
Darth Gerbil
Topic Author
Posts: 7497
Joined: Sat Apr 24, 2004 7:53 pm
Location: the abyss into which you gaze

Where's the activity coming from?

Sat Jun 05, 2010 2:11 pm

I notice as I'm sitting doing whatever in Windows, the green activity bar in ZoneAlarm starts going crazy with activity. I think this odd, since I'm not downloading anything or surfing the web at the time, and none of the programs that typically do updates (i.e. Steam) are doing anything. To figure things out, I ran TCPView from SysInternals. Unfortunately, TCPView doesn't indicate anything when ZoneAlarm's activity monitor runs green.

What else can I do to figure out what programs or processes are downloading stuff from the Internet?
Sheep Rustlers in the sky! <S> Slapt | <S> FUI | Air Warrior II/III
Grand Admiral Gerbil
Posts: 10211
Joined: Thu Jun 19, 2003 3:11 pm

Re: Where's the activity coming from?

Sat Jun 05, 2010 2:47 pm

It's been a while since I used ZoneAlarm, but doesn't it have options to show more detail about the activity it is reporting?

Process Explorer can be configured with per-process IO activity graphs, which may tell you something (since that tracks a lower level than TCP/IP). The Resource Monitor in Windows 7 does something similar but without as much detail AFAIK.
Grand Gerbil Poohbah
Posts: 3659
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden

Re: Where's the activity coming from?

Sat Jun 05, 2010 3:10 pm

TCPView should indicate open sessions. Process Explorer is a good tool for looking at statistics, but if you really want to figure out what happens in this case, download and run Process Monitor. What it does is that it captures and can log all events, including threads, profiling, networking, file access, etc. I just about always use Process Explorer and Process Monitor together to figure out what is happening.

If that doesn't cut it, you can always try Wireshark to actually capture the packets going out on the network interface. Or what you really should do is actually get a trace on a monitor port or similar tap upstream of your computer from a known good source, at least if you suspect anything is fishy with your comp. Depending on your router, you might set up a traffic log and check if you open connections that are outside of the ones that Process Monitor / TCPView sees.

If it's something really bad, a rootkit or something, it can be that it actually buries itself beneath the OS and reports everything is fine upwards, but depending on your OS, I haven't seen too many of those in the wild outside of the demos I got in a lab setting.
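An added example, not part of any post in this thread: one way to do the cross-check described above, comparing what the host reports (`netstat -ano` output) against flows logged upstream. Both samples are constructed, the router log layout is an assumed format, and the log is assumed to be taken on the LAN side so source addresses are not yet NAT-translated.

```python
import re

# Constructed sample: `netstat -ano` output captured on the host.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49211     203.0.113.10:443       ESTABLISHED     2140
  TCP    192.168.1.20:49230     198.51.100.7:80        TIME_WAIT       0
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  UDP    0.0.0.0:5355           *:*                                    1120
"""

# Constructed sample: upstream flow log; "TCP src -> dst bytes=N" is an assumed layout.
ROUTER_LOG = """\
TCP 192.168.1.20:49211 -> 203.0.113.10:443 bytes=18233
TCP 192.168.1.20:49230 -> 198.51.100.7:80 bytes=912
TCP 192.168.1.20:49305 -> 192.0.2.55:8080 bytes=4410221
TCP 192.168.1.31:50100 -> 203.0.113.10:443 bytes=700
"""
FLOW_RE = re.compile(r"^TCP (\S+) -> (\S+) bytes=(\d+)$")

def host_flows(netstat_text):
    """Return {(local, remote): pid} for TCP rows that have a real remote endpoint."""
    flows = {}
    for line in netstat_text.splitlines():
        f = line.split()  # TCP rows have 5 fields: proto, local, remote, state, pid
        if len(f) == 5 and f[0] == "TCP" and f[4].isdigit() and not f[2].endswith(":0"):
            flows[(f[1], f[2])] = int(f[4])
    return flows

def upstream_flows(log_text, host_ip):
    """Return {(src, dst): total_bytes} for logged TCP flows that originate from host_ip."""
    flows = {}
    for line in log_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m and m.group(1).rsplit(":", 1)[0] == host_ip:
            key = (m.group(1), m.group(2))
            flows[key] = flows.get(key, 0) + int(m.group(3))
    return flows

def unexplained(netstat_text, log_text, host_ip):
    """Flows the upstream device saw from host_ip that the host itself did not list."""
    seen = host_flows(netstat_text)
    return sorted((k, b) for k, b in upstream_flows(log_text, host_ip).items() if k not in seen)

if __name__ == "__main__":
    for (src, dst), nbytes in unexplained(NETSTAT, ROUTER_LOG, "192.168.1.20"):
        print(f"{src} -> {dst} ({nbytes} bytes) seen upstream but not reported by host")
```

A single netstat snapshot can miss short-lived connections, so a mismatch is a lead to follow up with a longer capture rather than proof that something is hiding traffic.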
Gerbil Jedi
Posts: 1534
Joined: Sat Jun 19, 2004 4:03 pm

Re: Where's the activity coming from?

Mon Jul 12, 2010 9:27 am

Windows 7's Resource Monitor maps activity to processes.
#182 TT: 13/DNVT, Precedence: Flash Override. Switch: Node Center. MSE forever.
