#1
Track Unknown Download Bytes
I connected the network to the internet and noticed through my network monitor that over 100 mbs had been received and was continuing. I immediately disconnected from the internet. That seems to have stopped it. I need to monitor this on startup. Would like something simple I could start before connecting the internet which would possibly show the program or at least the IP address where this stuff is originating. Have Wireshark but I am looking for something more simple. Autoruns did not help me. I do have the Nirsoft utilities and Sysinternals Suite. There has to be something simple somewhere in these utilities but I am not picking it out. Running Windows 7 Pro 32 bit.

-- Bill
Brought to you from Anchorage, Alaska
#2
On 12/4/2016 2:47 PM, Bill Bradshaw wrote:
> I connected the network to the internet and noticed through my network monitor that over 100 mbs had been received and was continuing. I immediately disconnected from the internet. That seems to have stopped it. I need to monitor this on startup. Would like something simple I could start before connecting the internet which would possibly show the program or at least the IP address where this stuff is originating. Have Wireshark but I am looking for something more simple. Autoruns did not help me. I do have the Nirsoft utilities and Sysinternals Suite. There has to be something simple somewhere in these utilities but I am not picking it out. Running Windows 7 Pro 32 bit.

If you had W10 then you could just bring up task manager and look at the network column. I don't recall if W7 had a similar capability.
#3
Bill Bradshaw wrote:
> I connected the network to the internet and noticed through my network monitor that over 100 mbs had been received and was continuing. I immediately disconnected from the internet. That seems to have stopped it. I need to monitor this on startup. Would like something simple I could start before connecting the internet which would possibly show the program or at least the IP address where this stuff is originating. Have Wireshark but I am looking for something more simple. Autoruns did not help me. I do have the Nirsoft utilities and Sysinternals Suite. There has to be something simple somewhere in these utilities but I am not picking it out. Running Windows 7 Pro 32 bit.

The only thing I know of is Sysinternals TCPView. That shows executable name and the connection it is making (IP:portnum).

*******

The closer you get to T=0, the more difficult it becomes. Windows Performance Toolkit uses ETW trace events. It cannot record the network traffic, and all it does is log executable activities. And if you didn't like Wireshark, you won't like this. What this allows you to do is start a reboot with xbootmgr, and ETW traces everything after T=0, as soon as ETW is running. But if the name of the executable isn't something meaningful, you'll be no further ahead. Black hat materials, for all intents and purposes, will be untraceable. I can set up a dynamic address on the Internet, hide the ownership, use it for Command and Control, and a log of such a communication would be of no use to you. The only way your tracing work will pan out is if the activity is benign, and the materials and operations are properly labeled.

http://al.howardknight.net/msgid.cgi...nt-email.me%3E

*******

I think actually Sysinternals Process Monitor can also use ETW on a reboot, and after the reboot, Process Monitor can then be used to review the trace. That's better than the output of WPA related tools. Under Options is "Enable boot tracing". Give that a try.

It may not record enough material after boot to be really useful. Even with the WPA stuff, you may set the recording for 2 minutes or 20 minutes and find the recording ended before the interval you defined. Services hiding in SVCHOST will be mostly hidden. ETW doesn't tell you which one is doing it. All the SVCHOSTs go by the same name. So if malware were to hide as a service (even some Google add-ons did this), you would be hard-pressed to identify the activity. Using Wireshark/WinPCAP and recording addresses might make more sense with some sort of Google auto-update problem.

Paul
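As an added example (my own script, not part of Paul's reply and not a Sysinternals or NirSoft tool), the following PowerShell does what Paul describes TCPView doing, and also addresses the "all the SVCHOSTs go by the same name" problem: it reads `netstat -ano`, maps each owning PID to its image name with `tasklist /svc`, and for `svchost.exe` appends the list of services hosted in that PID, so a connection is attributed to a service rather than just to "svchost". It also prints the bytes-per-second received on each adapter from the WMI performance counters, so the download Bill saw on his network monitor can be lined up with the connection that appeared at the same moment. The function names (`Get-PidOwners`, `Get-RemoteConnections`, `Watch-Downloads`) are my own; it assumes Windows 7 with the stock PowerShell 2.0 and the built-in `netstat`, `tasklist` and WMI, nothing else installed. Start it before plugging in the network cable, as Bill wanted.

```powershell
# Added example, not from this thread. Attributes every remote connection to a
# process (and, for svchost.exe, to the hosted services) and shows per-adapter
# receive rate. Windows 7 / PowerShell 2.0 compatible; uses only built-in tools.

function Get-PidOwners {
    # Returns a hashtable: PID -> "image.exe" or "svchost.exe [Svc1,Svc2]".
    # tasklist /svc lists the services hosted in each process, which is the
    # detail ETW and plain netstat output do not give you.
    $owners = @{}
    $rows = tasklist /svc /fo csv /nh | ConvertFrom-Csv -Header 'Image','PID','Services'
    foreach ($r in $rows) {
        $label = $r.Image
        if ($r.Services -ne 'N/A') { $label = "$($r.Image) [$($r.Services)]" }
        $owners[[int]$r.PID] = $label
    }
    return $owners
}

function Test-LocalAddress {
    param([string]$Address)
    # Strip the port (everything after the last colon) and treat wildcard,
    # unspecified, loopback and link-local addresses as "not a remote peer".
    $addr = $Address.Substring(0, $Address.LastIndexOf(':')).Trim('[', ']')
    return ($addr -eq '*' -or $addr -eq '0.0.0.0' -or $addr -eq '::' -or
            $addr -eq '::1' -or $addr -like '127.*' -or $addr -like 'fe80:*')
}

function Get-RemoteConnections {
    # Parses `netstat -ano` (TCP rows have a State column, UDP rows do not)
    # and returns one object per connection whose peer is off this machine.
    $owners = Get-PidOwners
    $result = @()
    foreach ($line in (netstat -ano)) {
        $f = $line.Trim() -split '\s+'
        if ($f[0] -ne 'TCP' -and $f[0] -ne 'UDP') { continue }   # header/blank lines
        if ($f[0] -eq 'TCP') { $state = $f[3]; $procId = [int]$f[4] }
        else                 { $state = '';    $procId = [int]$f[3] }
        if (Test-LocalAddress $f[2]) { continue }                 # listeners, loopback
        $owner = $owners[$procId]
        if (-not $owner) { $owner = '(unknown PID)' }
        $result += New-Object PSObject -Property @{
            Proto = $f[0]; Local = $f[1]; Remote = $f[2]
            State = $state; PID = $procId; Owner = $owner
        }
    }
    return $result
}

function Watch-Downloads {
    param([int]$IntervalSeconds = 5, [int]$Samples = 12)
    # Each interval: receive rate per adapter, then the remote connections
    # sorted by owning process, with peers not seen in earlier samples flagged.
    $seen = @{}
    for ($i = 0; $i -lt $Samples; $i++) {
        Write-Host ("--- {0} ---" -f (Get-Date -Format 'HH:mm:ss'))
        $nics = Get-WmiObject Win32_PerfFormattedData_Tcpip_NetworkInterface |
                Where-Object { $_.BytesReceivedPersec -gt 0 }
        foreach ($n in $nics) {
            Write-Host ("{0,12:N0} B/s in   {1}" -f [int64]$n.BytesReceivedPersec, $n.Name)
        }
        foreach ($c in (Get-RemoteConnections | Sort-Object Owner, Remote)) {
            $flag = ''
            if (-not $seen.ContainsKey($c.Remote)) { $flag = '  NEW'; $seen[$c.Remote] = $true }
            Write-Host ("{0,-4} {1,-45} {2,-12} PID {3,-6} {4}{5}" -f
                        $c.Proto, $c.Remote, $c.State, $c.PID, $c.Owner, $flag)
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# One minute of samples, five seconds apart.
Watch-Downloads -IntervalSeconds 5 -Samples 12
```

A peer marked NEW in the same sample where an adapter's receive rate jumps is the connection to look at; the Owner column gives the process and, for a service host, the service names to check against `services.msc` or Autoruns. The script only observes (no packet capture, no changes to the system), so it can be left running across the moment of connecting, and the remote addresses it prints are the ones you would then look up or block at the firewall. It cannot see traffic that does not show up in netstat, such as a kernel-mode component, which is the case Paul's Wireshark/WinPcap suggestion still covers.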