I woke up too early the other morning and could not get back to sleep. I gave up, got up, and wandered blearily to my office. I turned on my computer and left it while I made myself some breakfast. Finishing that, I opened up Chrome and was about to go to email when I paused. Nothing was happening on my computer, but lights were flashing now and then on the router, so I logged into it to see what traffic was passing through it.
As it turned out, not much of anything. Because I use Chrome there was a surprising number of outgoing connections to Google, and a few other things like Dropbox that I recognized, but nothing suspicious. If there is any malware on my computer, it certainly wasn't active at that time.
Of course most of the time there is much more going on. The Active Connections list might fill several pages. It could be hard to pick out possibly "bad" connections from all the noise. There are some things to look for, though.
You may have noticed that I added "Destination Port" to the visible columns. Looking for unusual ports is one easy check. Most legitimate connections are to the so-called "well-known" ports, and most of those today are likely to be HTTP or HTTPS. Mix in a few email connections and that's probably 99% of your outbound connections.
Looking for common ports that shouldn't be in use on certain machines is another - for example, a printer/copier probably shouldn't be making an HTTPS connection. Inbound connections are also something to look at carefully - you know (or should know) which machines accept inbound traffic; anything else is definitely suspect.
You should have traffic rules that block unexpected traffic - for example, nothing but your mailserver(s) should be allowed to make outbound connections on SMTP ports.
You may also want to turn on the Rx and Tx columns. High byte counts there might be another indication of suspicious activity. Of course this might just be a legitimate download like a software update. A high number of Tx bytes (data leaving your network) is more suspicious than a high Rx count.
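The checks described above (unusual destination ports, common ports on the wrong kind of machine, inbound connections to hosts that are not servers, and a large Tx count) are simple enough to script once you have the connection table exported. The following is an added example, not code from the article: the host inventory, the per-role port policy, the byte threshold and every connection row are constructed for the demo, and the addresses come from the RFC 5737 documentation ranges.

```python
"""Triage a router's Active Connections table with the checks from the post.

Added example; the inventory, policy, threshold and sample rows below are
all assumptions constructed for the demonstration.
"""
from dataclasses import dataclass

# Ports accepted as ordinary outbound traffic (assumed baseline):
# web, SMTP and submission, POP/IMAP, DNS, NTP.
COMMON_OUTBOUND = {80, 443, 25, 465, 587, 110, 143, 993, 995, 53, 123}

# Assumed inventory: which LAN host plays which role.
ROLE = {
    "192.168.1.5": "mailserver",
    "192.168.1.7": "webserver",
    "192.168.1.20": "printer",
    "192.168.1.50": "workstation",
}

# Per-role outbound policy: only the mail server may speak SMTP,
# a printer gets nothing beyond DNS and NTP. Unknown roles fall back to COMMON_OUTBOUND.
OUTBOUND_POLICY = {
    "mailserver": {25, 465, 587, 53, 123},
    "webserver": {80, 443, 53, 123},
    "printer": {53, 123},
    "workstation": COMMON_OUTBOUND - {25, 465, 587},
}

# Hosts expected to accept inbound connections, and on which ports (assumed).
INBOUND_ALLOWED = {"192.168.1.7": {443}}

# A single connection sending more than this is worth a second look (assumed threshold).
HIGH_TX_BYTES = 50 * 1024 * 1024


@dataclass(frozen=True)
class Conn:
    local: str      # LAN host
    remote: str     # far end
    dport: int      # remote port for outbound, local port for inbound
    direction: str  # "out" or "in"
    rx: int         # bytes received by the LAN host
    tx: int         # bytes sent by the LAN host


def triage(conn: Conn) -> list[str]:
    """Return the reasons this connection deserves attention (empty list = looks normal)."""
    findings = []
    role = ROLE.get(conn.local, "unknown")

    if conn.direction == "in":
        # Inbound to anything not on the known-server list is suspect.
        if conn.dport not in INBOUND_ALLOWED.get(conn.local, set()):
            findings.append(f"inbound to {conn.local} on port {conn.dport} but host is not a known server")
        return findings

    allowed = OUTBOUND_POLICY.get(role, COMMON_OUTBOUND)
    if conn.dport not in COMMON_OUTBOUND:
        findings.append(f"unusual destination port {conn.dport}")
    elif conn.dport not in allowed:
        findings.append(f"{role} should not be using port {conn.dport}")
    # Large upload that dwarfs what came back: more suspicious than a big download.
    if conn.tx > HIGH_TX_BYTES and conn.tx > conn.rx:
        findings.append(f"high outbound volume: {conn.tx} bytes sent vs {conn.rx} received")
    return findings


def report(conns: list[Conn]) -> list[tuple[Conn, list[str]]]:
    """Keep only the connections that triggered at least one check."""
    flagged = []
    for c in conns:
        reasons = triage(c)
        if reasons:
            flagged.append((c, reasons))
    return flagged


# Constructed sample of what an exported connection table might contain.
SAMPLE = [
    Conn("192.168.1.50", "192.0.2.10", 443, "out", 120_000, 8_000),           # workstation HTTPS
    Conn("192.168.1.50", "198.51.100.9", 6667, "out", 2_000, 1_500),          # workstation, odd port
    Conn("192.168.1.20", "203.0.113.77", 443, "out", 900, 400),               # printer making HTTPS
    Conn("192.168.1.50", "203.0.113.5", 25, "out", 500, 3_000),               # workstation sending SMTP
    Conn("192.168.1.5", "203.0.113.5", 25, "out", 500, 3_000),                # mail server SMTP
    Conn("192.168.1.50", "198.51.100.9", 3389, "in", 10_000, 90_000),         # inbound to a workstation
    Conn("192.168.1.7", "198.51.100.22", 443, "in", 4_000, 20_000),           # inbound to the web server
    Conn("192.168.1.50", "203.0.113.200", 443, "out", 50_000, 80 * 1024 * 1024),  # large upload
]

if __name__ == "__main__":
    for c, reasons in report(SAMPLE):
        print(f"{c.direction:>3} {c.local} <-> {c.remote} port {c.dport}")
        for r in reasons:
            print("     -", r)
```

Five of the eight sample rows are flagged; the workstation HTTPS session, the mail server's SMTP session and the inbound HTTPS to the web server pass. The role and inbound tables are the part you would maintain for your own network, and they double as the spec for the firewall rules the post recommends.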
Looking at these connections from time to time can help you learn what is normal and expected. Another place worth looking is the WAN traffic chart. Unusual peaks of traffic at unexpected times may alert you to unauthorized behavior.
In the case shown here, that was just me upgrading my Mac OS software, but seeing that burst otherwise would have caused me to launch a serious investigation.
More Articles by Anthony Lawrence © 2015-05-12 Anthony Lawrence