil
It's been a while since I used ZoneAlarm, but doesn't it have options to show more detail about the activity it is reporting?

Process Explorer can be configured with per-process I/O activity graphs, which may tell you something (since that tracks a lower level than TCP/IP). The Resource Monitor in Windows 7 does something similar but without as much detail AFAIK.

Re: Where's the activity coming from?

Posted: Sat Jun 05, 2010 3:10 pm
by Aphasia
TCPView should indicate open sessions. Process Explorer is a good tool for looking at statistics, but if you really want to figure out what happens in this case, download and run Process Monitor. What it does is capture and log all events, including threads, profiling, networking, file access, etc. I just about always use Process Explorer and Process Monitor together to figure out what is happening.

If that doesn't cut it, you can always try Wireshark to actually capture the packets going out on the network interface. Or what you really should do is actually get a trace on a monitor port or similar tap upstream of your computer from a known good source, at least if you suspect anything is fishy with your comp. Depending on your router, you might set up a traffic log and check if you have open connections outside of the ones that Process Monitor / TCPView sees.

If it's something really bad, a rootkit or something, it can be that it actually buries itself beneath the OS and reports that everything is fine upwards, but depending on your OS, I haven't seen too many of those in the wild outside of the demos I got in a lab setting.
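The two checks suggested in this thread (attribute each connection to a process, then compare what the host admits to against what an upstream traffic log saw) can be scripted. The following is an added example and not code from any poster or from the tools named above. It assumes the column layout of `netstat -ano` and `tasklist /fo csv` on Windows 7, which is what the constructed samples below imitate; the router log format (one "src dst dport" line per flow) is an assumption standing in for whatever your router exports, and all sample data here is constructed.

```python
"""Attribute host connections to processes and diff them against an upstream
flow log. Sample data below is constructed; formats assumed: `netstat -ano`,
`tasklist /fo csv`, and a hypothetical "src dst dport" router log."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed `netstat -ano` output (Windows 7 column layout).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    192.168.1.10:49203     203.0.113.5:443        ESTABLISHED     2312
  TCP    192.168.1.10:49210     192.168.1.1:80         ESTABLISHED     1088
  TCP    192.168.1.10:49211     198.51.100.20:80       ESTABLISHED     2312
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5355           *:*                                    1088
"""

# Constructed `tasklist /fo csv` output.
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"svchost.exe","716","Services","0","5,000 K"
"svchost.exe","1088","Services","0","7,100 K"
"Steam.exe","2312","Console","1","90,000 K"
'''

# Constructed router log in an assumed "src dst dport" format. The last flow
# is one the host's own connection table never shows.
ROUTER_LOG = """
192.168.1.10 203.0.113.5 443
192.168.1.10 198.51.100.20 80
192.168.1.10 192.0.2.77 6667
"""

# Address ranges treated as "not the Internet" (RFC 1918, loopback, link-local,
# IPv6 ULA). Kept explicit rather than using ipaddress.is_private, which also
# classifies the documentation ranges used in the samples as non-global.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


def split_endpoint(endpoint):
    """'203.0.113.5:443' -> ('203.0.113.5', '443'); '[::]:445' -> ('::', '445')."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def is_external(host):
    """True only for a parseable address outside LOCAL_NETS ('*' is not one)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    if ip.is_unspecified or ip.is_multicast:
        return False
    return not any(ip in net for net in LOCAL_NETS)


def parse_netstat(text):
    """Rows of `netstat -ano`: TCP rows carry a State column, UDP rows do not."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header, blank
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts[:5]
        else:
            proto, local, remote, pid = parts[:4]
            state = ""
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist_csv(text):
    """PID -> image name from `tasklist /fo csv`."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def attribute_connections(netstat_text, tasklist_text):
    """Group non-listening connections to external hosts by (pid, image name)."""
    names = parse_tasklist_csv(tasklist_text)
    by_proc = defaultdict(list)
    for row in parse_netstat(netstat_text):
        rhost, rport = split_endpoint(row["remote"])
        if row["state"] == "LISTENING" or not is_external(rhost):
            continue
        proc = names.get(row["pid"], "<unknown pid %d>" % row["pid"])
        by_proc[(row["pid"], proc)].append((row["proto"], rhost, int(rport)))
    return dict(by_proc)


def host_flows(netstat_text):
    """(dst, dport) pairs the host's own connection table accounts for."""
    return {(h, int(p)) for r in parse_netstat(netstat_text)
            for h, p in [split_endpoint(r["remote"])] if is_external(h)}


def parse_router_log(text, src_ip):
    """(dst, dport) pairs the router saw leaving src_ip (assumed log format)."""
    flows = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == src_ip:
            flows.add((parts[1], int(parts[2])))
    return flows


def unexplained_flows(netstat_text, router_text, src_ip):
    """Flows the upstream tap saw that no connection on the host explains."""
    return parse_router_log(router_text, src_ip) - host_flows(netstat_text)


if __name__ == "__main__":
    for (pid, name), conns in attribute_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        print(pid, name, conns)
    print("unexplained:", unexplained_flows(NETSTAT_SAMPLE, ROUTER_LOG, "192.168.1.10"))
```

On Vista and 7, `netstat -anob` run from an elevated prompt prints the executable name next to each connection, which saves the join against `tasklist`. The router comparison only means something if the host side is sampled over the same window as the log: a single `netstat` snapshot misses short-lived connections, so either poll it in a loop while the router logs, or use Process Monitor's network events for the host side. A flow that persists in the upstream log and never appears on the host is the case Aphasia describes, where the host's own view can no longer be trusted.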

Re: Where's the activity coming from?

Posted: Mon Jul 12, 2010 9:27 am
by Contingency
Windows 7's Resource Monitor maps activity to processes.