Compile a history of network activity
In "PortQry," December 2004, InstantDoc ID 44411, I introduced you to one of two Microsoft tools that can help you determine which programs are listening on your computer's network ports. Such tools are important if you need to troubleshoot network services or detect unwanted programs. The tool I discussed in that article, PortQry, is a Microsoft-focused network port scanner with local-host-monitoring features. The tool I want to talk about this time is Port Reporter (PortRptr.exe), which lets you monitor network activity on a particular computer over a longer period of time. Whereas PortQry gives you a real-time look at which network-aware applications are running and their network connection states, Port Reporter logs TCP and UDP port activity and compiles a history of network activity and the corresponding applications for a system over time, so you can review the results later. Port Reporter also provides verbose logging when host applications change network connections—for example, when they accept a new connection. You can review this information manually to discover, for example, which applications are accepting or establishing network connections. Port Reporter also logs the DLLs loaded into each application, so that you can see not just which process is using the network but which modules are running inside it.
Depending on the amount of traffic, Port Reporter logs tend to grow too large to parse manually. For larger log files, you can use another free Microsoft tool called Port Reporter Parser to interpret and analyze the data and present it in a streamlined format. Let's look at both tools.
Downloading Port Reporter
Port Reporter is a free Microsoft tool that installs itself as a service. You download the Port Reporter files from Microsoft (http://www.microsoft.com/downloads/details.aspx?familyid=69ba779b-bae9-4243-b9d6-63e62b4bcd2e&displaylang=en) and extract them to a folder of your choice. Run the setup program—pr-setup.exe—to install the application on the computer that you want to monitor. By default, the setup program installs Port Reporter in C:\Program Files\PortReporter. Because it must be installed as a service, Port Reporter isn't as lightweight to deploy as PortQry, but as you'll see, it provides far more information.
From the Control Panel Administrative Tools applet, open Services. Scroll down to Port Reporter and start the service, as Figure 1 shows. Leave the service running under the LocalSystem account: it needs that level of privilege to collect process, user, and module information for every port, and a less-privileged account would leave gaps in the logs. Port Reporter writes its data to the \LogFiles directory that other Windows components also use (e.g., %systemroot%\System32\LogFiles\PortReporter). Because these logs are the evidence you'll rely on if you later suspect a compromise, keep them on a path that only administrators can modify. You can configure Port Reporter to rotate the log files by creating a new log whenever you start the service, each day, or when a size limit is reached. By default, Port Reporter creates a new log file when the current log file reaches 5MB in size. You can change the location and maximum size of the log files by opening the service's Properties dialog box, selecting the General tab, and entering custom start parameters for the service. For example, the start parameters
-ld 'C:\PRLogFiles' -ls 10000
specify that Port Reporter should write its logs to C:\PRLogFiles and create a new log file when the current one reaches 10,000KB (roughly 10MB); the -ls value is given in kilobytes.
When you start the service, Port Reporter creates three separate log files (INITIAL, PORTS, and PIDS) named by date of creation—for example, PR-INITIAL-04-08-28-16-7-19.log, PR-PORTS-04-08-28-16-7-19.log, and PR-PIDS-04-08-28-16-7-19.log.
- The INITIAL log file contains data about the ports that are actively mapped when the service starts. It resembles turbo-charged Netstat command output, showing all network activity such as the process identifier (PID), port, and local and remote addresses. Additionally, this report displays excellent information about not only the host application (e.g., msmsgs.exe) but also all its loaded DLLs. This information simplifies the identification of a rogue application such as a Trojan horse because it calls attention not only to the host application but also to the libraries it has loaded.
- The PORTS log file is a simple listing of each new network connection, showing the date and time of the connection, protocol (TCP or UDP), port, source and destination address, name of the application, and username under which the application is running. For example, when I open Microsoft Internet Explorer (IE) and sign on to MSN Messenger, Port Reporter immediately appends entries to the log, as Figure 2 shows. The comma-separated value (CSV) format makes it easy to import the data into Microsoft Excel for analysis. (Alternatively, you can use the Port Reporter Parser tool, which I discuss next.) Because Port Reporter runs as a service, it silently logs in the background, letting you periodically check which network applications that particular system has been running over a period of time.
- The PIDS log file is the largest of the three. Whereas the PORTS log file records each new connection as a single row of data, the PIDS log file records all program and module information about a process when it initiates any new network activity. So, for example, executing the command-line program ftp.exe produces a large volume of data not only about FTP but also about every module loaded along with ftp.exe. Figure 3 shows a snippet of the detail contained in the PIDS log. This detailed information is helpful if you need to determine whether a malicious program such as spyware has hooked itself into IE as a module or whether a worm or virus is attempting to use the network.
Port Reporter Parser
Port Reporter provides a wealth of information across the three classes of log files. To help with the daunting process of interpreting and correlating this data from the three files, Microsoft offers a Port Reporter log-file parsing tool.
Download Port Reporter Parser (prparser.exe) from Microsoft (http://download.microsoft.com/download/2/8/8/28810043-0e21-4004-89a3-2f477a74186f/PRParser.exe) and extract the file to a folder of your choice. Run the setup program prpsetup.msi, which installs the application into C:\Program Files\Microsoft\PR-Parser. (Prpsetup.msi requires that you first install Microsoft .NET Framework 1.1.) Run the application, and select a PORTS log file to analyze. Port Reporter Parser opens the file and parses it into a matrix of data, as Figure 4 shows.
At first glance, the data that Port Reporter Parser provides doesn't look that different from an Excel CSV parse, but actually Port Reporter Parser does much more. You can drill down into any log entry to pull detailed corresponding information from the PIDS file. Additionally, you can filter the data or highlight data according to a set of criteria that you define. You can set criteria based on module name, IP address, ports, user accounts, or host name. When you apply the criteria, Port Reporter Parser highlights matching records in red so that they stand out from the others. Additionally, when you drill down to a highlighted entry, Port Reporter Parser warns you that the data has been flagged and displays a customizable notification.
Port Reporter Parser also provides DNS resolution for logged IP addresses and can perform basic statistical breakdowns in the form of Local TCP Port Usage, Process Usage, svchost.exe Enumeration, Remote IP Address Usage, User Context Usage, Port Usage by Hour, and iexplore.exe Usage. These statistics reveal a great deal of useful information about the computer's network activity. For example, svchost.exe Enumeration uncovers all the services hosted by svchost.exe, a program that mystifies many users by masking services in Task Manager under the generic name svchost.exe. Figure 5 shows sample log-analysis data for Process Usage, which reports the number of network connections that different processes make. You can also open the corresponding INITIAL log and apply the same kind of criteria to highlight particular ports or applications there.
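If you would rather script the analysis than click through Port Reporter Parser (or want to run it against many PORTS logs at once), the following Python script does the core of what the Parser section above describes: it reads PORTS records, highlights the ones that match criteria you define (process name, remote address, port, user context), and produces the Process Usage, Remote IP Address Usage and Port Usage by Hour breakdowns. This is an added example written for this article, not code from Microsoft or from either tool. The column order it assumes (date, time, protocol, local port, local IP, remote port, remote IP, process, user) is an assumption based on the fields listed earlier; check it against a real log before relying on it. The sample log lines are constructed, not a real capture.

```python
"""Parse Port Reporter PORTS log lines, flag records against operator-defined
criteria, and build Process Usage / Remote IP / Port Usage by Hour breakdowns.
Added example, not Microsoft code. ASSUMPTION: the CSV column order below;
verify it against a real PR-PORTS-*.log before use."""
import csv
import io
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample lines (not a real capture), in the assumed column order:
# date,time,protocol,local port,local IP,remote port,remote IP,process,user
SAMPLE_PORTS_LOG = """\
04-08-28,16:7:21,TCP,1040,192.168.1.10,80,207.46.130.100,iexplore.exe,WORKSTATION\\alice
04-08-28,16:07:22,TCP,1041,192.168.1.10,1863,207.46.110.60,msmsgs.exe,WORKSTATION\\alice
04-08-28,16:07:30,UDP,1042,192.168.1.10,53,192.168.1.1,svchost.exe,NT AUTHORITY\\NETWORK SERVICE
04-08-28,17:15:03,TCP,1055,192.168.1.10,21,10.0.0.5,ftp.exe,WORKSTATION\\alice
04-08-28,23:41:12,TCP,1077,192.168.1.10,6667,203.0.113.9,update.exe,NT AUTHORITY\\SYSTEM
"""

FIELDS = ("date", "time", "protocol", "local_port", "local_ip",
          "remote_port", "remote_ip", "process", "user")


def parse_ports_log(text):
    """Return one dict per well-formed record; blank or short lines are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, (f.strip() for f in rec)))
        row["local_port"] = int(row["local_port"])
        row["remote_port"] = int(row["remote_port"])
        # The log file names are not zero-padded (16-7-19); tolerate the same in times.
        row["when"] = datetime.strptime(f"{row['date']} {row['time']}", "%y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


@dataclass
class Criteria:
    """The kinds of filter Port Reporter Parser offers: module (process) name,
    remote IP address, port, and user context. Matching is case-insensitive
    for names and accounts."""
    processes: set = field(default_factory=set)
    remote_ips: set = field(default_factory=set)
    remote_ports: set = field(default_factory=set)
    users: set = field(default_factory=set)

    def reasons(self, row):
        hits = []
        if row["process"].lower() in {p.lower() for p in self.processes}:
            hits.append(f"process {row['process']}")
        if row["remote_ip"] in self.remote_ips:
            hits.append(f"remote IP {row['remote_ip']}")
        if row["remote_port"] in self.remote_ports:
            hits.append(f"remote port {row['remote_port']}")
        if row["user"].lower() in {u.lower() for u in self.users}:
            hits.append(f"user {row['user']}")
        return hits


def flag(rows, criteria):
    """Return (row, reasons) for every record matching at least one criterion."""
    return [(row, hits) for row in rows if (hits := criteria.reasons(row))]


def process_usage(rows):
    """Connections per process, like the Parser's Process Usage report."""
    return Counter(r["process"] for r in rows)


def remote_ip_usage(rows):
    """Connections per remote address, like Remote IP Address Usage."""
    return Counter(r["remote_ip"] for r in rows)


def usage_by_hour(rows):
    """Connections per hour of day, like Port Usage by Hour."""
    return Counter(r["when"].hour for r in rows)


if __name__ == "__main__":
    rows = parse_ports_log(SAMPLE_PORTS_LOG)
    # Example criteria: anything talking to a remote IRC port or running as SYSTEM.
    crit = Criteria(remote_ports={6667}, users={"NT AUTHORITY\\SYSTEM"})
    for row, why in flag(rows, crit):
        print(f"FLAGGED {row['when']} {row['protocol']} "
              f"{row['local_ip']}:{row['local_port']} -> "
              f"{row['remote_ip']}:{row['remote_port']} {row['process']} "
              f"({'; '.join(why)})")
    print("Process usage:", dict(process_usage(rows)))
    print("Remote IP usage:", dict(remote_ip_usage(rows)))
    print("By hour:", dict(sorted(usage_by_hour(rows).items())))
```

Point the script at the contents of a real PR-PORTS-*.log in place of SAMPLE_PORTS_LOG, and adjust FIELDS if your log's columns are in a different order. The criteria sets are deliberately simple so you can feed them from a list of known-bad addresses, unexpected ports, or service accounts that should never be opening outbound connections.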
Putting It All Together
Like PortQry, Port Reporter and Port Reporter Parser increase visibility into the network activity on your Windows systems and greatly augment your security toolkit. Port Reporter and its essential Port Reporter Parser sidekick provide insight and data analysis of network activity on a particular host over time. These tools expose information and present it in a unique way to help you discover exactly which applications are using your network.