How to analyze a program’s Internet connections in a minute

There are times where you want to monitor if a program connects to the Internet. Maybe you have just downloaded it and want to check if it connects to servers on the Internet.

This can be used to check if a program is phoning home for instance, or if it is making connections on its own without being initiated by you.

There are quite a few ways to monitor this, but there is none that is enabled by default on Windows. While you can make sure that no connection slips by, for instance by configuring strict outbound rules in the firewall or running a network monitor 24/7, it is often not helpful if you want to gain a quick overview as analysis and setup are usually complex time consuming processes.

I like to use Nir Sofer's CurrPorts application to check a program's Internet activity fast. While it is not as elegant as a network monitor that grabs every bit of traffic, it is very easy to use.

The program is portable and available as a 32-bit and 64-bit version. All you need to do is download it to your system, extract the archive once done, and run the single executable file that is in the target directory.

chromes internet activity

The program displays all established connections in its interface. You can easily sort the display by process name or, and that is better, drag the target icon (fourth from the left) on the application window to limit the data to it.

As you can see on the screenshot above, CurrPorts displays the remote address of every connection. It displays additional information such as the target hostname as well as time and date of the connection.

You can refresh the display manually with a click on the refresh button or hitting F5 on the keyboard, or enable the program's auto-refresh feature to have it update the data automatically in select intervals.

Once the data is displayed to you, you may want to analyze it to find out if it is legit or not. If you monitor Google Chrome for instance, you will notice that it makes many connections to Google servers regularly. In fact, all connections displayed on the screenshot above are to Google servers.

Suggested course of action

If you want to find out more about the connections that the program made, you need to look up IP addresses or hostnames.

  1. Use View > HTML Report All Items to export all connections to a HTML file.
  2. The HTML file should be opened automatically after its creation. If not, you find it in CurrPort's program directory.
  3. Use a service like http://ip-lookup.net/ or http://whatismyipaddress.com/ip-lookup to display ownership information.
  4. If you use the first service, you need to click on the Whois information link on the results page. The second service displays the relevant information right away.
  5. Once you have the owner of the IP address, you need to conclude whether the connection is legit or not. You may also conclude whether it is desired or not.

While that is sometimes easy to answer, for instance if a program makes a connection to a company not related to it in any way, it can be difficult at times, for instance when Chrome makes connections to Google.

You cannot use CurrPorts to find out more about those connections. You do have a few options however:

  1. Configure your firewall to block select IP addresses or limit outbound access of the program, and monitor if functionality is blocked after doing so.
  2. Use a "real" network monitor such as Wireshark to dig deeper and find out more about the connections.
  3. Configure the program so that at least some connections are not established anymore. If you block Chrome's Safe Browsing feature for instance, it won't establish connections anymore to test websites or files using it.

Now Read: Take control over all connections with Windows Firewall Notifier

Summary
Article Name
How to analyze a program's Internet connections in a minute
Author
Description
The guide explains how you can find out if a program connects to the Internet, and if the connections that it makes are legit or not.
Please share this article

facebooktwittergoogle_plusredditlinkedinmail


Responses to How to analyze a program’s Internet connections in a minute

  1. jNizM July 23, 2014 at 2:21 pm #

    Alternate to Wireshark is Fiddler (free web debugging proxy for any browser, system or platform)
    http://www.telerik.com/fiddler

    Alternate to CurrPorts is TCPView from Microsoft Sysinternals

  2. learsI July 23, 2014 at 3:40 pm #

    I really like NirsSoft tools
    Israel software btw :)

  3. Umo July 23, 2014 at 6:02 pm #

    All though it is a good program there is no way to flag certain application as Approved Apps or DisApproved Apps. This would help me narrow down and display only new apps that I have not seen before and hence track or block them accordingly.

    • RodsMine July 24, 2014 at 11:31 pm #

      email them with the suggestion - they do implement them.

      "If you have any problem, suggestion, comment, or you found a bug in NirSoft utility, you can send a message to nirsofer@yahoo.com"

      • rikhub July 27, 2014 at 6:09 pm #

        > email them with the suggestion

        It's a "one man" Company.

  4. jasray July 23, 2014 at 7:16 pm #

    TCP View is a nice companion to Current Ports. Current Ports must used as an Admin (Run as Administrator), and it does have the function to create filters that will block IPs. I started using it when the ISP claimed my bandwidth was running wild at night. A quick check showed numerous connections to all sorts of crap IPs that have now been blocked. Bandwidth much better.

  5. Ben Allan July 23, 2014 at 11:49 pm #

    Then use PeerBlock http://www.peerblock.com/ to prevent the application making the undesirable connections.

  6. infogain July 24, 2014 at 5:14 am #

    type this in command prompt ==> netstat -b

  7. BMO July 24, 2014 at 8:27 am #

    I'm sorry if this information is available, but I couldn't find it. I have a question though, what does it mean if something is highlighted in green? Thank you!

    • Martin Brinkmann July 24, 2014 at 8:36 am #

      While I cannot say for sure, I believe that those are displayed after you hit refresh to highlight new entries.

      • BMO July 24, 2014 at 8:42 am #

        Oh alright. Thanks bud, appreciate it.

Leave a Reply