network monitoring

Discussion in 'Computer Support' started by Zach, Sep 16, 2007.

  1. Zach

    Zach Guest

    Hi

    I would like a program (I use Windows XP) to monitor all of the
    websites that I visit in real time.

    I really want to know whether malware is accessing specific domains /
    IPs, and I currently have no way of viewing this. What I don't want is
    a tool to "spy" on a computer and monitor websites entered. Instead, I
    need some kind of traffic analysis tool.

    Thanks

    Zach
     
    Zach, Sep 16, 2007
    #1

  2. Zach

    why? Guest

    On Sun, 16 Sep 2007 18:07:45 -0000, Zach wrote:

    >Hi
    >
    >I would like a program (I use Windows XP) to monitor all of the
    >websites that I visit in real time.


    Unless it's really vital, real time isn't needed.

    >I really want to know whether malware is accessing specific domains /


    Get rid of the malware then you don't need to worry about what it's
    connecting to.

    >IPs, and I currently have no way of viewing this. What I don't want is
    >a tool to "spy" on a computer and monitor websites entered. Instead, I


    That contradicts what you said earlier: "all of the websites" against
    "don't want a tool ... and monitor websites entered".

    Simple method is running a web browser proxy: you change your browser
    settings to run through the proxy, which logs requests from the browser.

    There are quite a few, try any of the often posted shareware / freeware
    sites mentioned in 24HSHD, search from
    http://groups.google.com/group/24hoursupport.helpdesk/topics
    or
    www.google.com
    for
    windows xp proxy server
    http monitor

    >need some kind of traffic analysis tool.


    No you don't, you need a good AV, antispyware, FW that looks after all
    this for you.

    Look for ntop, various http monitors, simple sniffers, stuff from
    snapfiles.com, iptraf, network probe lite (if still available)

    For traffic, see http://www.wireshark.org/

    Picking a random URL from bookmarks and running the above generates 217
    frames of data when clicking the homepage button (to mozilla home). It's
    very unlikely you need that. It is possible to set up filters of course.

    For a simple GET of a URL, the request looks like:

    No.  Time      Source       Destination    Protocol  Info
    1    0.000000  192.168.0.5  63.245.213.12  HTTP      GET /projects/seamonkey/ HTTP/1.1

    Frame 1 (358 bytes on wire, 358 bytes captured)
    Arrival Time: Sep 16, 2007 22:15:25.508634000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 358 bytes
    Capture Length: 358 bytes
    Protocols in frame: eth:ip:tcp:http
    Coloring Rule Name: Checksum Errors
    Coloring Rule String: edp.checksum_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad || udp.checksum_bad
    Ethernet II, Src: 00:0e:0c:9c:6e:fb (00:0e:0c:9c:6e:fb), Dst: 00:a0:c5:e4:e9:c4 (00:a0:c5:e4:e9:c4)
    Destination: 00:a0:c5:e4:e9:c4 (00:a0:c5:e4:e9:c4)
    Address: 00:a0:c5:e4:e9:c4 (00:a0:c5:e4:e9:c4)
    .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
    .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address
    Source: 00:0e:0c:9c:6e:fb (00:0e:0c:9c:6e:fb)
    Address: 00:0e:0c:9c:6e:fb (00:0e:0c:9c:6e:fb)
    .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
    .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address
    Type: IP (0x0800)
    Internet Protocol, Src: 192.168.0.5 (192.168.0.5), Dst: 63.245.213.12 (63.245.213.12)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    0000 00.. = Differentiated Services Codepoint: Default (0x00)
    .... ..0. = ECN-Capable Transport (ECT): 0
    .... ...0 = ECN-CE: 0
    Total Length: 344
    Identification: 0x9782 (38786)
    Flags: 0x04 (Don't Fragment)
    0... = Reserved bit: Not set
    .1.. = Don't fragment: Set
    ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x0000 [incorrect, should be 0x8c6e]
    Good: False
    Bad : True
    Source: 192.168.0.5 (192.168.0.5)
    Destination: 63.245.213.12 (63.245.213.12)
    Transmission Control Protocol, Src Port: 9725 (9725), Dst Port: 80 (80), Seq: 0, Ack: 0, Len: 304
    Source port: 9725 (9725)
    Destination port: 80 (80)
    Sequence number: 0 (relative sequence number)
    Next sequence number: 304 (relative sequence number)
    Acknowledgement number: 0 (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
    0... .... = Congestion Window Reduced (CWR): Not set
    .0.. .... = ECN-Echo: Not set
    ..0. .... = Urgent: Not set
    ...1 .... = Acknowledgment: Set
    .... 1... = Push: Set
    .... .0.. = Reset: Not set
    .... ..0. = Syn: Not set
    .... ...0 = Fin: Not set
    Window size: 65535
    Checksum: 0xd6f9 [incorrect, should be 0xf9f5]
    Hypertext Transfer Protocol
    GET /projects/seamonkey/ HTTP/1.1\r\n
    Request Method: GET
    Request URI: /projects/seamonkey/
    Request Version: HTTP/1.1
    Host: www.mozilla.org\r\n
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070802 SeaMonkey/1.1.4\r\n
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n
    Accept-Language: en-us,en;q=0.5\r\n



    >Thanks
    >
    >Zach


    Me
     
    why?, Sep 16, 2007
    #2
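Added here as an illustration, not code from the thread: a small Python checker that does the job the logging proxy and the Wireshark filter above are suggested for. It pulls the host out of either request form (the origin-form request with a Host: header that a sniffer sees, as in the capture, and the absolute-URI form a browser sends through a proxy) and matches it against a watch list. The watch list, domain names and sample requests are constructed.

```python
"""Flag HTTP requests to watch-listed domains (added example, not the thread's).

Same check a logging proxy or a Wireshark display filter gives you. Handles
origin-form requests as a sniffer sees them (GET /path plus Host:, as in the
capture above) and absolute-URI requests a browser sends via a proxy.
"""
from urllib.parse import urlsplit

# Constructed watch list: domains the asker wants to be told about.
WATCH_LIST = {"example-bad.test", "mozilla.org"}

def parse_request(raw):
    """Return (method, host, path) from the head of a raw HTTP/1.x request."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if target.startswith(("http://", "https://")):
        parts = urlsplit(target)  # proxy-style absolute URI carries the host
        host, path = parts.hostname or "", parts.path or "/"
    else:
        host = headers.get("host", "").split(":")[0]  # drop any :port
        path = target
    return method, host.lower(), path

def matches_watch_list(host, watch=WATCH_LIST):
    """True if host is a watched domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watch)

# Constructed samples: the capture's request, a proxied one, an unrelated one.
SAMPLES = [
    "GET /projects/seamonkey/ HTTP/1.1\r\nHost: www.mozilla.org\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n",
    "GET http://cdn.example-bad.test/u.php?id=1 HTTP/1.1\r\n"
    "Proxy-Connection: keep-alive\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: safe.example:8080\r\n\r\n",
]

def flagged(samples=SAMPLES):
    """Return [(method, host, path)] for requests that hit the watch list."""
    hits = []
    for raw in samples:
        method, host, path = parse_request(raw)
        if matches_watch_list(host):
            hits.append((method, host, path))
    return hits
```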

  3. Zach

    VanguardLH Guest

    "Zach" wrote ...
    >
    > I would like a program (I use Windows XP) to monitor all of the
    > websites that I visit in real time.
    >
    > I really want to know whether malware is accessing specific domains
    > /
    > IPs, and I currently have no way of viewing this. What I don't want
    > is
    > a tool to "spy" on a computer and monitor websites entered. Instead,
    > I
    > need some kind of traffic analysis tool.


    Why would malware only connect to *web* sites? They'll connect to
    whatever host they've been told to connect to. As long as there is a
    process listening on the port on the host they've been told to connect
    to, they can connect there. It doesn't have to be a web server that is
    running on that host and listening on that port.

    Learn to use your firewall's logs. Or get a better firewall. Or get
    a packet sniffer to monitor all your traffic (and perhaps filter to
    see just the protocols you want to monitor).
     
    VanguardLH, Sep 16, 2007
    #3
  4. Zach

    Guest

    Zach <> wrote:

    >Hi
    >
    >I would like a program (I use Windows XP) to monitor all of the
    >websites that I visit in real time.
    >
    >I really want to know whether malware is accessing specific domains /
    >IPs, and I currently have no way of viewing this. What I don't want is
    >a tool to "spy" on a computer and monitor websites entered. Instead, I
    >need some kind of traffic analysis tool.


    For something simple, google:
    TCPview

    It will show what programs are accessing the net, and at which sites.

    --

    http://www.rav.efbnet.com/humour/ohshit-cat.jpg
     
    , Sep 17, 2007
    #4
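An added example, not code from the thread, that covers both the point in #3 (malware uses whatever host and port it is told to, not just web servers) and the TCPView suggestion in #4 (which program is talking to which site): on XP, join the output of netstat -ano (connections with PIDs) to tasklist (PIDs with image names) and flag peers on a watch list or off the usual web ports. The two command outputs, the watch list and the process names are constructed samples.

```python
"""Join netstat -ano with tasklist: which program talks to which host.

Added example (not from the thread), the offline equivalent of what TCPView
shows. It checks every TCP peer, not only ports 80/443, because malware uses
whatever host and port it is told to. Inputs are constructed samples in XP's
command-line layout; on a real box feed in the real netstat/tasklist output.
"""
WATCH_IPS = {"203.0.113.7"}  # constructed watch list of remote IPs
WEB_PORTS = {80, 443}        # crude baseline; anything else gets a second look
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.5:9725       63.245.213.12:80       ESTABLISHED     1234
  TCP    192.168.0.5:1045       203.0.113.7:6667       ESTABLISHED     2244
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
"""
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
seamonkey.exe                 1234 Console                    0     55,320 K
updater.exe                   2244 Console                    0      1,180 K
"""
def parse_tasklist(text):
    """Return {pid: image name}; rsplit copes with image names that contain spaces."""
    pids = {}
    for line in text.splitlines()[2:]:  # skip the header and ==== rows
        parts = line.rsplit(None, 5)
        if len(parts) == 6 and parts[1].isdigit():
            pids[int(parts[1])] = parts[0]
    return pids

def parse_netstat(text):
    """Yield (proto, remote ip, remote port, pid) for sockets that have a peer."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[2] in ("*:*", "0.0.0.0:0"):
            continue  # listener or unbound UDP socket: no remote peer
        ip, _, port = parts[2].rpartition(":")
        yield parts[0], ip, int(port), int(parts[-1])

def suspicious(netstat=NETSTAT_SAMPLE, tasklist=TASKLIST_SAMPLE):
    """Return [(image, proto, ip, port, reason)] for peers worth a closer look."""
    names, hits = parse_tasklist(tasklist), []
    for proto, ip, port, pid in parse_netstat(netstat):
        reasons = [why for why, bad in (("watched ip", ip in WATCH_IPS),
                   ("non-web port", port not in WEB_PORTS)) if bad]
        if reasons:
            hits.append((names.get(pid, "pid %d" % pid), proto, ip, port, ", ".join(reasons)))
    return hits
```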
