If this isn't the best place to ask this please point me to the appropriate group.
There are so many programs in the bowels of XP that are constantly accessing or being accessed by the internet it worries me. I would like to know which programs are doing this. Is there a free (or cheap) program that logs all these exchanges with the identity of the program on my computer that's involved with the exchange?
you need a firewall that performs logging. mine (Norton NIS) allows rules to Permit, Deny, & Monitor. The Monitor rule says 'log the contact and continue with the next rule'.
when investigating web access, I enable the rule that says monitor all outbound ports, remote ports 80,443,8080,8081,110,143,25 tcp; there's more than enough to keep you reading ...
the connection log looks like this; you'll not only see things you expect:
http(80). download.microsoft.com(220.127.116.11): http(80). mail.adelphia.net(18.104.22.168): pop3(110). 22.214.171.124: domain(53).
but also the tracking and cookie stuff: img.microsoft.com(126.96.36.199): http(80). red.as-us.falkag.net(188.8.131.52): http(80). ziffdavisglobal.112.2o7.net(184.108.40.206): http(80).
the firewall logs programs too: Remote address,service is (mail.adelphia.net(220.127.116.11),pop3(110)). Process "C:\\Program Files\\Common Files\\SymantecShared\\ccApp.exe". Remote address,service is (18.104.22.168,domain(53)). Process name is "C:\\Program Files\\Mozilla Firefox\\firefox.exe".
type "netstat -a -o" (don't type the ""). The output will show a number of columns, "local address", "foreign address" etc. Look at the one headed "PID". Now, open XP's Task Manager, click on the Processes tab. Then, click on View - Select Columns and select PID (process identifier). Comparing the PID from the netstat output with the PID from Task Manager, you can see which executable is being used for each connection.
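An added example, not from anyone in this thread: a small Python script that automates the PID matching just described, parsing constructed samples of "netstat -a -n -o" and "tasklist /fo csv /nh" output (the -n switch and tasklist are my assumptions for stable, parseable columns; Task Manager gives the same PID-to-program mapping by hand).

```python
import csv
import io
from collections import defaultdict, namedtuple

Conn = namedtuple("Conn", "proto local remote state pid")

# Constructed sample of "netstat -a -n -o" output (not a real capture); -n keeps addresses numeric.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED     1234
  TCP    192.168.1.10:1046      203.0.113.9:110        ESTABLISHED     1234
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of "tasklist /fo csv /nh": the PID -> image name table Task Manager shows.
SAMPLE_TASKLIST = """\
"System","4","Console","0","236 K"
"svchost.exe","900","Console","0","4,520 K"
"firefox.exe","1234","Console","0","51,204 K"
"""

def parse_netstat(text):
    """One Conn per TCP/UDP row; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts[:5]
        else:
            proto, local, remote, pid = parts[:4]
            state = ""
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns

def parse_tasklist(text):
    # CSV rows are (image name, PID, session, session#, mem); quoted "4,520 K" is handled by csv.
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if row}

def remote_endpoints_by_process(netstat_text, tasklist_text):
    """Group genuine remote endpoints by owning program; listeners and wildcard peers are skipped."""
    names = parse_tasklist(tasklist_text)
    out = defaultdict(list)
    for c in parse_netstat(netstat_text):
        if c.state == "LISTENING" or c.remote in ("*:*", "0.0.0.0:0"):
            continue
        # A PID absent from tasklist usually means the process exited between the two commands.
        out[names.get(c.pid, "pid %d (exited?)" % c.pid)].append(c.remote)
    return dict(out)
```

On a live XP box, feed the script the real output of the two commands instead of the constructed samples, and run them back to back so PIDs have not been reused.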
Download a freeware program called Active Ports from
"Overview Port Reporter logs TCP and UDP port activity on a local Windows system. Port Reporter is a small application that runs as a service on Windows 2000, Windows XP, and Windows Server 2003.
On Windows XP and Windows Server 2003 this service is able to log which ports are used, which process is using the port, if the process is a service, which modules the process has loaded and which user account is running the process."
0792 Internet Control Message Protocol. J. Postel. Sep-01-1981. (Format: TXT=30404 bytes) (Obsoletes RFC0777) (Updated by RFC0950) (Also STD0005) (Status: STANDARD)
There's nothing to "track". ICMP has a number of possibilities, but it boils down to "ping" (ICMP type 8 requests, type 0 reply), and "error" messages (ICMP type 3 - "Destination Unreachable" and ICMP type 11 - "Time Exceeded" used by TRACERT.EXE or the original "traceroute"). The ICMP type 5 (Redirect) is so easily abused as a "Denial Of Service" ploy that nearly all operating systems ignore it.
ICMP does not use port numbers (the numbers your toy firewall shows as source and destination port numbers are actually the "ICMP type" and "ICMP code" values).
If you see an ICMP error packet, it has enough information inside the packet for your computer to understand. You try to connect to some idiot's web page and mis-type the hostname - and this other host isn't running a web server. It will send back an ICMP packet that says "you said 'connect to the web server here' but there is no web server". Or maybe there is no host - a router will send back a similar "you said 'connect to the web server at MUMBLE.FUMBLE.FOO' but I can't find that host".