You're sat at your PC. You're not using the internet, and neither is anyone in your house who's connected to the same router as you. And yet the lights on the router keep flashing. Clearly something is sending or receiving data, even though it's not you.
Ever wanted to find out what's doing all that communicating? If so, read on.
It's actually surprisingly easy to "tap" an internet connection and to read all the information that's flowing through it, even if that information isn't destined for (or hasn't come from) the computer which is running the tapping software. All you need is a program called a network protocol analyzer, running on a PC that's connected to the network which you want to tap. And if you want to stay on the right side of the law, it's also recommended that you do this on your own home LAN rather than anyone else's!
The best known protocol analyzer software is called Wireshark. It's a 26 MB download from www.wireshark.org and, according to VirusTotal and Web of Trust, it's safe. It's also free, and easy to get started with.
Once you've downloaded and installed the software, you're ready to begin. Incidentally, you'll find that the installer adds another program to your computer in addition to Wireshark. It's called Winpcap and is an integral part of the program, so it's perfectly safe.
When you run Wireshark, the first thing you'll need to do is to select a network interface that you want to tap. If you're using a desktop PC this will probably be the wired ethernet port. On a laptop you'll probably want to tap the wifi interface.
Once this is sorted, click to start capturing data and watch in amazement as all the activity is shown on your screen. You can see the source and destination address of each "packet" of data, and if you click on the details below that list you can see the actual content of the packet. Unless it was transmitted via an https secure, encrypted connection.
With the data at your fingertips, you can now attempt to find out what's using all your bandwidth. In the screen shot below, the lower part of the image is showing the data from the packet shown at the top which is highlighted with a grey bar. By looking at the content of the packet, it soon becomes clear that Dropbox is the culprit here.
For more tips and tricks on using the program, see http://www.youtube.com/watch?v=y-4UQSXkqig for a good tutorial video.
We are looking for people with skills or interest in the following areas:
Comments
I have an adsl wireless modem/router. My desktop is hard-wired & I have three teens on wireless to it.
We all seem to not be using what the ISP is showing each day (I have Internode & using "mum" to track daily usage).
Is there a way to keep a log of what each PC is using over the course of a day? We have a pretty long & complicated wireless password, so I doubt a neighbour is leeching.
Cheers!
Unfortunately, this just isn't going to work - it would be a good article if it was about analyzing traffic solely from the PC you are investigating but it is completely inaccurate on a modern wired LAN.
"click to start capturing data and watch in amazement as all the activity is shown on your screen."
Even in Promiscuous mode, on a wired connection you will only see traffic to/from your PC plus *broadcast* traffic on the LAN. On a switched network, data not intended for your PC will never reach your network card and cannot be captured. Unless you are connected to an ethernet hub, your PC will not receive traffic not intended for it.
To do this, you would need to introduce either ARP poisoning on your network to impersonate your router or investigate the web interface of your router to find out if it offers any kind of port mirroring - unlikely on any SOHO router although it is available on some entry level Netgear switches.
The best route would be to purchase a switch which supports port mirroring and place it between your router/modem and the rest of the LAN - you can then send all traffic to your PC for analysis. Alternatively, you can build a passive tap with some spare ethernet sockets and cable.
I have one simple question: How diferent is it from the NETWORK monitor in WINDOWS RESOURCE MANAGER?
But isn't it true wireshark only monitors traffic entering and leaving the interface of the machine on which it is running? It does not monitor any other ports on your router. Therefore, it will not really detect how other systems on your network may be "hogging" bandwidth.
However what about packets sent via https? Given that it is after all your own computer, is there a method of tracing that?
I may be that some unscrupulous character is sending info from your PC and using https to prevent you from finding out what's sent