Tip

Microsoft offers free Network Activity logging service

A number of different tools exist for logging network activity, either remotely through a proxy of some kind or locally via a service or resident application. Microsoft has a utility of its own for logging network activity: Port Reporter. It installs as a system service and logs all TCP and UDP activity that takes place on a single computer, whether it's a server or workstation, on Windows Server 2003, Windows XP and Windows 2000.

Port Reporter not only logs data about what port is being opened and to what remote host, but also the process that opened the port and whether the process is a system service. In addition, the utility reports on what modules that process used and the user accounts responsible for launching it. Port Reporter is useful for analyzing network traffic on a given computer, and it roots out unwanted software as well, such as spyware packages that are "phoning home" (that is, contacting a remote host and sending personal information such as keystrokes or sites visited).

Once installed, you have to start Port Reporter manually from the Services menu in Control Panel | Administrative Tools. It is not set to start automatically by default, though you can configure it to if you wish. This is by design, since the user may not always want the program to continuously log network activity at every boot.

The logs for the program are written in plaintext .CSV format to the directory %systemroot%\System32\LogFiles\PortReporter. Three logs are generated: PR-INITIAL, PR-PORTS, and PR-PIDS, the names of which are appended with a time/date stamp string that indicates when the log was started. (This is so that successive logging sessions aren't written to the same files.) PR-INITIAL contains information gathered from the computer when the service is first started -- processes running, ports mapped to each process, loaded modules and so on. PR-PORTS is a running log of all processes that open ports as well as their remote host, the user context, the protocol used, etc. PR-PIDS is a breakdown of process IDs used to open ports, including their respective user contexts and other crucial information.
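As an added example (not part of the original tip and not Microsoft's code), the script below shows the kind of triage a defender would run over a PR-PORTS log: parse the CSV, ignore connections to private or local addresses, and list the non-service processes that reached external hosts, most active first. The tip does not give the exact column layout of the Port Reporter files, so the column names in `COLUMNS` are an assumption to be adjusted to the header of your own PR-PORTS file; the log lines in `SAMPLE_LOG` are constructed sample data, not captured output.

```python
"""Triage a Port Reporter PR-PORTS style CSV log for processes contacting
external hosts.

Added example, not Microsoft's code. The real PR-PORTS column layout is not
stated in the tip, so COLUMNS below is an ASSUMPTION; edit it to match the
header line of your own log. SAMPLE_LOG is constructed data.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed (hypothetical) column order for one PR-PORTS record.
COLUMNS = ["date", "time", "protocol", "local_port", "remote_host",
           "remote_port", "pid", "process", "user", "is_service"]

# Constructed sample records in that assumed layout (documentation IP ranges).
SAMPLE_LOG = """\
2005-10-15,10:30:25,TCP,1045,10.0.0.5,445,4,System,NT AUTHORITY\\SYSTEM,yes
2005-10-15,10:30:26,UDP,137,0.0.0.0,0,4,System,NT AUTHORITY\\SYSTEM,yes
2005-10-15,10:31:02,TCP,1050,198.51.100.20,80,1532,iexplore.exe,CORP\\alice,no
2005-10-15,10:31:40,TCP,1051,203.0.113.9,6667,1788,svchst.exe,CORP\\alice,no
2005-10-15,10:32:05,TCP,1052,203.0.113.9,6667,1788,svchst.exe,CORP\\alice,no
2005-10-15,10:32:30,TCP,1053,203.0.113.44,8080,1788,svchst.exe,CORP\\alice,no
2005-10-15,10:33:00,TCP,139,192.168.1.7,1026,4,System,NT AUTHORITY\\SYSTEM,yes
"""

# Address ranges treated as "not phoning home": RFC 1918, loopback,
# link-local and the unspecified address used for listening sockets.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def parse_ports_log(text):
    """Parse PR-PORTS style CSV text (no header line) into dict records."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=COLUMNS)
    records = []
    for row in reader:
        row["pid"] = int(row["pid"])
        row["local_port"] = int(row["local_port"])
        row["remote_port"] = int(row["remote_port"])
        row["is_service"] = row["is_service"].strip().lower() == "yes"
        records.append(row)
    return records


def is_external(host):
    """True when the remote host lies outside the local/private ranges.
    Hostnames that are not IP literals are treated as external."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not any(addr in net for net in LOCAL_NETS)


def outbound_by_process(records):
    """Map (pid, process, user) -> set of distinct external 'host:port' endpoints."""
    out = defaultdict(set)
    for r in records:
        if is_external(r["remote_host"]):
            key = (r["pid"], r["process"], r["user"])
            out[key].add(f"{r['remote_host']}:{r['remote_port']}")
    return out


def suspicious_processes(records, min_endpoints=1):
    """Non-service processes that reached at least min_endpoints distinct
    external endpoints, ordered by number of endpoints (most first), then pid.
    Returns a list of (pid, process, user, sorted_endpoints)."""
    service_pids = {r["pid"] for r in records if r["is_service"]}
    findings = []
    for (pid, proc, user), endpoints in outbound_by_process(records).items():
        if pid in service_pids or len(endpoints) < min_endpoints:
            continue
        findings.append((pid, proc, user, sorted(endpoints)))
    findings.sort(key=lambda f: (-len(f[3]), f[0]))
    return findings


if __name__ == "__main__":
    for pid, proc, user, endpoints in suspicious_processes(parse_ports_log(SAMPLE_LOG)):
        print(f"pid {pid} {proc} ({user}) -> {', '.join(endpoints)}")
```

To run it against a real session, read the PR-PORTS file from %systemroot%\System32\LogFiles\PortReporter and pass its contents to `parse_ports_log` after fixing `COLUMNS`; the PR-PIDS log can then be consulted for the loaded modules of any process the triage surfaces.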

The program has a few limitations. In Windows 2000 (as opposed to Windows XP or Windows 2003), port-to-process mappings are not supported, so some of the log information may not be as detailed.


Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!



This was first published in October 2005
