The Cellar  

Old 03-31-2004, 11:53 AM   #1
Beestie
-◊|≡·∙■·∙≡|◊-
 
Join Date: Feb 2003
Location: Parts unknown.
Posts: 4,081
detecting transmissions over one's internet connection...

How can one tell what's travelling back and forth over one's internet connection?

Couple of specific examples:

A virus is using my computer to assist in a DDoS attack.

I am receiving streaming audio/video. How can I tell what port the stream is coming in on? My workplace has blocked most streaming media but I am still able to get some from various radio stations but not others. I suspect they are using port blocking of the streaming port (1775???). How can I tell for sure?

A web bug is reporting back to its owner what I'm up to.

Etc.

How can I tell, at any given point, what traffic is flowing over my connection (who from, who to, what port, and the amount of data being transmitted - e.g., a trickle or a raging river)?

Is there a tool that I can use to help me figure this stuff out?
__________________
Old 03-31-2004, 12:04 PM   #2
Elspode
When Do I Get Virtual Unreality?
 
Join Date: Dec 2002
Location: Raytown, Missouri
Posts: 12,719
My home router has a log function that will tell me what port and destination is involved in any data going out or coming in...
__________________
"To those of you who are wearing ties, I think my dad would appreciate it if you took them off." - Robert Moog
Old 03-31-2004, 02:19 PM   #3
dar512
dar512 is now Pete Zicato
 
Join Date: May 2003
Location: Chicago suburb
Posts: 4,968
Do a Google search on win32 sniffer. You'll find stuff. Vague memories tell me that they're a lot of work to set up and interpret.

Might be easier to:

1) Use one of the many available tools to rid yourself of the virus.

2) Look in the app's settings and documentation to see what port it uses. Or you can use a software firewall like ZoneAlarm. There's a free version that might do the trick.

3) ZoneAlarm might also give you some of this.

To see the volume of traffic, that's built into Windows. Right click on My Network Places and choose Properties. Right click on the net connection you are interested in and choose Properties. You should see a checkbox for "Show icon in taskbar when connected". Check this and click OK. You should now see an icon in the taskbar that has two monitors - one behind the other. One screen shows blue when data is being sent, the other when data is being received. If they are both constant blue, you have a flood going on.

If you don't have a router protecting your home systems, I recommend getting one, pronto. Also read the stuff over at GRC. The stuff in there and the hardware firewall in the router will keep most of these issues at bay.

You should also update regularly from the Microsoft Update page. A lot of attacks come as the result of Microsoft publishing a patch. Hackers take a look at the patch, see what it fixes and then write hacks/viruses to abuse systems that don't have the patch yet.
Old 03-31-2004, 02:41 PM   #4
jaguar
whig
 
Join Date: Apr 2001
Posts: 5,075
There are some distinctly separate issues here: incoming, outgoing, application-level and packet-level. Each requires, to varying degrees, different solutions.

For seeing what your computer is spewing out I recommend ZoneAlarm. In terms of protection a cheap firewall/router will do the job, but a cheap ancient PC (a 486 will do it) with 2 ethernet cards running Smoothwall, IPcop or something similar will provide a far higher level of protection and easy configuration. Smoothwall et al. also provide detailed logging if desired, and you can add in a proxy like Squid for detailed web traffic info as well.

Nothing will provide an all-in-one instant security and monitoring solution but an IPcop box will give you much of what you need and includes some smarter anti-cracker stuff like Snort.
__________________
Good friends, good books and a sleepy conscience: this is the ideal life.
- Twain
Old 03-31-2004, 04:04 PM   #5
tw
Read? I only know how to write.
 
Join Date: Jan 2001
Posts: 11,933
Even the command
netstat -a
will report useful information. Also task manager can be used to find those 'illegal' processes that would be collecting information. These require you to learn what is and is not valid.
Old 03-31-2004, 06:46 PM   #6
Scopulus Argentarius
Your current user title is:
 
Join Date: Oct 2001
Location: BTR
Posts: 301
Ethereal - excellent packet sniffer, runs on win32 also.
You can actually see the raw packets...

Google it...
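A sniffer shows every raw packet, but the original question ("who from, who to, what port, trickle or river") is answered by adding packets up per flow. The following is an added example, not code from the thread or from Ethereal: it reads a constructed whitespace-separated packet summary (time, source, destination, protocol, ports, length; a hypothetical format, not a real tool's output) and reports bytes in and out, an average rate, and a trickle/river label per remote host and port. The local address range and the rate threshold are assumptions.

```python
from collections import defaultdict

LOCAL_PREFIX = "192.168.1."     # assumption: this machine's LAN address range
RIVER_BYTES_PER_SEC = 10_000    # assumption: average rate above this is a "raging river"

# Constructed sample capture (not real tool output), one packet per line:
#   <time_s> <src_ip> <dst_ip> <proto> <src_port> <dst_port> <length_bytes>
# It holds a stream arriving on port 8000, one DNS lookup, and a one-way
# trickle of small outbound packets to a single host.
SAMPLE_CAPTURE = "\n".join(
    ["0.00 192.168.1.10 203.0.113.5 TCP 1234 8000 60"]
    + [f"0.{i} 203.0.113.5 192.168.1.10 TCP 8000 1234 1460" for i in range(1, 10)]
    + ["1.00 203.0.113.5 192.168.1.10 TCP 8000 1234 1460",
       "0.05 192.168.1.10 198.51.100.1 UDP 1050 53 70",
       "0.06 198.51.100.1 192.168.1.10 UDP 53 1050 120"]
    + [f"0.{i} 192.168.1.10 192.0.2.9 UDP 40000 80 40" for i in range(0, 10, 2)]
)

def parse_capture(text):
    """Yield one dict per summary line, skipping blank or malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue
        t, src, dst, proto, sport, dport, length = fields
        yield {"t": float(t), "src": src, "dst": dst, "proto": proto,
               "sport": int(sport), "dport": int(dport), "len": int(length)}

def summarize_flows(text):
    """Map (local_ip, remote_ip, proto, remote_port) to bytes in/out, packet count,
    average rate over the capture window and a trickle/river label."""
    flows = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0, "packets": 0})
    times = []
    for p in parse_capture(text):
        times.append(p["t"])
        if p["src"].startswith(LOCAL_PREFIX):      # outbound: local -> remote
            key, field = (p["src"], p["dst"], p["proto"], p["dport"]), "bytes_out"
        elif p["dst"].startswith(LOCAL_PREFIX):    # inbound: remote -> local
            key, field = (p["dst"], p["src"], p["proto"], p["sport"]), "bytes_in"
        else:
            continue                               # not our traffic
        flows[key][field] += p["len"]
        flows[key]["packets"] += 1
    window = max(max(times) - min(times), 1.0) if times else 1.0
    for s in flows.values():
        s["rate"] = (s["bytes_in"] + s["bytes_out"]) / window
        s["label"] = "river" if s["rate"] > RIVER_BYTES_PER_SEC else "trickle"
        # Outbound-only flows with no reply deserve a second look; a hint, not a verdict.
        s["one_way_out"] = s["bytes_in"] == 0 and s["bytes_out"] > 0
    return dict(flows)
```

On the sample the port-8000 stream comes out as a river of about 14.7 KB/s, the DNS lookup as a trickle, and the outbound-only packets to 192.0.2.9 are flagged for a closer look.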
Old 04-01-2004, 10:58 AM   #7
mbpark
Lecturer
 
Join Date: Jan 2001
Location: Carmel, Indiana
Posts: 761
nmap, fport, and Kerio Personal Firewall

These three tools are your friends.

Nmap runs on Win32, and can tell you what ports you have open.

Fport, another free tool, tells you open ports, and what apps have them open.

Kerio Personal Firewall is a Deny By Default firewall which takes MD5 signatures of the files used to make outgoing connections, and uses that to determine whether to allow changed versions to run or not.

Fport is the best of the 3 for seeing what you have running and opening ports on you.

Mitch