A number of different tools exist for logging network activity, either remotely through a proxy of some kind or locally via a service or resident application. Microsoft has a utility of its own for logging network activity: Port Reporter. It installs as a system service and logs all TCP and UDP activity that takes place on a single computer, whether it's a server or workstation, on Windows Server 2003, Windows XP and Windows 2000.
Port Reporter not only logs which port is being opened and to what remote host, but also which process opened the port and whether that process is a system service. In addition, the utility reports which modules the process loaded and the user account responsible for launching it. Port Reporter is useful for analyzing network traffic on a given computer, and it helps root out unwanted software as well, such as spyware packages that are "phoning home" (that is, contacting a remote host and sending personal information such as keystrokes or sites visited).
Once installed, you have to start Port Reporter manually from the Services console under Control Panel | Administrative Tools. It is not set to start automatically by default, though you can change its startup type if you want it to. This is by design, since you may not always want the program to continuously log network activity at every boot.
The logs for the program are written in plaintext .CSV format to the directory %systemroot%\System32\LogFiles\PortReporter. Three logs are generated: PR-INITIAL, PR-PORTS, and PR-PIDS, the names of which are appended with a time/date stamp string that indicates when the log was started. (This is so that successive logging sessions aren't written to the same files.) PR-INITIAL contains information gathered from the computer when the service is first started -- processes running, ports mapped to each process, loaded modules and so on. PR-PORTS is a running log of all processes that open ports as well as their remote host, the user context, the protocol used, etc. PR-PIDS is a breakdown of process IDs used to open ports, including their respective user contexts and other crucial information.
The program has a few limitations. In Windows 2000 (as opposed to Windows XP or Windows 2003), port-to-process mappings are not supported, so some of the log information may not be as detailed.
Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!