A lot of the software installed on a computer these days requires some form of internet access even if the software itself has no need for a web connection during normal usage. “Phoning home” is a term used to describe the process of software connecting to its own server probably to send statistical data, to check for software updates or even to verify the validity of the license. As useful as it is for software developers, it can also be a threat. Malicious software can be programmed to secretly use your internet connection in a similar way and is not visible unless you know how to check.
With so many programs periodically going online, it can be difficult to stay totally safe. If you are the adventurous type that downloads and plays around with lots of software especially the dangerous ones such as key generators, patches, cracks or hack tools, then you must be even more careful to check if it’s secretly phoning home. What you need is something to give a picture of what is going on with the internet connection and what software is actually trying to use it. Sometimes there will be a function in your internet security software to monitor what’s happening on the network, but if you don’t have the option, you need another way to find out.
Here’s a selection of 10 easy to use tools to check what programs and processes are trying to access the internet so you have a better idea what’s trying to phone home. All the tools are portable unless stated.
1. Proc Net Monitor
This is from SecurityXploded who make a lot of internet and network tools and will monitor the network activity of all running processes on your system while also showing active network connections for each process and what ports are being used in the windows below. There is only one display option which is to filter a specific port, although you can kill an active suspicious process, send the process to Virus Total for a security scan and also save the results from the window to a log file. Sadly there is no auto refresh option and you have to click the button manually. Proc Net Monitor has portable and installer versions available and works on Windows XP to 8.
2. NetLimiter Monitor
This is the only tool in the list that specifically requires installation, but is a plain and simple network monitoring tool that shows which programs are accessing the internet along with their respective upload and download speeds. You can choose to list active, inactive, hidden or all processes and clicking on the tree icon for the process will show its ID and all the active connections for it along with their individual speeds. Net Limiter installs as a trial of the shareware traffic management software, you need to register for a free serial key to turn the program into the free monitor. There’s also an older version 2 download available.
3. Sysinternals TCPView
Made by the same developer as Process Explorer, TCPView is a simple endpoint viewer to show all active connections on the computer. It displays the local and remote addresses and ports, sent and received data amounts and also the current state of the connection. New connections show in green, changed in yellow and closed in red. To filter out the listening and unconnected processes click the icon on the toolbar (Ctrl+U), and the auto refresh speed can be altered in the View menu. You can also end the chosen process or connection by right clicking on the entry and save the window contents to a text file. Works on XP and above.
TCPMonitor is a similar tool and functions the same way as Sysinternals TCPView but is a little more user friendly. It displays the necessary ports, addresses, status and process name/PID and clicking on the toolbar icons will enable auto refreshing and filtering in only established connections. Clicking on a process can kill it, close the active connection, copy the address and an interesting feature which is a primitive IP blacklist which will block any IP address you add to it. There’s also options to change the coded colors, show a small network stats window, save the window content to a text file and periodically save the data to a log file. Works on Windows XP and above.
5. Moo0 ConnectionWatcher
ConnectionWatcher is another simple to use tool that displays all the connections made by the processes on your computer and has around 15 different skins to make the interface more appealing. It does have a small overall network monitor and graph at the bottom, and also a useful log tab where you can record and save up to 3000 events to a HTML file. You can also set the auto update refresh to real time if needed, but it will put extra load on the CPU. A useful option the program could do with is the ability to filter out things like UDP, listening or closed connections etc. Works on Windows XP and above with portable or setup installer versions available.
SoftPerfect Networx is a popular internet bandwidth and usage monitor which also happens to have a simple TCP/UDP connections monitor built in. Simply right click on the tray icon and select NetStat to open the connections window. It’s pretty basic and has a few options to automatically refresh the window, resolve addresses to host names and show only established connections which will declutter the list somewhat. Right click on a program and click Terminate to quickly close it. If you want to auto refresh the window, it’s best to turn off the resolve addresses option to stop a lag in the display. NetWorx is compatible with Windows 2000 and above with installer or portable versions available.
This tool is by NirSoft and has a display similar to TCPView but with far more comprehensive options to control how the program behaves if you want to use them. In addition to all the address, port and process details, there’s also information such as window name, used services, attributes etc, and the large options menu allows you to show or hide several connection and port items from the display. CurrPorts also has advanced filters and can specifically include/exclude selected processes, ports and addresses while allowing you to close selected connections or kill the related process. All connections can be logged in real time to a text file, accessible from the File menu. CurrPorts works on Windows 98 and above.
8. Process Explorer
Sysinternals Process Explorer is similar to Windows Task Manager but far more advanced. The good thing about using Process Explorer to check for connections to the internet is the ability to easily just look at a single process and not all at once. You can also set it up as a basic network traffic monitor by going to View menu -> Select Columns -> Process Network tab and choose the sends and receives you want in the window.
To get information on a specific process simply double click on any process from the list and go to the TCP/IP tab. It will show listening and established connections along with TCP, TCPv6 and UDP protocols created by the process with the option to resolve the addresses. The color coding is the same as TCPView for new, changed or closed connections.
Process Explorer is loved by techies and isn’t difficult to use for just about anyone with average knowledge. Works on Windows XP and above.
9. SterJo NetStalker
NetStalker is a very intriguing program because apart from being a monitor to see which processes are accessing the internet, it also features a rather primitive firewall that can block addresses or ports while it’s running. The connections tab displays the usual information, tasks can be killed and connections closed. UDP and listening connections can be filtered out via the Options menu. Any new task that wants to create a connection will popup a box allowing you to trust, get details or kill it, and you can setup rules to allow or block specified ports or remote addresses through the Policy tab. The firewall function can be disabled by allowing all traffic if you don’t want it. NetStalker portable is preferable as the installer version contains adware.
10. Windows Resource Monitor
Because they’re tucked away, many users tend to forget about some of the useful tools inside Windows, and Resource Monitor can display a whole host of information about disk, CPU, memory and network activity. It’s accessible a variety of ways including “perfmon.exe /res” from the Run dialog or from the Performance tab in Task Manager. Click on the Network tab and you’ll get a list of processes, TCP connections and listening ports along with a graph of the last 60 seconds activity. Windows 7 and 8 have the most useful monitor, there is also a reduced version in Vista.