How does one track down services that generate traffic?

Thread starter: Eddy

Process Monitor only shows the top process id, which is svchost. I guess
Svchost represents any number of services, any of which can be generating IP
traffic.

The question is how does one zero in on the culprit service?
 
Eddy said:
Process Monitor only shows the top process id, which is svchost. I guess
Svchost represents any number of services, any of which can be generating IP
traffic.

The question is how does one zero in on the culprit service?

I start with Process Explorer from Microsoft (SysInternals).
http://nitecruzr.blogspot.com/2005/05/essential-tools-for-desktop-and.html#ProcessExplorer

There, you find the Svchost instance in question, look under Services, and find
a list of what services are involved. And under TCP/IP, make a note of the
connections and their details. Pass the details here.

--
Cheers,
Chuck, MS-MVP 2005-2007 [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
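The manual procedure above (find the right svchost instance, read its Services tab, then note what the TCP/IP tab shows) can be done in one pass from a script. The following PowerShell is an added example written for this page; it is not code from the thread, from Microsoft or from Sysinternals. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Get-NetUDPEndpoint) and an elevated prompt, and the function name Get-ServiceNetworkMap and its -RemoteAddress parameter are my own choices. It lists every TCP connection and UDP endpoint with its owning PID and, for a PID that is a service host, the names of the services running inside it, which is exactly the pairing Chuck asks for.

```powershell
# Added example (not code from the thread): map TCP/UDP endpoints to the
# owning PID and expand service-host PIDs into the services they contain.
# Assumes Windows 8 / Server 2012 or later and an elevated prompt (needed to
# see the owning PID of processes you do not own).

function Get-ServiceNetworkMap {
    [CmdletBinding()]
    param(
        # Optional: restrict output to one remote peer, e.g. the router
        # address seen in the thread ('192.168.0.1').
        [string]$RemoteAddress
    )

    # PID -> service names. Services sharing one svchost share one PID,
    # so a single PID may map to several names.
    $servicesByPid = @{}
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ($svc.ProcessId -gt 0) {
            $key = [int]$svc.ProcessId
            if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
            $servicesByPid[$key] += $svc.Name
        }
    }

    # Normalise TCP connections and UDP endpoints into one row shape.
    $rows = @()
    foreach ($c in Get-NetTCPConnection) {
        $rows += [pscustomobject]@{
            Protocol  = 'TCP'
            Local     = "$($c.LocalAddress):$($c.LocalPort)"
            Remote    = "$($c.RemoteAddress):$($c.RemotePort)"
            State     = [string]$c.State
            OwningPid = [int]$c.OwningProcess
        }
    }
    foreach ($u in Get-NetUDPEndpoint) {
        $rows += [pscustomobject]@{
            Protocol  = 'UDP'
            Local     = "$($u.LocalAddress):$($u.LocalPort)"
            Remote    = '*:*'
            State     = ''
            OwningPid = [int]$u.OwningProcess
        }
    }

    if ($RemoteAddress) {
        $rows = $rows | Where-Object { $_.Remote -like "${RemoteAddress}:*" }
    }

    foreach ($row in $rows) {
        $proc = Get-Process -Id $row.OwningPid -ErrorAction SilentlyContinue
        $services = if ($servicesByPid.ContainsKey($row.OwningPid)) {
            $servicesByPid[$row.OwningPid] -join ', '
        } else { '' }

        [pscustomobject]@{
            Protocol = $row.Protocol
            Local    = $row.Local
            Remote   = $row.Remote
            State    = $row.State
            PID      = $row.OwningPid
            Process  = if ($proc) { $proc.ProcessName } else { '(exited)' }
            Services = $services   # non-empty only for processes hosting services
        }
    }
}

# Example run: only the peer seen in the thread, only rows owned by a service.
Get-ServiceNetworkMap -RemoteAddress '192.168.0.1' |
    Where-Object { $_.Services } |
    Sort-Object PID |
    Format-Table -AutoSize
```

The Services column still lists every service that shares that svchost, because a socket is owned by a process, not by a service. If the list has more than one entry and you need to pin the traffic on a single service, the usual diagnostic step is to move the suspect into its own process (sc config <ServiceName> type= own, then restart that service, and type= share to revert) so its PID becomes unique. Note also that local ports climbing by one per new connection, as in the table Eddy posted, is just the client's ephemeral port allocation and is not by itself a sign of anything unusual; the remote port and the owning service are what matter.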
 
Of course the TCP values are constantly changing as the port number
increases, usually by one. Port 1457 below is chosen at random. The port
numbers seem to cycle between 1000 and 4000 approx. Thanks for looking at it.

Prtcl  Local               Remote             State
TCP    hpw01.mshome:1457   192.168.0.1:5678   ESTABLISHED
TCP    hpw01.mshome:1458   192.168.0.1:5678   ESTABLISHED
UDP    hpw01:9909          *.*
UDP    hpw01:1042          *.*
UDP    hpw01:ntp           *.*
UDP    hpw01:mshome:ntp    *.*

Chuck said:
I start with Process Explorer from Microsoft (SysInternals).
http://nitecruzr.blogspot.com/2005/05/essential-tools-for-desktop-and.html#ProcessExplorer

There, you find the Svchost instance in question, look under Services, and find
a list of what services are involved. And under TCP/IP, make a note of the
connections and their details. Pass the details here.
 
Eddy said:
Of course the TCP values are constantly changing as the port number
increases, usually by one. Port 1457 below is chosen at random. The port
numbers seem to cycle between 1000 and 4000 approx. Thanks for looking at it.

Prtcl  Local               Remote             State
TCP    hpw01.mshome:1457   192.168.0.1:5678   ESTABLISHED
TCP    hpw01.mshome:1458   192.168.0.1:5678   ESTABLISHED
UDP    hpw01:9909          *.*
UDP    hpw01:1042          *.*
UDP    hpw01:ntp           *.*
UDP    hpw01:mshome:ntp    *.*

What about the Svchost instance? What services are listed?

Here's RRAC - Port 5678:
http://www.google.com/search?hl=en&q=rrac+port+5678&btnG=Google+Search
http://www.auditmypc.com/port/udp-port-5678.asp

What is "192.168.0.1" - a router, or a computer running ICS?

--
Cheers,
Chuck
 