How to trace TCP/IP connection activity

I noticed an unusual amount of network activity via Windows Task Manager and looked at Realtime Connections under Realtime Graphs.

I found GBs transferred to IP/host below. The transferred amount was continually climbing while I was watching. I rebooted my router and about 15 seconds after reboot, it started transferring again. The local IP shown below is my work laptop, which I was on at the time. I had nothing running that should have been transferring anything.

Here's what I saw in Realtime Connections, minus the transferred counts:
IPV4 TCP 192.168.1.225:65238 67.208.170.158.nyc.electricfiber.net:443

I have a lot of other connections to the same domain with much smaller transfer stats, all from the same PC.
67.208.170.133.nyc.electricfiber.net:443
67.208.170.151.nyc.electricfiber.net:443

In the future, is there a way to quickly determine what is happening when I see large transfers of data? Also, is there any way to figure out just what I'm connected to?

  • The server is an Outlook Web site
  • The cert's subject CN is uicalaska.com

https://mail.uicalaska.com/


First, thank you for the speedy response. Would you please share how you figured that out?

Sure...

From your post above.

I then used a domain (e.g. mail).

By the way, the other IP's cert is https://adcac.uicalaska.com/ ...but there's some odd HTTPS selection working - they may be behind a load balancer of some sort. This adcac host fails trying to reach VDCLYNCEDGE01.uic.com.


Thanks for the help. This traffic is from my own company. At least that makes me feel better.

iftop -i any                                # live per-connection bandwidth on every interface
tcpdump -i any                              # raw packet capture on every interface
whois example.org                           # registrant / netblock details for a name or IP
openssl s_client -connect example.org:443   # show the TLS certificate the host presents
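An added example (not code from anyone in this thread) that does in Python what the reverse lookup and `openssl s_client` steps above do by hand: resolve the address back to a name, fetch the certificate the server presents, and report its subject CN, issuer and DNS SANs. The sample certificate dictionary and every name in it are constructed; `sni` lets you supply a guessed domain such as the mail host, since the thread notes the server picks its certificate by name.

```python
import hashlib
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# validated certificate; the names are made up for this example.
SAMPLE_PEER_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "mail.example.invalid"),)),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example Issuing CA"),)),
    "subjectAltName": (("DNS", "mail.example.invalid"),
                       ("DNS", "autodiscover.example.invalid"),
                       ("IP Address", "192.0.2.10")),
}


def _rdn_value(cert, field, key):
    """Pull one attribute (e.g. commonName) out of a subject/issuer RDN tuple."""
    for rdn in cert.get(field, ()):
        for name, value in rdn:
            if name == key:
                return value
    return None


def summarize_cert(cert):
    """Return (subject CN, issuer CN, DNS SANs) from a getpeercert() dict."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return (_rdn_value(cert, "subject", "commonName"),
            _rdn_value(cert, "issuer", "commonName"), sans)


def identify_endpoint(ip, port=443, sni=None, timeout=5.0):
    """Reverse-resolve ip and describe the certificate served on ip:port.

    Chain validation against the system CAs stays on so Python parses the
    certificate, but hostname checking is off because the reverse name
    (the electricfiber.net style above) rarely matches the certificate. If the
    chain is untrusted, fetch the raw DER and return only its SHA-256 fingerprint.
    """
    try:
        rdns = socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        rdns = None
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return rdns, summarize_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        ctx.verify_mode = ssl.CERT_NONE
        with socket.create_connection((ip, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
        return rdns, "untrusted chain, sha256=" + hashlib.sha256(der).hexdigest()
```

Run `identify_endpoint("203.0.113.5", sni="mail.example.invalid")` against a real address to get the same kind of answer the reply above gave: the reverse name plus the CN and SANs the server actually presents.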
