How-To Geek

How to See What Web Sites Your Computer is Secretly Connecting To

Has your internet connection become slower than it should be? There may be a chance that you have some malware, spyware, or adware that is using your internet connection in the background without your knowledge. Here’s how to see what’s going on under the hood.

Secret Squirrel by akumath

How to Check What Your Computer is Connecting To

So, how do you find out what the problem is? There is an easy method using the netstat command from a command prompt window. This works with Windows 7, Vista, and XP. If you’re still using XP, make sure you are running at least Service Pack 2.

We will use the netstat command to generate a list of everything that has made an internet connection in a specified amount of time. To use the netstat command, you must run the command prompt window as administrator. Open the Start menu and enter “cmd.exe” in the Search box. When the results display, right-click on cmd.exe and select Run as administrator from the popup menu.

If the User Account Control dialog box displays, click Yes to continue. Note: You may not see this dialog box, depending on your User Account Control settings.

At the command prompt, type the following command and press Enter.

netstat -abf 5 > activity.txt

The -a option shows all connections and listening ports, the -b option shows which application is making each connection, and the -f option displays the full DNS name for each connection, which makes it easier to see where the connections are being made to. You can also use the -n option if you wish to display only the IP address. The 5 tells netstat to poll for connections every 5 seconds, which makes it easier to track what is going on, and the results are redirected into the activity.txt file.

Wait about two minutes and then press Ctrl + C to stop the recording of data.

Once you’ve finished recording data, you can simply open the activity.txt file in your favorite editor to see the results, or you can type activity.txt at the command line to open it in Notepad.

The resulting file will list all processes on your computer (browsers, IM clients, email programs, etc.) that have made an internet connection in the last two minutes, or however long you waited before pressing Ctrl + C. It also lists which processes connected to which websites.

If you see process names or website addresses with which you are not familiar, you can search for “what is (name of unknown process)” in Google and see what it is. It may be a system function you don’t know about or a function of one of your running programs. However, if it seems like a bad site, you can use Google again to find out how to get rid of it.
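
The added example below (not part of the original article) shows one way to turn activity.txt into a per-process list of remote hosts. It relies on the layout netstat -b uses, where the [executable] line or the "Can not obtain ownership information" line comes after the connection row it describes, and rows with no such line (TIME_WAIT entries, for instance) have no owner listed. The sample text, the host names and the function names parse_activity and remote_hosts are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout "netstat -abf 5 > activity.txt" writes
# (two polls); host names, ports and process names are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address           State
  TCP    192.168.0.66:139       DESKTOP:0                 LISTENING
 Can not obtain ownership information
  TCP    192.168.0.66:52601     cdn.example.net:https     TIME_WAIT
  TCP    192.168.0.66:52676     cdn.example.net:https     ESTABLISHED
 [firefox.exe]
  TCP    192.168.0.66:52700     updates.example.org:http  ESTABLISHED
  wuauserv
 [svchost.exe]

Active Connections

  Proto  Local Address          Foreign Address           State
  TCP    192.168.0.66:52676     cdn.example.net:https     ESTABLISHED
 [firefox.exe]
  TCP    192.168.0.66:52710     tracker.example.com:http  TIME_WAIT
"""

CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
EXE = re.compile(r"^\s*\[(.+)\]\s*$")
NO_OWNER = "(no owner listed)"

def parse_activity(text):
    """Map owner -> set of (proto, remote, state); owner lines follow their row."""
    owners, pending, component = defaultdict(set), None, None
    def close(owner):                   # attach the waiting row to its owner
        nonlocal pending, component
        if pending:
            owners[owner].add(pending)  # a set, so repeated polls collapse
        pending, component = None, None
    for line in text.splitlines():
        conn, exe = CONN.match(line), EXE.match(line)
        if conn:
            close(NO_OWNER)             # previous row had no owner line (e.g. TIME_WAIT)
            pending = (conn.group(1), conn.group(3), conn.group(4) or "")
        elif exe:
            close(exe.group(1) + (f" ({component})" if component else ""))
        elif "Can not obtain ownership information" in line:
            close("(ownership unavailable)")
        elif line.lstrip().startswith(("Active Connections", "Proto")):
            close(NO_OWNER)             # header of the next poll
        elif pending and line.strip():
            component = line.strip()    # service/component line printed before [exe]
    close(NO_OWNER)
    return owners

def remote_hosts(owners):
    """Per owner: sorted remote hosts, ignoring listening and wildcard sockets."""
    out = {o: sorted({r.rsplit(":", 1)[0] for _, r, s in conns
                      if s != "LISTENING" and r != "*:*"}) for o, conns in owners.items()}
    return {o: h for o, h in out.items() if h}
```

To use it on a real capture, read activity.txt into a string and pass it to parse_activity.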

Using CurrPorts to Check What Your PC is Connecting To

You can also use a free tool, called CurrPorts, to display a list of all currently opened TCP/IP and UDP ports on your local computer. It is a portable program and doesn’t need to be installed. To use it, extract the .zip file you downloaded (see the link at the end of this article) and run cports.exe.

For each port that CurrPorts lists, information about the process that opened the port is displayed. You can select connections and close them, copy a port’s information to the clipboard or save it to an HTML file, an XML file, or a tab-delimited text file. You can reorder the columns displayed on the CurrPorts main window and in the files you save. To sort the list by a specific column, simply click on the header of that column.

CurrPorts runs under Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008, Windows Vista, and Windows 7. There is a separate download of CurrPorts for 64-bit versions of Windows. You can find more information about CurrPorts and how to use it on the website listed below.

Download CurrPorts from http://www.nirsoft.net/utils/cports.html.

Lori Kaufman is a freelance technical writer who likes to write geeky how-to articles to help make people's lives easier through the use of technology. She loves watching and reading mysteries and is an avid Doctor Who fan.

  • Published 11/23/11

Comments (60)

  1. Kent

    I’d like to add that for many purposes using a browser extension like Ghostery in Chrome will allow you to see all the marketing web sites that your current page is sending you to. Ghostery makes it easier to connect the web site to the web page that is causing it.

    Then you can use the other tools in your excellent article to look for things like malware connections to Ukraine or software with automatic updaters. There should be far fewer of these connections.

  2. Kenny

    Nice write up. This filled in some gaps in my knowledge. I’ll be using this for sure.

  3. Eli

    Very good.
    I was long time looking to know how to find out if any web site connecting to my laptop.
    Thank you
    Eli

  4. drPek

    Another point is that if you use Comodo firewall then you can monitor all live network traffic in and out of your computer, it’s free and it’s also a great firewall product.

  5. Will

    -abf didn’t work on my XP Pro machine. -abo seemed to work though :)

  6. StevenTorrey

    I was unable to enter through the command prompt. Got invalid entry… From Currports I was able to access the process. At 8 am. It wasn’t the clearest of things. Much ado about what?

  7. 02befree

    Didn’t work on my XP machine either. Copied it straight into the command prompt. Will try what Will tried :)

  8. Ken

    tried this on both my and wife’s laptops, because I know hers is seriously defected.
    when trying to open the activity text, a box tells me that elevation is necessary, on both machines, hers is Vista, mine W7, what do I need to do now?

  9. Lori

    @Ken:

    Did you run the command window as administrator? The netstat command won’t work without that.

  10. e1sunz

    I got a problem:

    ” x: Windows Sockets Initialization failed :5 ”

    i keep on getting that there’s like 30 lines of that

  11. Spoko

    Thanks I will use this a lot.
    These posts are the reason I check this website…..

  12. rnncdn

    Great tip. I had no idea how to find this out before this article. Well done. Thanks from a novice.

  13. Pecojenk

    I also got lines of ” x: Windows Sockets Initialization failed :5 ” running Vista Ultimate 64 bit. But I also had info in activity.txt like:
    ” TCP 127.0.0.1:49159 Omega:0 LISTENING
    [ccSvcHst.exe]
    TCP 127.0.0.1:52583 Omega:52584 ESTABLISHED
    [firefox.exe]
    TCP 192.168.0.66:139 Omega:0 LISTENING

    Can not obtain ownership information
    TCP 192.168.0.66:52601 ord08s05-in-f22.1e100.net:https TIME_WAIT
    TCP 192.168.0.66:52676 ord08s05-in-f23.1e100.net:https ESTABLISHED
    [firefox.exe]
    TCP 192.168.0.66:52677 ord08s05-in-f9.1e100.net:http TIME_WAIT
    TCP 192.168.0.66:52678 iy-in-f102.1e100.net:http TIME_WAIT
    TCP 192.168.0.66:52680 ord08s05-in-f21.1e100.net:https ESTABLISHED
    [firefox.exe] ”

    Should I be worried about “Can not obtain ownership information”? Does it apply to the TCP line above or below?

  14. Bob Abela

    Using Vista Home Premium, running as administrator, same problem as e1sunz…
    x: Windows Sockets Initialization failed :5

  15. Notip

    Sorry, using Win 7 Ultimate x64 nothing comes up at all

  16. john radomi

    great article, I discovered some pests that were hanging around my computer.

  17. Pinakin

    I think TCPVIEW is better way to list this…

  18. Carl

    Great article. I am going to use this on my Dad’s computer tomorrow.

    To the people having problems, try this:
    When you search for “cmd.exe” do not hit
    Instead, right-click on the SEARCH RESULT “cmd.exe” and choose “run as administrator.”
    (sorry for the caps, but that is the important part)

  19. Carl

    When you search for “cmd.exe” do not hit [enter]

  20. shekharshekhar3

    Windows 7 Ultimate 32 bit, did not work for me. After running cmd as administrator I copied and paste the command mentioned here but nothing happened.

  21. champy

    It better way to save all thing in CMD ,Thanks :)

  22. Fe

    Hey guys, thanks a bunch for this article; Just came in at the right moment and I was shocked at what my PC was downloading for the past 2 days.

    Is there an article for checking all sites the other PCs in the network are accessing; Even if I’m not the Admin, and hence have no Router access?

    Thanks.

  23. imnogeek

    Should not task manager do most of this stuff ? If not, why not ?

  24. play8oy

    @e1sunz & @Pecojenk

    I had the same problem once, after some serious googling, I found out that my Windows system32 folder was missing a file named “inetmib1.dll” ..download n pasted in the win32 directory and my netstat started working after restart. hope that helps. :) I’m using winxp pro.

  25. Johnny D

    Just my opinion, but it might be more useful to display internet activity for the past 2 minutes rather than the next 2 minutes.

    As an example, you notice internet activity, but you have no idea which application made the connection. Then the activity stops. There is no guarantee the application will connect again in the next 2 minutes.

    Is there a program or a command to do what I’m suggesting?

  26. DOSdude

    Remember that if you direct command output to a file using ‘> activity.txt’ you will not see any output in the command window. Open the file to see it or leave the redirection out of the command.

  27. Vinil

    thanks for the info
    It worked over mine but I am unable to understand the results on cmd

  28. Ken

    OK, so now that I have about ten pages of info like below, what do I do with it? Suppose it would be a good idea to first close all other programs? Does this stuff look normal, and is it a good idea to post it here online? Note – I have omitted some details about my machine etc. – I also have a few instances of “cannot find ownership” and also see the HTG connection.

    [lxdimon.exe]

    Can not obtain ownership information
    TCP 192.168.1.101:62495 fcds9047.sjc.llnw.net:http CLOSE_WAIT
    [plugin-container.exe]
    TCP 192.168.1.101:62608 128.241.217.41:http TIME_WAIT
    TCP 192.168.1.101:62610 128.241.91.8:http TIME_WAIT
    TCP 192.168.1.101:62640 cdn-208-111-148-6.sjc.llnw.net:http TIME_WAIT
    TCP 192.168.1.101:62641 cdn-208-111-148-6.sjc.llnw.net:http TIME_WAIT
    TCP 192.168.1.101:62643 cdn-208-111-148-6.sjc.llnw.net:http TIME_WAIT
    TCP 192.168.1.101:62659 howtogeek.com:http TIME_WAIT
    TCP 192.168.1.101:62662 cdn-208-111-148-7.sjc.llnw.net:http TIME_WAIT
    TCP 192.168.1.101:62664 cdn-208-111-148-7.sjc.llnw.net:http TIME_WAIT
    PolicyAgent
    [svchost.exe]
    UDP 0.0.0.0:500 *:*
    IKEEXT
    [svchost.exe]
    UDP 0.0.0.0:4500 *:*
    IKEEXT
    [svchost.exe]
    UDP 0.0.0.0:5004 *:*
    [wmpnetwk.exe]
    UDP 0.0.0.0:5005 *:*
    [wmpnetwk.exe]
    UDP 0.0.0.0:39025 *:*
    [lxdicoms.exe]
    UDP 0.0.0.0:39032 *:*
    [lxdecoms.exe]
    UDP 0.0.0.0:63799 *:*
    [lxdicoms.exe]
    UDP 0.0.0.0:64870 *:*
    [avgemc.exe]
    UDP 127.0.0.1:1900 *:*
    SSDPSRV
    [svchost.exe]
    UDP 127.0.0.1:60807 *:*
    SSDPSRV
    [svchost.exe]
    UDP 127.0.0.1:61765 *:*
    [OUTLOOK.EXE]
    UDP 192.168.1.101:137 *:*
    Can not obtain ownership information
    UDP 192.168.1.101:138 *:*
    Can not obtain ownership information
    UDP 192.168.1.101:1900 *:*
    SSDPSRV
    [svchost.exe]
    UDP 192.168.1.101:60806 *:*
    SSDPSRV
    [svchost.exe]
    UDP [::]:500 *:*
    IKEEXT
    [svchost.exe]
    UDP [::]:4500 *:*
    IKEEXT
    [svchost.exe]
    UDP [::]:5004 *:*
    [wmpnetwk.exe]
    UDP [::]:5005 *:*
    [wmpnetwk.exe]
    UDP [::1]:1900 *:*
    SSDPSRV
    [svchost.exe]
    UDP [::1]:60805 *:*
    SSDPSRV
    [svchost.exe]
    UDP [fe80::d007:deca:ee25:16bb%11]:1900 *:*
    SSDPSRV
    [svchost.exe]
    UDP [fe80::d007:deca:ee25:16bb%11]:60804 *:*
    SSDPSRV
    [svchost.exe]

    Active Connections
    Can not obtain ownership information
    TCP 192.168.1.101:62495 fcds9047.sjc.llnw.net:http CLOSE_WAIT
    [plugin-container.exe]
    TCP 192.168.1.101:62608 128.241.217.41:http TIME_WAIT
    TCP 192.168.1.101:62610 128.241.91.8:http TIME_WAIT
    TCP 192.168.1.101:62640 cdn-208-111-148-6.sjc.llnw.net:http TIME_WAIT
    TCP 192.168.1.101:62641 cdn-208-111-148-6.sjc.llnw.net:http TIME_WAIT
    TCP 192.168.1.101:62643 cdn-208-111-148-6.sjc.llnw.net:http TIME_WAIT
    TCP 192.168.1.101:62659 howtogeek.com:http TIME_WAIT
    TCP 192.168.1.101:62662 cdn-208-111-148-7.sjc.llnw.net:http TIME_WAIT
    TCP 192.168.1.101:62664 cdn-208-111-148-7.sjc.llnw.net:http TIME_WAIT
    TCP 192.168.1.101:62682 r-199-59-149-200.twttr.com:http ESTABLISHED
    [firefox.exe]
    TCP 192.168.1.101:62683 cdn-208-111-148-7.sjc.llnw.net:http ESTABLISHED
    [firefox.exe]

  29. Art€

    Worked for me just fine; MSW7 64x system. But I couldn’t copy and paste, I had to type it in myself, but otherwise worked nicely. Thanx a lot good article.

  30. Dan

    Tried the command given in the article and found it a little hard to make sense of the output.

    Thanks to google and the MS website I found that the following worked (Windows Vista 32) and was easier to understand when looking at, but is displayed in the command line

    netstat -o

    The above displays active TCP connections and includes the process ID (PID) for each connection. you can look up the PID using the command below:

    tasklist /fi "PID eq xxxx"

    where xxxx is a PID shown in the output of the netstat command

    You can also use
    netstat -a

    the output seems to be more thorough but the output is harder to read.

  31. Tech Checkers

    A couple of additional pointers:

    1. After Right-Click on CMD.exe and Select “Run As Administrator”, the CLI Prompt will read as

    C:\Windows\System32>

    Entering the NETSTAT command would place the resulting activity text file into the Windows System32 Folder (!) , not a recommended location, though if you type

    CD \
    First this will change the path to Root [ i.e C:\ , the root of C drive]

    Now entering the NETSTAT with ABF switches will produce the activity.txt in a location that is easy to find.

    Second note is that there is NO ONSCREEN activity while the is running, so either closing the CLI Command pane or pressing Control + C is Required to halt the process and the log file.
    A good choice is to open the Activity.txt while the Command is running and tile the CLI Window and the Activity.txt vertically : )

  32. Ann

    Running Windows 7 Home Premium 64bit – nothing happened.

  33. ProfQ

    Thanks!
    Worked perfectly for me after typing the command line EXACTLY.
    Windows 7 Ultimate 64 bit

  34. Jon Woellhaf

    Works fine for me on Windows 7 Ultimate 64-bit.

  35. B. Broski

    In XP don’t use the f. If you just type netstat at the command prompt you’ll see there is no -f
    listed. I’m using XP pro. Haven’t tried on my Win 7 Ultimate yet.

  36. neil

    using Win 7 Ultimate x64 nothing comes up at all.

  37. Derrick

    I did all that, I didn’t understand what I was looking at or what to do with it when I found it

    Any ideas what I could do ?

  38. jornalão da midia golpista

    the currport program is much better also the interface is easy to understand even for a novice.
    does it show all detail in moment then you are using the localnet on pc.
    by the way is portable you can take it in a pendrive and check your girlfriend pc if sombody link on her ass.

  39. andy

    netstat -abf 5 > activity.txt did not work on my vista computer unless used like this netstat -abf

  40. Sonya

    Nice article. Thx! :)

  41. Sonya

    For those saying “nothing comes up at all” when running the netstat command are you:

    1. running the CMD.exe as administrator
    2. letting the netstat -abf 5 > activity.txt command run for several seconds, (I’m running Win 7 Home 64bit, and it doesn’t show what it’s doing on the screen. This is OK.)
    3. after letting it run, press CTRL-C to end the process
    4. switch to a windows explorer window (not IE), and browse for the directory you were in when you ran the netstat command
    5. in that directory, open the activity.txt file, which should have the results of the scan

  42. Tsotsi

    I’m running Windows XP and don’t know where to start…help

  43. glenw4248

    I have always wondered what and how certain sites would appear, and would not know how they were generated. At least with this articles information I can now see more and know better, as to, how to rid myself of unwanted sites. Thank you for this valuable information.

  44. cody

    the way Will listed worked for me the way in the article only listed what the different letters and such meant

  45. micheljgaudet

    Hey, lazy peeps. Stop doing the COPY/PASTE. Try actually using the keyboard to manually type in the info. into your .cmd window.

    WONDERFUL bit of info. to use; THANK YOU SO MUCH!

  46. micheljgaudet

    Forgot to mention WHY you should NOT use copy/paste… it doesn’t work for most systems. You must actually MANUALLY text in activity.txt> (without the ). Also, don’t leave out or add spaces; text it EXACTLY as shown.

  47. micheljgaudet

    grrr… [netstat -abf 5 > activity.txt], without the []

  48. Tony Payne

    The “-f” option is not valid in Windows XP Pro.
    It works if you just use “-ab” instead of “-abf”.

  49. John B.

    The first method worked like a charm for me in Win 7 64-bit. Thanks for the great tip!

  50. Ronald

    Your article interests me very much because this very topic concerns me. I have windows XP, and entered cmd.exe, but the open dialog has a line for the C drive. at the end of the line the cursor just blinks. I got no results. What is wrong? What should I do? Thanks.

  51. SeeYa32
  52. Marcus

    Good Grief! I just did this on my system and the vast number of connections from or to adobe is absolutely EVIL. All on different ports too! How do I block them?

  53. rosgani

    Thanks for the article, it’s an awesome tip…
    But, when I found malware activity? How do I disable and stop it?

    Thanks

  54. Kevin

    Failed…..? Vista 32 bit Home Premium

  55. sqlpro

    From Vista and above , you can use built in “performance monitor” for this purpose. look for “network” tab after opening monitor.

  56. Ken

    Once you copy the command use paste from the command window not the windows short cut key or menu.

  57. lar.

    in command prompt……failed…..repeats…WINDOWS SOCKETS INITIALIZATION FAILED 5.please advise.also cant understand..currports.

  58. twk5

    Works Like a charm – W7-64 Home Professional OS, quick download and run. I don’t know what to do about the 122 things using my computer, but that is another story…

  59. Rob

    It’s not displaying anything in the notepad when it opens… Oh, who am I kidding, I really don’t care. Screw this.

  60. lar

    x:windows sockets initialization failed: 5,this is what registered in command prompt.please advise.when i used the command,netstat -abf 5 > activity.txt,to see who or what is connected to my pc.please advise…thank you lar.
