Question about svchost
on 05.03.2007 01:41:49 by thx1138xxix
I was wondering if someone could help me figure something out.
When running TCPView, I'll see svchost establishing connections to
places that I don't recognize. And I was wondering if there is a way I
could find out ~why~ it's connecting to these places.
For instance today.. I logged on and my firewall alerted me that
svchost wanted to connect to download.windowsupdate.com. Okay, fine..
I accepted. It connected and there were no updates. But while watching
TCPView.. svchost connected (without alerting me) to a different IP
(195.10.34.87:80). I couldn't find any info on that IP so I checked
my Process Explorer and saw that svchost was connected to
"rsvd-akamaiint-87.34.10.195.in-addr.arpa:http".
I sat there and watched as over 10 megs of data was being received by
my computer and about 800k was being sent out. I didn't see an
automatic update icon appear as it normally does when downloading
updates.. so I wasn't sure what kind of data was being exchanged.
So I logged off and reconnected. Now svchost has connected again
(without any alert from my firewall) to 72.247.127.51:80.. which is
AKAMAITECHNOLOGIES.COM and has begun sending and receiving data once
again with no auto-update icon showing.
Is there ~any~ possible way to find out what kind of data is being
sent or received by my computer when this happens?
Please help?
Re: Question about svchost
on 05.03.2007 02:52:23 by unknown
Post removed (X-No-Archive: yes)
Re: Question about svchost
on 05.03.2007 06:24:37 by "Mr. Arnold"
thx1138xxix@yahoo.com wrote:
> Is there ~any~ possible way to find out what kind of data is being
> sent or received by my computer when this happens?
>
You use a packet sniffer like Ethereal (free) or other ones that are free.
Also, as you can see, the personal FW or personal packet sniffer can be
circumvented and defeated with ease under the right conditions.
That's why you use the tools in the link and look around from time to
time with the tools in the link.
Svchost.exe is just the messenger, which does the bidding for the O/S
programs and other programs that want to connect on a network, such as
the Internet.
You use Process Explorer, which allows you to look inside a program
and see what other programs/processes are being hosted by a given
program/process, and the other tools such as TCPview.
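The mapping described in the reply above (which services sit inside the svchost.exe instance that owns a given connection) can also be listed from a prompt. This is an added example, not part of the original thread; it assumes Windows 8 / Server 2012 or later, where `Get-NetTCPConnection` and `Resolve-DnsName` are available, and an elevated PowerShell session.

```powershell
# Added example: list each established svchost.exe TCP connection together
# with the services hosted in that svchost instance.

# Build a lookup table: hosting PID -> names of the services running in it.
$servicesByPid = @{}
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($svc.ProcessId) {
        $servicesByPid[[int]$svc.ProcessId] += @($svc.Name)
    }
}

# PIDs of every running svchost.exe instance.
$svchostPids = @((Get-Process -Name svchost -ErrorAction SilentlyContinue).Id)

Get-NetTCPConnection -State Established |
    Where-Object { $svchostPids -contains $_.OwningProcess } |
    ForEach-Object {
        $conn = $_

        # Reverse DNS is best effort; CDN addresses often have a generic
        # PTR record or none at all.
        $answer = Resolve-DnsName -Name $conn.RemoteAddress -Type PTR `
                      -ErrorAction SilentlyContinue
        $ptr = ($answer | Where-Object { $_.Type -eq 'PTR' } |
                Select-Object -First 1).NameHost

        [pscustomobject]@{
            PID        = $conn.OwningProcess
            Remote     = '{0}:{1}' -f $conn.RemoteAddress, $conn.RemotePort
            ReverseDns = $ptr
            Services   = $servicesByPid[[int]$conn.OwningProcess] -join ', '
        }
    } |
    Sort-Object -Property PID |
    Format-Table -AutoSize -Wrap
```

A row whose Services column names the Windows Update or BITS services (`wuauserv`, `BITS`) alongside a CDN address is consistent with update traffic; a row with an empty Services column deserves a closer look in Process Explorer.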
Re: Question about svchost
on 05.03.2007 06:28:03 by "Mr. Arnold"
Also, as you can see, the personal FW or *personal packet sniffer* can
be circumvented and defeated with ease under the right conditions.
Also, as you can see, the personal FW or *personal packet filter* can be
circumvented and defeated with ease under the right conditions.
Re: Question about svchost
on 05.03.2007 21:38:29 by kingthorin
On Mar 4, 7:41 pm, thx1138x...@yahoo.com wrote:
> I was wondering if someone could help me figure something out.
>
> When running TCPView, I'll see svchost establishing connections to
> places that I don't recognize. And I was wondering if there is a way I
> could find out ~why~ it's connecting to these places.
>
> For instance today.. I logged on and my firewall alerted me that
> svchost wanted to connect to download.windowsupdate.com. Okay, fine..
> I accepted. It connected and there were no updates. But while watching
> TCPView.. svchost connected (without alerting me) to a different IP
> (195.10.34.87:80). I couldn't find any info on that IP so I checked
> my Process Explorer and saw that svchost was connected to
> "rsvd-akamaiint-87.34.10.195.in-addr.arpa:http".
>
> I sat there and watched as over 10 megs of data was being received by
> my computer and about 800k was being sent out. I didn't see an
> automatic update icon appear as it normally does when downloading
> updates.. so I wasn't sure what kind of data was being exchanged.
>
> So I logged off and reconnected. Now svchost has connected again
> (without any alert from my firewall) to 72.247.127.51:80.. which is
> AKAMAITECHNOLOGIES.COM and has begun sending and receiving data once
> again with no auto-update icon showing.
>
> Is there ~any~ possible way to find out what kind of data is being
> sent or received by my computer when this happens?
>
> Please help?
ARIN can be your friend:
http://ws.arin.net/whois/?queryinput=72.247.127.51
http://ws.arin.net/whois/?queryinput=195.10.34.87 (Of course you can
go further to see who RIPE is providing the IP to based on ARIN's
info .... http://www.ripe.net/whois?form_type=simple&full_query_string=&searchtext=195.10.34.87
..... looky it's AKAMAI-TECHNOLOGIES again).
Further, Google is your friend; if you didn't know, a quick search would
reveal that MS is a significant customer of Akamai.
Re: Question about svchost
on 05.03.2007 22:46:59 by ArtDent
On 5-Mar-2007, kingthorin@gmail.com wrote:
> MS is a significant customer of Akamai.
Is it just me, or does anyone else wonder why _MS_ needs someone else to
help them with their computer networking?
You would think that they would have the hardware and knowledge 'in house'
as it were.
Just a random wondering, we now return you to your regularly scheduled
insanity.
--
FUD 4 ever!
Re: Question about svchost
on 05.03.2007 23:04:35 by DevilsPGD
In message
"ArtDent" wrote:
>
>On 5-Mar-2007, kingthorin@gmail.com wrote:
>
>> MS is a significant customer of Akamai.
>
>Is it just me, or does anyone else wonder why _MS_ needs someone else to
>help them with their computer networking?
>You would think that they would have the hardware and knowledge 'in house'
>as it were.
>Just a random wondering, we now return you to your regularly scheduled
>insanity.
It's often cheaper to outsource than to build your own infrastructure.
--
Insert something clever here.
Re: Question about svchost
on 05.03.2007 23:32:34 by unknown
Post removed (X-No-Archive: yes)