Re: Continuous internet activity

MikeM wrote:
I have checked the task manager several time. Usually the only entries
with activity are the usual ones that have been there a long time. I
don't know what most of them are, but I assume they are connected with
Windows or other applications I have been running for years. One thing
I can't remember seeing, there are 8 entires for svchost. For a while
there was a lot of activity on 1 of them but it has now stopped. Just
an occasional small amount of activity on one of them.

The only high activity is on the application I am running. I tried
stopping it but the activity continued unchanged. The activity monitor
is still solid green and the led on the router is flashing so I assume
it is still sending/receiving.


A program like Wireshark might be used, to see what the packets
contain and where they're going. There is nothing stopping a malware
application, from using compression or encryption of the stream,
preventing you from learning anything. But at least you'll get an
IP address out of the exercise (dest address for the packets).

If you select View:Name Resolution:Network Layer, the captured
Ethernet packets will have the IP addresses resolved to symbolic
addresses. Which saves the nuisance of looking them up separately.

After that, Capture:Interfaces, and clicking the Start button
for your actual network interface, starts the capture.

Some malware, is aware of programs like Wireshark, and may
respond in some way once it is started. For example, a key logger
may store key presses locally, until a time arrives where
Wireshark is not running, and then it is "safe" to transmit
the passwords or credit card numbers.

The continuous activity, at least to me, suggests
something like Back Orifice - like something has
your machine under some degree of control, and
the continuous packets are for monitoring purposes.

You could also be part of a botnet, and DDOSing some
node on the Internet, or sending spam emails and so
on. It could be, that the control connection is
only made intermittently, and most of the traffic is
the scripted activity entrusted to your node.

There is a small probability of a networking problem, where
something is tied in a loop. I have seen looped behavior
between my router and my ADSL modem, and power cycling them
stopped it. To debug problems like that, you'd need a box
which could be inserted between devices and transparently capture
all transmit and receive traffic. Wireshark only covers the
cases, where a computer is at one end of the link.