Eddy (Guest)
Posted: Wed Feb 27, 2008 6:19 pm    Post subject: How does one track down services that generate traffic?
Process Monitor only shows the top process id, which is svchost. I guess
svchost represents any number of services, any of which can be generating IP
traffic.
The question is: how does one zero in on the culprit service?
Chuck [MVP] (Guest)
Posted: Thu Feb 28, 2008 1:57 am    Post subject: Re: How does one track down services that generate traffic?
On Wed, 27 Feb 2008 10:19:08 -0800, Eddy <Eddy@discussions.microsoft.com> wrote:
> Process Monitor only shows the top process id which is svchost. I guess
> Svchost represents any number of services, any of which can be generating ip
> traffic.
> The question is how does one zero in on the culprit service?
I start with Process Explorer from Microsoft (SysInternals).
<http://nitecruzr.blogspot.com/2005/05/essential-tools-for-desktop-and.html#ProcessExplorer>
There, you find the Svchost instance in question, look under Services, and find
a list of what services are involved. And under TCP/IP, make a note of the
connections and their details. Pass the details here.
--
Cheers,
Chuck, MS-MVP 2005-2007 [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
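The same three steps Chuck describes in Process Explorer (find the svchost instance, read its Services list, note its TCP/IP connections) can be done from the command line, which also makes the result easy to paste into a post. The script below is an added example, not from the thread or from SysInternals; it assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection and Get-NetUDPEndpoint come from the built-in NetTCPIP module) and PowerShell 3.0 or later, run from an elevated prompt. The remote endpoint defaults are the ones from Eddy's listing and are only a starting value.

```powershell
# Added example (not the thread's or SysInternals' code): map network connections
# to the services hosted in the owning svchost.exe instance.
# Assumes Windows 8 / Server 2012+ (NetTCPIP module) and PowerShell 3.0+, elevated.
# Default remote endpoint taken from Eddy's listing; override with -RemoteAddress/-RemotePort.
param(
    [string]$RemoteAddress = '192.168.0.1',
    [int]   $RemotePort    = 5678
)

# 1. Established TCP connections to the endpoint of interest, and the PIDs owning them.
#    Filter on the remote side and the owning PID, not the local port: the local
#    port is the ephemeral client port and changes with every new connection.
$conns = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -eq $RemoteAddress -and $_.RemotePort -eq $RemotePort }

if (-not $conns) {
    Write-Warning "No established connections to ${RemoteAddress}:${RemotePort}"
    return
}

foreach ($ownerPid in ($conns.OwningProcess | Sort-Object -Unique)) {
    $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    "`n=== PID $ownerPid ($($proc.ProcessName)) ==="

    # 2. Services hosted in that process. One svchost.exe instance hosts a whole
    #    service group, so this is the list Process Explorer shows under 'Services'.
    $services = Get-CimInstance Win32_Service -Filter "ProcessId = $ownerPid"
    if ($services) {
        $services | Select-Object Name, DisplayName, StartMode, State |
            Format-Table -AutoSize | Out-String
    } else {
        "  (no services hosted in this process; an ordinary application)"
    }

    # 3. The connections themselves, the equivalent of Process Explorer's TCP/IP tab.
    $conns | Where-Object OwningProcess -eq $ownerPid |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State |
        Format-Table -AutoSize | Out-String

    # UDP has no connection state; list the UDP sockets the same process holds open
    # (Eddy's listing shows several, ntp among them).
    Get-NetUDPEndpoint | Where-Object OwningProcess -eq $ownerPid |
        Select-Object LocalAddress, LocalPort |
        Format-Table -AutoSize | Out-String
}
```

On the Windows XP era systems the thread is about, the same mapping is available without Process Explorer: `netstat -ano` prints the owning PID beside each connection, and `tasklist /svc` lists the services hosted in each PID, so joining the two on the PID column gives the svchost-to-service answer. Once the hosting services are known, stopping them one at a time while watching the connection is the usual way to confirm which one actually owns the traffic.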
Eddy (Guest)
Posted: Thu Feb 28, 2008 11:37 pm    Post subject: Re: How does one track down services that generate traffic?
Of course the TCP values are constantly changing as the port number
increases, usually by one. Port 1457 below is chosen at random. The port
numbers seem to cycle between 1000 and 4000 approx. Thanks for looking at it.

Protocol  Local               Remote            State
TCP       hpw01.mshome:1457   192.168.0.1:5678  ESTABLISHED
TCP       hpw01.mshome:1458   192.168.0.1:5678  ESTABLISHED
UDP       hpw01:9909          *.*
UDP       hpw01:1042          *.*
UDP       hpw01:ntp           *.*
UDP       hpw01.mshome:ntp    *.*
"Chuck [MVP]" wrote:
> On Wed, 27 Feb 2008 10:19:08 -0800, Eddy <Eddy@discussions.microsoft.com> wrote:
>> Process Monitor only shows the top process id which is svchost. I guess
>> Svchost represents any number of services, any of which can be generating ip
>> traffic.
>> The question is how does one zero in on the culprit service?
> I start with Process Explorer from Microsoft (SysInternals).
> <http://nitecruzr.blogspot.com/2005/05/essential-tools-for-desktop-and.html#ProcessExplorer>
> There, you find the Svchost instance in question, look under Services, and find
> a list of what services are involved. And under TCP/IP, make a note of the
> connections and their details. Pass the details here.
> --
> Cheers,
> Chuck, MS-MVP 2005-2007 [Windows - Networking]
> http://nitecruzr.blogspot.com/
> Paranoia is not a problem, when it's a normal response from experience.
> My email is AT DOT
> actual address pchuck mvps org.

Chuck [MVP] (Guest)
Posted: Fri Feb 29, 2008 7:43 pm    Post subject: Re: How does one track down services that generate traffic?
On Thu, 28 Feb 2008 15:37:01 -0800, Eddy <Eddy@discussions.microsoft.com> wrote:
> "Chuck [MVP]" wrote:
>> On Wed, 27 Feb 2008 10:19:08 -0800, Eddy <Eddy@discussions.microsoft.com> wrote:
>>> Process Monitor only shows the top process id which is svchost. I guess
>>> Svchost represents any number of services, any of which can be generating ip
>>> traffic.
>>> The question is how does one zero in on the culprit service?
>> I start with Process Explorer from Microsoft (SysInternals).
>> <http://nitecruzr.blogspot.com/2005/05/essential-tools-for-desktop-and.html#ProcessExplorer>
>> There, you find the Svchost instance in question, look under Services, and find
>> a list of what services are involved. And under TCP/IP, make a note of the
>> connections and their details. Pass the details here.
> Of course the tcp values are constantly changing as the port number
> increases, usually by one. Port 1457 below is chosen at random. The port
> numbers seem to cycle between 1000 and 4000 apprx. Thanks for looking at it.
>
> Prtcl---Local ---Remote ---State
> TCP---hpw01.mshome:1457---192.168.0.1:5678---ESTABLISHED
> TCP---hpw01.mshome:1458---192.168.0.1:5678---ESTABLISHED
> UDP---hpw01:9909---*.*
> UDP---hpw01:1042---*.*
> UDP---hpw01:ntp---*.*
> UDP---hpw01:mshome:ntp---*.*
What about the Svchost instance? What services are listed?
Here's RRAC - Port 5678:
<http://www.google.com/search?hl=en&q=rrac+port+5678&btnG=Google+Search>
<http://www.auditmypc.com/port/udp-port-5678.asp>
What is "192.168.0.1" - a router, or a computer running ICS?
--
Cheers,
Chuck, MS-MVP 2005-2007 [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.