Request for Question Clarification by maniac-ga on 30 Aug 2006 18:48 PDT
Hello Lloyd6978,
You may have some spyware or other damaging programs - there are
several answers on GA that describe how to find & remove that kind of
software. Search GA with phrases like
virus
spyware
spambot
and so on if you want to pursue that avenue.
If you want to analyze the network traffic directly, I suggest a tool such as
"Ethereal" (now also called Wireshark) which is a very nice network
analyzer. See
http://www.wireshark.org/download.html
for links to Windows installers as well as links to other system
versions. Download, install, and run. It's pretty obvious how to
capture data, a menu for that with options to select by "interface" or
just "start" to collect on all network interfaces you have on your
system. You should get a window showing the status of the packets
captured displayed. When you stop the capture, the program will pause
a moment to interpret the captured data & display the packets in
order.
On my system with a brief test, it showed no traffic other than VERY
infrequent UDP messages (that will vary by your OS & services enabled)
to discover other hosts until I reloaded a web page. Then it showed
the sequence of messages to fetch the page. I noticed a lot of [TCP
segment of a reassembled PDU] messages on my system, that can be
normal for large message transfers. The items with ACK in them are
acknowledgements of previous messages.
If you get sequences that don't make sense, post some information - primarily
- indicate if it's a send or receive
- the host talked to (not your IP address) - will vary in the source / destination column based on the send / receive direction
- protocol (the abbreviation like TCP is fine)
- Info
- if a TCP message, open up the details in the middle window & indicate the destination port number
From that kind of information, I can help look up the possible causes
and see if you have some bad actors on your system.
--Maniac
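
An added example, not part of Maniac's post: a short script that reduces a capture to the fields listed above (direction, remote host, protocol, and TCP destination port). It assumes the packet list was exported from Wireshark as CSV with the default columns; the local address and the sample rows are constructed for illustration.

```python
import csv
import io
import re
from collections import Counter

LOCAL_IP = "192.168.1.10"  # assumption: this machine's address (constructed)

# Constructed sample rows in the default column layout of a packet-list CSV export.
SAMPLE_CSV = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","192.168.1.10","203.0.113.5","TCP","62","1045 > 80 [SYN] Seq=0 Win=65535 Len=0"
"2","0.041000","203.0.113.5","192.168.1.10","TCP","62","80 > 1045 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0"
"3","0.041200","192.168.1.10","203.0.113.5","TCP","54","1045 > 80 [ACK] Seq=1 Ack=1 Win=65535 Len=0"
"4","0.042000","192.168.1.10","203.0.113.5","HTTP","420","GET / HTTP/1.1"
"5","1.500000","192.168.1.10","198.51.100.7","TCP","62","1046 > 25 [SYN] Seq=0 Win=65535 Len=0"
"6","2.000000","192.168.1.10","192.168.1.255","UDP","92","Source port: 138  Destination port: 138"
'''

# The Info column of a TCP row starts with "srcport > dstport";
# newer Wireshark versions print an arrow instead of ">".
PORTS = re.compile(r"^(\d+)\s*(?:>|\u2192)\s*(\d+)")


def summarize(csv_text, local_ip=LOCAL_IP):
    """Count packets per (direction, remote host, protocol, destination port)."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Source"] == local_ip:
            direction, remote = "send", row["Destination"]
        elif row["Destination"] == local_ip:
            direction, remote = "receive", row["Source"]
        else:
            continue  # traffic that is neither to nor from this machine
        m = PORTS.match(row["Info"]) if row["Protocol"] == "TCP" else None
        dport = int(m.group(2)) if m else None  # None when no port is shown
        counts[(direction, remote, row["Protocol"], dport)] += 1
    return counts


if __name__ == "__main__":
    rows = sorted(summarize(SAMPLE_CSV).items(), key=str)
    for (direction, remote, proto, dport), n in rows:
        print(f"{direction:8} {remote:15} {proto:5} dport={dport} packets={n}")
```

Remote hosts and destination ports you do not recognize in the "send" rows are the ones worth posting.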