Re: Is There A Free Program That Logs Internet Transactions?

[Jeff B]

jim evans wrote:
> If this isn't the best place to ask this please point me to the
> appropriate group.
>
> There are so many programs in the bowels of XP that are constantly
> accessing or being accessed by the internet it worries me. I would
> like to know which programs are doing this. Is there a free (or
> cheap) program that logs all these exchanges with the identity of the
> program on my computer that's involved with the exchange?
>
> jim

you need a firewall that performs logging.
mine (Norton NIS) allows rules to Permit,Deny, & Monitor.
The Monitor rules says 'log the contact and continue with the next rule'

when investigating web access, I enable the rule that says
monitor all outbound ports remote ports 80,443,8080,8081,110,143,25 tcp
there's more than enough to keep you reading ...

the connection log looks like
you'll not only see things you expect:
www.microsoft.com(207.46.199.30): http(80).
download.microsoft.com(207.46.253.62): http(80).
mail.adelphia.net(68.168.78.100): pop3(110).
68.111.16.30: domain(53).
up also the tracking and cookie stuff:
img.microsoft.com(209.18.34.103): http(80).
red.as-us.falkag.net(66.150.87.2): http(80).
ziffdavisglobal.112.2o7.net(216.52.17.216): http(80).

the firewall logs programs
Remote address,service is(mail.adelphia.net(68.168.78.100),pop3(110)).
Process "C:\Program Files\Common Files\SymantecShared\ccApp.exe".
Remote address,service is (24.48.217.227,domain(53)).
Process name is "C:\Program Files\Mozilla Firefox\firefox.exe".

--
---
Jeff B (remove the No-Spam to reply)

[Wayne]

There's a couple of ways to do this.
1. type "netstat -a -o" (don't type the "") the output will show a number of
columns, "local address" "foreign address" etc. Look at the one headed
"PID". Now, open XP's Task Manager, click on the Processes tab. Then, click
on View - Slect Columns and select PID (process identifier). Comparing at
the PID from the netstat output with the PID from Task Manager you can see
which executable is being used for each connection.
2. Download a freeware program called Active Ports from
http://www.protect-me.com/freeware.html

Wayne McGlinn
Brisbane, Oz

"jim evans" <jimsTAKE...@houston.rr.com> wrote in message
news:k8das1dso3ouahhdt...@4ax.com...

[SyNko]

But ICMP protocol it's not traked in this way. isn't true?

[Ric]

On Wed, 11 Jan 2006 10:58:34 -0600, jim evans
<jimsTAKE...@houston.rr.com> wrote:

>If this isn't the best place to ask this please point me to the
>appropriate group.
>
>There are so many programs in the bowels of XP that are constantly
>accessing or being accessed by the internet it worries me. I would
>like to know which programs are doing this. Is there a free (or
>cheap) program that logs all these exchanges with the identity of the
>program on my computer that's involved with the exchange?
>
>jim

http://support.microsoft.com/kb/837243
<http://www.microsoft.com/downloads/details.aspx?FamilyID=69BA779B-BAE9-4243-B9D6-63E62B4BCD2E&displaylang=en>

"Overview
Port Reporter logs TCP and UDP port activity on a local Windows
system. Port Reporter is a small application that runs as a service on
Windows 2000, Windows XP, and Windows Server 2003.

On Windows XP and Windows Server 2003 this service is able to log
which ports are used, which process is using the port, if the process
is a service, which modules the process has loaded and which user
account is running the process."

Ric

[Volker Birk]

jim evans <jimsTAKE...@houston.rr.com> wrote:
> There are so many programs in the bowels of XP that are constantly
> accessing or being accessed by the internet it worries me. I would
> like to know which programs are doing this.

http://www.sysinternals.com/Utilities/TdiMon.html

Yours,
VB.
--
maximum inquementum tum biguttam egresso scribe. meo maximo vestibulo
perlegamentum da. da duo tum maximum conscribementa meis listis. dum listis
decapitamentum damentum nexto fac sic nextum tum novumversum scribe egresso.
lista sic hoc recidementum nextum cis vannementa da listis. cis.

[Moe Trin]

On 11 Jan 2006, in the Usenet newsgroup comp.security.firewalls, in article
<1137026184....@g14g2000cwa.googlegroups.com>, SyNko wrote:

[use of windoze 'netstat' command]

>But ICMP protocol it's not traked in this way. isn't true?

http://www.iana.org/assignments/icmp-parameters

0792 Internet Control Message Protocol. J. Postel. Sep-01-1981.
(Format: TXT=30404 bytes) (Obsoletes RFC0777) (Updated by RFC0950)
(Also STD0005) (Status: STANDARD)

http://www.ietf.org/rfc/rfc0792.txt
http://www.faqs.org/rfcs/rfc0792.html
http://www.rfc-editor.org/rfc/rfc0792.txt
http://www.ccd.bnl.gov/network/general/rfc0792.html
http://www.cis.ohio-state.edu/htbin/rfc/rfc0792.html

There's nothing to "track". ICMP has a number of possibilities, but it
boils down to "ping" (ICMP type 8 requests, type 0 reply), and "error"
messages (ICMP type 3 - "Destination Unreachable" and ICMP type 11 -
"Time Exceeded" used by TRACERT.EXE or the original "traceroute"). The
ICMP type 5 (Redirect) is so easily abused as a "Denial Of Service" ploy
that nearly all operating systems ignore it.

ICMP does not use port numbers (the numbers your toy firewall shows as
source and destination port numbers are actually the "ICMP type" and
"ICMP code" values).

If you see an ICMP error packet, it has enough information inside the
packet for your computer to understand. You try to connect to some idiot's
web page and mis-type the hostname - and this other host isn't running a
web server. It will send back an ICMP packet that says "you said 'connect
to the web server here' but there is no web server". Or maybe there is
no host - a router will send back a similar "you said 'connect to the web
server at MUMBLE.FUMBLE.FOO' but I can't find that host".

ICMP has no conversations. It has only answers.

Old guy

[Duane Arnold]

"jim evans" <jimsTAKE...@houston.rr.com> wrote in message
news:k8das1dso3ouahhdt...@4ax.com...

> If this isn't the best place to ask this please point me to the
> appropriate group.
>

> There are so many programs in the bowels of XP that are constantly
> accessing or being accessed by the internet it worries me. I would

> like to know which programs are doing this. Is there a free (or
> cheap) program that logs all these exchanges with the identity of the
> program on my computer that's involved with the exchange?
>

Each one of the programs in the link are free.

Long

http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html

Short

http://tinyurl.com/klw1

Duane :)

[SyNko]

>CMP has no conversations. It has only answers.

Yes, but it could be used like tcp or udp. Its safe to block it or
track it everytime.

If i have installed a package into one lan pc, i can use this from the
outside and the firewall sucks

[Moe Trin]

On 13 Jan 2006, in the Usenet newsgroup comp.security.firewalls, in article
<1137152487.5...@g49g2000cwa.googlegroups.com>, SyNko wrote:

>>CMP has no conversations. It has only answers.

[ICMP has...]

>Yes, but it could be used like tcp or udp. Its safe to block it or
>track it everytime.

If you wish, you can block ICMP Type 0 outbound and type 8 inbound
to prevent others from 'pinging' you.

If you wish, you can block ICMP Type 0 and 8 completely to prevent
ping completely, which will also block the windoze version of TRACERT.

If you wish, you can block ICMP Type 3 outbound, and see a slight
traffic increase when outsiders try to contact you.

If you wish, you can block ICMP Type 3 completely, and see an increase
in traffic. This will also cause long delays when you make typing errors.

If you wish, you can block ICMP Type 11 if you don't use TRACERT.

You can block all _OTHER_ types, as they are rarely used, or are not
assigned to any service. But no matter, there is nothing to track.

>If i have installed a package into one lan pc, i can use this from the
>outside and the firewall sucks

This is not understandable.

Old guy