Port Reporter, a Windows tool for logging port use

I came across a very useful tool for logging port use in Windows. It is called the Port Reporter. This tool runs as a service on a Windows 2000, XP, or 2003 computer. It logs all TCP and UDP port use to log files. A separate utility called the Port Reporter Parser provides a nice GUI interface for viewing the log files and analyzing the data.

A detailed Microsoft Knowledge Base article on the Port Reporter can be found here.
The Port Reporter can be downloaded here.
The Port Reporter Parser can be downloaded here.

To install both of these tools, first download them. When you first run the setup, you will have to extract the files to a temporary folder and then run the setup from there. Port Reporter is installed as a service, but its startup type is set to Manual. It can be started by opening Services, selecting the service, and clicking Start.

The log files are stored by default in the c:\windows\system32\logfiles\portreporter folder. The tool makes three log files. The first is an initial log file that records the ports, processes, and modules that are in use when the service starts. The second logs each use of a port. It captures the date, time, protocol, local port, local IP address, remote port, remote IP address, PID, module, and user context for each port connection that is made. The third captures detailed information for each use of a port. By default, Port Reporter starts a new log when a file reaches 5 MB in size.

I found that after running the service for a day it stored about 40 MB of log information. Of course I use Firefox, IE, IM, remote desktop, VNC, SSH, and plenty of different network stuff all day long, so I would expect the logs to be huge. I would not recommend using the Port Reporter all the time, but instead you should run it for a day to get a good idea of the different connections that your computer makes. Then when you need to log port use, perhaps to try to find a trojan or another security problem, you know what should be normal.
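As an added example (not part of the original post or of Port Reporter itself), here is one way to turn that one-day baseline into a check: parse the port-use log and report connections whose protocol, module, user, and service port never appeared in the baseline. It assumes each record is one comma-separated line with the fields in the order listed above; the function names and the sample lines are constructed for illustration.

```python
import csv
from collections import namedtuple

# Assumed layout: one comma-separated record per line, fields in the order the post lists.
FIELDS = ["date", "time", "protocol", "local_port", "local_ip",
          "remote_port", "remote_ip", "pid", "module", "user"]
Conn = namedtuple("Conn", FIELDS)

def parse_log(text):
    """Yield Conn records; skip blank, truncated, or non-numeric-port lines."""
    for row in csv.reader(text.splitlines()):
        row = [c.strip() for c in row]
        if len(row) != len(FIELDS):
            continue
        try:
            row[3], row[5], row[7] = int(row[3]), int(row[5]), int(row[7])
        except ValueError:
            continue
        yield Conn(*row)

def profile(conn):
    """Key that defines 'normal': protocol, module, user, and service port.
    Heuristic (an assumption): the lower-numbered port is the service side."""
    return (conn.protocol.upper(), conn.module.lower(), conn.user.lower(),
            min(conn.local_port, conn.remote_port))

def new_activity(baseline_text, later_text):
    """Return later records whose profile never appears in the baseline."""
    known = {profile(c) for c in parse_log(baseline_text)}
    return [c for c in parse_log(later_text) if profile(c) not in known]

# Constructed sample data (not real Port Reporter output).
BASELINE = """\
05/06/01,09:00:12,TCP,1034,192.0.2.10,80,198.51.100.7,1420,firefox.exe,CORP\\alice
05/06/01,09:02:40,TCP,3389,192.0.2.10,4201,192.0.2.44,812,svchost.exe,NT AUTHORITY\\SYSTEM
05/06/01,09:05:03,UDP,1040,192.0.2.10,53,192.0.2.1,1004,svchost.exe,NT AUTHORITY\\NETWORK SERVICE
"""
LATER = """\
05/06/09,14:11:05,TCP,1188,192.0.2.10,80,203.0.113.9,1532,firefox.exe,CORP\\alice
05/06/09,14:12:31,TCP,1190,192.0.2.10,6667,203.0.113.50,2044,helper32.exe,CORP\\alice
this line is truncated,TCP
05/06/09,14:15:02,TCP,3389,192.0.2.10,4410,192.0.2.61,812,svchost.exe,NT AUTHORITY\\SYSTEM
"""

if __name__ == "__main__":
    for c in new_activity(BASELINE, LATER):
        print(c.date, c.time, c.protocol, c.module, c.user,
              f"{c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port}")
```

Keying on the module and service port rather than on remote addresses keeps ordinary browsing to new sites from flooding the report, while a module that was never seen during the baseline day still stands out.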

The Port Reporter Parser is a great tool for digging through the log files. Instead of opening up the logs in notepad, this tool will neatly display the log in a grid, with sortable columns. It can analyze the data and display a wide variety of statistics. Double clicking on a record in the main grid will bring up its associated module information from the larger log.

In conclusion, I have not used this program for very long, but it logs a wealth of great information that would be very helpful for detecting attacks and security breaches. For example, the tool could be installed on users' computers, and the logs analyzed to determine if the user has installed malware or some unwanted programs on their computer. It would also be useful for logging port access on a server.
