Who is my computer talking to?

edited December 2007 in Technology
I've noticed this afternoon that my computer is receiving quite a bit of bytes (and sending a few) while nothing is running.
I suspect something is running in the background; I have no reason to suspect that it's anything bad. (I've run Ad-Aware and did a virus scan.) Nonetheless, I'd like to know what it is.

Does anyone know of a Windows program that will look at who your computer is connected with, and let you know what's going on in the background?

Comments

  • What is telling you that it is receiving bytes?
  • I noticed this when I pulled up "Wireless Connection Status." It also shows in the system tray in the taskbar.
  • I noticed this when I pulled up "Wireless Connection Status." It also shows in the system tray in the taskbar.
    What applications do you know are running?
  • edited December 2007
    I'm starting to wonder if it's Bittorrent DNA.
    Post edited by Kilarney on
  • If you use port forwarding it could be a lot of traffic coming in trying to find you.
  • edited December 2007
    Ahh... I do have port forwarding enabled for bittorrent. Could it be that people are trying to see if I have a file available?

    I did notice that the traffic is more or less entirely incoming, which would support this theory.
    Post edited by Kilarney on
  • Ahh... I do have port forwarding enabled for bittorrent. Could it be that people are trying to see if I have a file available?

    I did notice that the traffic is more or less entirely incoming, which would support this theory.
    Incoming bittorrent connections are download requests. Turn off your torrent client and everything else using the internet. Then use Wireshark to see what all those incoming packets are. That is, of course, if packets keep coming in.

    And give more details please, as Scott said, what do you run, check taskmgr or even better Sysinternals' Process Explorer. Good luck.
  • The command netstat -A at the command line will give you a list of connections. Windows will download updates in the background as will quite a few different software packages you might not be thinking about. Disable the network connection and see if anything complains. These are pretty basic suggestions, if you have used something like Wireshark you may be past these tests already.

    I've had good luck with netstat -A and Googling results I'm not sure about.
  • netstat -a is a command in *nix. I didn't know Windows had that.
  • Yes it does work in Windows. If you do "netstat -a -b" it will give you the full list of connections and the executable responsible for each connection.
  • Excellent... I will try that tonight.
  • When I have a chance, I'll have to cancel my port forwarding.

    I ran netstat. There are numerous connections from various places with TIME_WAIT indicated for all of them.

    I suspect that it has to do with Bittorrent, since I forwarded a port for that application. My guess is that they are looking for a file that I have/had and since Bittorrent is not running, I tell them to go away.

    When I have a chance later tonight, I'll stop forwarding the port and see what happens.
  • When I have a chance, I'll have to cancel my port forwarding.

    I ran netstat. There are numerous connections from various places with TIME_WAIT indicated for all of them.

    I suspect that it has to do with Bittorrent, since I forwarded a port for that application. My guess is that they are looking for a file that I have/had and since Bittorrent is not running, I tell them to go away.

    When I have a chance later tonight, I'll stop forwarding the port and see what happens.
    If bittorrent is not running it's not bittorrent traffic. The moment you shut the program down the connections are stopped. If bittorrent allowed people to connect to you even when you weren't running any torrent software nobody would use it. That's dangerous for security.
  • Hmm... back to the drawing board then.
  • I just disabled the one port that I had forwarded for Bittorrent, and the problem went away with one exception (see below).

    Every virus and adware scan I've done has shown no problems (and I've done quite a bit of scanning). So I'm inclined to think that everything is okay.

    There are a lot of connections to 239.255.255.250, which traceroute seems to choke on. It is registered to "Internet Assigned Numbers Authority", so I am assuming that this is a DNS server or something like that.

    I'm just nervous as to how there seem to be incoming requests through the open port. It doesn't appear as if any of these did anything, though. Is there really that much trolling out there to find open ports?
  • Interestingly enough, I just changed the port that was forwarded and the problem went away. So something or someone obviously knew that I had the port forwarded.
  • It's definitely related to Bittorrent. I tried a new port and everything was fine. I started Bittorrent for a while, and then turned it off. Sure enough, there were numerous incoming connection attempts.
  • It's definitely related to Bittorrent. I tried a new port and everything was fine. I started Bittorrent for a while, and then turned it off. Sure enough, there were numerous incoming connection attempts.
    What client are you using? And do they persist, or disappear after 10 or so minutes?
  • I'm using the official Bittorrent client - which is the same as Utorrent. And yes, they persist.
  • 239.255.255.250
    Hmmm... IANA's IP ranges are blocked by ipfilter.dat. If you want I can upload it to rapidshare or something and then you can enable ipfiltering in the official client. If it's completely cloned that will work and should fix your problem afaik.
  • edited December 2007
    There are a lot of connections to 239.255.255.250, which traceroute seems to choke on. It is registered to "Internet Assigned Numbers Authority", so I am assuming that this is a DNS server or something like that.
    That is a multicast address, which is why traceroute failed. Specifically, this is used for UPnP. It is possible to disable it, but it will not really cause a problem. This address should not get past your router.

    As far as bittorrent, even after you close your client, other people's clients may still attempt to connect to you. You would see incoming connections, which Windows will respond to with a reset to signal the port is closed.
    Post edited by Jameskun on
  • If bittorrent is not running it's not bittorrent traffic. The moment you shut the program down the connections are stopped. If bittorrent allowed people to connect to you even when you weren't running any torrent software nobody would use it. That's dangerous for security.
    Nonsense, DHT (which µTorrent has enabled by default) uses stateless UDP connections, which will obviously continue to flow in after the torrent client is closed. Because DHT is a 'pure' peer-to-peer system, there is no one hub to say "Ok, address 82.122.33.4 is offline, don't try to connect to him", so individual nodes will continually pester IPs which they remember at one point connecting to, until the swarm gives up and agrees that you're offline. I don't know specifically how µTorrent implements its DHT, but I imagine that it's fairly similar to Kad on which it's based, so they shouldn't persist for more than a few days, and are completely harmless.
  • ......
    edited December 2007
    Wait, wait, wait ShakingSpirit. You're claiming that the official bittorrent client, which is just a copy of µTorrent, doesn't close its connections when you shut it down while µTorrent does? µTorrent has always nicely closed all connections, including DHT (UDP), whenever I shut it down. Ever since version 1.6.1, the version I started with, it has done so and shall probably do so as long as it exists. As you said, UDP connections are stateless, they don't wait. They deliver and disappear. Also, I can find nothing about Kad being the base for DHT. Also, even when UDP is stateless, doesn't mean DHT is. I don't know the protocol, but I can imagine there being a disconnect message to inform the few people you are connected to to stop talking to you since that's just useless and makes it less efficient. Also, I can find nothing on Kad being a basis for DHT. However, I can find something about a Kad network which implements the Kademlia P2P protocol which is a Distributed Hash Table. So Kad is based on DHT, not the other way around.

    Anyways, Kilarney, you could try asking in the official forums. They might know what you can change to fix it.
    Post edited by ... on
  • Nonsense, DHT (which µTorrent has enabled by default) uses stateless UDP connections, which will obviously continue to flow in after the torrent client is closed. Because DHT is a 'pure' peer-to-peer system, there is no one hub to say "Ok, address 82.122.33.4 is offline, don't try to connect to him", so individual nodes will continually pester IPs which they remember at one point connecting to, until the swarm gives up and agrees that you're offline.
    That is most definitely what is happening. No big deal... although I suppose my ISP might have a different opinion.
  • edited December 2007
    Wait, wait, wait ShakingSpirit. You're claiming that the official bittorrent client..{etc}
    You misunderstood me; Kad isn't the basis for DHT, but it is the basis for µTorrent's implementation of DHT.
    And no, in µTorrent's(/BitComet's/Bitspirit's) implementation of DHT (dubbed 'Mainline') there is no 'disconnect' message sent to the swarm. Never had been, and I doubt there ever will be (because of the overhead). A brief google shows this has been thrown up before on the official forums as well as elsewhere.

    EDIT: And don't worry about your ISP kilarney, there's so much 'background noise' on the internet from this sort of thing happening that the occasional DHT 'PING' hitting your computer will just be a drop in the ocean ^_^
    Post edited by ShakingSpirit on
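
Added example, not part of any post in this thread: a small Python triage script for the situation discussed above. It groups netstat-style TCP lines by local port to show ports that many distinct remote hosts have contacted although nothing is listening, and classifies an address such as 239.255.255.250 by scope. The sample output, the forwarded port 51413 and all function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the column layout of Windows `netstat -an`.
# Port 51413 stands in for the forwarded port; all addresses are made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:51413     198.51.100.23:49152    TIME_WAIT
  TCP    192.168.1.10:51413     203.0.113.7:50211      TIME_WAIT
  TCP    192.168.1.10:51413     203.0.113.80:61002     TIME_WAIT
  TCP    192.168.1.10:49710     192.0.2.44:443         ESTABLISHED
  UDP    0.0.0.0:1900           *:*
"""

def split_endpoint(endpoint):
    """Split 'host:port' on the last colon; returns (host, port_str)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def classify(addr):
    """Label an address by scope using the standard ipaddress module."""
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:
        return "multicast"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"

def summarize(netstat_text):
    """Per local TCP port: distinct remote hosts, states seen, listener present."""
    ports = defaultdict(lambda: {"remotes": set(), "states": set(), "listening": False})
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP":
            continue  # skips the header, UDP rows (no state column) and blanks
        _, local, foreign, state = fields
        entry = ports[int(split_endpoint(local)[1])]
        if state == "LISTENING":
            entry["listening"] = True
        else:
            entry["remotes"].add(split_endpoint(foreign)[0])
            entry["states"].add(state)
    return dict(ports)

def ports_without_listener(summary, min_remotes=3):
    """Ports contacted by many distinct hosts although nothing is listening."""
    return sorted(p for p, e in summary.items()
                  if not e["listening"] and len(e["remotes"]) >= min_remotes)
```

On a real machine, paste the output of `netstat -an` into `summarize()`; a port it reports can then be matched against the router's forwarding rules and, with `netstat -a -b`, against the executable that used it.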