With the impending hard cap coming soon I thought it might be useful to post some information about how to monitor what's using up the bandwidth on your ADSL (or other broadband) line.
First up, don't expect this to be a golden bullet to solve all your unexplained traffic problems. It will provide you with some useful information, but analysing the information is always the most difficult part.
Just so we're clear, this mini-tutorial is going to get you to a point where you can see all the network traffic that is flowing in and out of your network card. You'll be able to see who is connecting to your computer, who your computer is connecting to and how much data is flowing in and out of each connection.
To start you need to install some software.
Winpcap is a network monitoring library that can monitor the raw data packets coming in and going out of your computer and make the information available to any client program that wants to use it. Download and install it.
Once Winpcap is installed you need a client program that displays the network traffic that is coming in and going out.
There are lots of client programs that you could use, just have a look at the list here to see some of them.
The one I'm suggesting you use is called Show Traffic and you can find it about two-thirds of the way down the page above. The download link is here. I chose it because it's really simple to use, not necessarily simple to understand, but once you get the basics down it becomes easier.
So now you've installed it and you run it and.... nothing happens!! Don't worry. By default it will not monitor your traffic unless you ask it to (there is a small performance overhead involved in traffic monitoring, so don't leave it running all the time.)
At the top left of the screen is a drop down list where you need to select the network interface that you want to monitor. If you are using a router then it will be the network card that the router is plugged into. If you have a modem (ADSL, ISDN or other) then you will need to choose the interface that matches your modem. Once you've selected which interface to monitor, press the green arrow just to the right of the drop down list. Now you should see some activity in the main screen as packets are sent and received. The main screen shows all the comings and goings of the network traffic on the interface you selected.
Right, so that's the end of the tutorial. Good luck with your traffic monitoring.
Only joking, right now is when you realise that seeing what traffic is flowing through your network is the easy part, analysing the traffic is the hard part.
Let's start by making everything a bit more readable. Press F11 and F12 on your keyboard or else click the green NS button and the red and blue 21FTP buttons on the toolbar. This turns on name resolution of the IP addresses so the Source and Destination columns should change from IP addresses to real names. It's always easier to get some context from a name than a number. It also changes the src port and dest port columns to display port names instead of the port numbers.
I guess the next step is to explain how the internet works, what IP addresses are, what ports are. I'm not going to do that, it's just too big to explain.
What you need to do is look at the data being generated in the main window, especially the Traffic column. If the Traffic value is high (and keeps getting higher) then that is what is using your bandwidth. Just a heads up, traffic between your computer and your router (if you have a router) does show up here as well and is likely to be high. Eliminate it from your investigations before you go any further (it's free, so it doesn't count).
If you open a web browser and download a page you should see traffic on the http port (port 80). The Source and Destination columns should show your computer name and the name of the website you are connecting to. If you are doing an ftp download it will show up on the ftp port (21). If you google 'tcp/ip ports' and the port number or name from the src or dest column you'll find lots of lists of ports and their meanings. Use those to figure out where the traffic is going to or coming from.
Here are some red flags you should be looking for. Port 25 (smtp) is used to send email. If you have a spamming trojan on your computer it will be sending out a lot of traffic on this port. A lot of trojans use IRC port 6667 to 'phone home'. If you see this port showing up and you don't use IRC, be suspicious.
And then the obvious, if you're not doing anything then there shouldn't be any traffic showing up. Sit back and do nothing for a minute while watching the main window. You should see it dying down slowly until there is nothing showing. If not, then something (or someone) is using your bandwidth without asking.
OK, so now you're ready to go ahead and analyse.
If you have any questions, comments or suggestions please post them to this thread and I'm sure they will get answered.
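The triage described in the post (ignore computer-to-router traffic, rank what is left by volume, treat ports 25 and 6667 as red flags unless you use them), written out as an added example that is not part of the original post and is not Show Traffic's own code. The row layout, the `192.168.1.0/24` LAN range and every sample value are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the home LAN (computer and router) sits in this range.
LAN = ip_network("192.168.1.0/24")

# Red-flag ports named in the post, with the reason given there.
RED_FLAG_PORTS = {25: "smtp: possible spamming trojan",
                  6667: "irc: possible trojan phoning home"}

# Constructed sample rows: (source, destination, port, bytes). Not a real capture.
SAMPLE_ROWS = [
    ("192.168.1.10", "192.168.1.1", 80, 900_000),   # computer <-> router, free
    ("192.168.1.10", "203.0.113.5", 80, 120_000),   # web browsing
    ("203.0.113.5", "192.168.1.10", 80, 80_000),    # replies from the same site
    ("192.168.1.10", "198.51.100.7", 25, 450_000),  # outbound mail
    ("192.168.1.10", "198.51.100.9", 25, 300_000),
    ("192.168.1.10", "192.0.2.44", 6667, 4_000),    # IRC
    ("192.168.1.10", "203.0.113.80", 21, 50_000),   # ftp download
]

def is_lan(addr):
    return ip_address(addr) in LAN

def summarise(rows, ports_i_use=()):
    """Return (ranked, flagged): per-remote totals by volume, plus red-flag entries."""
    totals = defaultdict(int)
    for src, dst, port, nbytes in rows:
        if is_lan(src) and is_lan(dst):
            continue  # computer <-> router traffic does not count against the cap
        remote = dst if is_lan(src) else src
        totals[(remote, port)] += nbytes
    ranked = sorted(totals.items(), key=lambda item: item[1], reverse=True)
    flagged = [(remote, port, nbytes, RED_FLAG_PORTS[port])
               for (remote, port), nbytes in ranked
               if port in RED_FLAG_PORTS and port not in ports_i_use]
    return ranked, flagged

if __name__ == "__main__":
    ranked, flagged = summarise(SAMPLE_ROWS)
    for (remote, port), nbytes in ranked:
        print(f"{remote:15} port {port:<5} {nbytes:>9} bytes")
    for remote, port, nbytes, reason in flagged:
        print(f"RED FLAG {remote} port {port} ({nbytes} bytes): {reason}")
```

Pass `ports_i_use=(25,)` if you send mail from a desktop client yourself, so that only traffic you cannot account for is flagged.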