Are you an amateur analyst or security enthusiast looking for free tools to do some basic Internet traffic monitoring? You’ve come to the right place. Not everyone is versed in the use of robust tools like Wireshark (even though it is worth the trouble of learning if you have to do network traffic analysis on a regular basis). So let’s take a look at some free, simple tools to get started.
There are several alternatives to Wireshark for Windows systems, and we will shed a little light on the ones that we like the most. Each has its own strength, and therefore it will depend on your specific needs to select the program that’s right for you. We have focused on tools that you can use on a local system and that run on the same system, to the exclusion of remote traffic monitoring and network monitoring software.
URL Revealer by Kahu security
URL Revealer is a web proxy that will capture requests and then drop them. I use it primarily to find out what a script or program is trying to download, especially when I have no interest in the files it’s trying to download. This happens a lot when we already know what malware will be downloaded but want to know the domains they’ll be coming from (so we can block them). The program is a command line utility. You can use the –o switch to write the log to a text file, from which you can easily harvest the resulting domains. The beauty of the dropped requests is that any dropper or downloader will assume the download it tried first is off-line and will move on to try the next one. This way you can grab all the options the downloader tries without getting actual malware on your system.
TCPView and Tcpvcon by Microsoft sysinternals
TCPView is a program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and the state of active TCP connections. Since TCPView also shows you which program is responsible for which connection, it is very suitable to figure out which process is communicating on that strange port you noticed.
The program Tcpvcon that comes with TCPView is a command line utility which is very similar to netstat. The –c switch exports the output as a CSV file.
Fiddlercap by Telerik
Fiddlercap is the little brother of Fiddler, and it’s so easy to use that specialists often ask users to use it and capture a small portion of traffic so they can remotely analyze if there are any bugs. The tool creates a .saz file, which allows the specialist to replay the events in Fiddler or Wireshark. This is ideal to find bugs on sites or observe strange browser behavior. Fiddler itself is a free web debugging proxy for any browser, system, or platform. But there’s a bit of a learning curve to use its full potential.
BitMeter 2 by Codebox Software
If you are only interested in how much of your bandwidth is being used—maybe because your ISP has restricted your usage—then BitMeter 2 might be what you are looking for. It displays your current usage and you can set an alarm to warn you when your usage reaches a certain percentage of your cap.
Built-in Windows tools
It’s sometimes easy to forget Windows comes with built-in tools like Resource Monitor that can show you the current usage by the application on the Network tab.
And if you’re running Windows 10, you can use the App history tab in Task manager to see the usage from the date when Windows 10 began monitoring your apps. You can also click the Delete usage history link to reset the data usage counter, otherwise it will reset automatically every 30 days.
Do you have your own favorites? Please let us know about them in the comments! But, no URLs please, or your post will be “automagically” blocked by our filters.
This is a Security Bloggers Network syndicated blog post authored by Pieter Arntz. Read the original post at: Malwarebytes Labs