
PNetMon - Support


A quick guide to using PNetMon

  • Installation will install a service and a client application called PNetMon. The service (PNetMonSvc) continuously monitors network activity of the computer on which it is installed. An icon on the desktop is used to run the PNetMon client to see monitored network activity. The service will start automatically at PC boot up. You can stop and start the service manually via the Services window if you like. The client will display a message if the service isn't running and will wait for it to start.
  • The PNetMon display shows network activity with the most recent activity shown in white text and less recent activity shown in a teal color. You can change the default colors via the Appearance menu item.
  • The entries displayed and their sort order depends on the Filter>Collapse List menu option:
    • If Collapse List is not checked then a list of all activity down to the IP port level is displayed with the most recent activity appearing at the top of the list by default. This is the least filtered option and will usually result in a list that is extremely long.
    • If Collapse List is checked and the By Proc ID + Host IP Addr filter mode is selected then a list of all activity down to the remote IP address level is displayed. The list is sorted by Proc ID (Windows process ID) and Host IP Address.
    • If Collapse List is checked and the By Proc ID filter mode is selected then a list of activity down to the Proc ID level is displayed. This mode will display only one entry for each Windows process ordered by Proc ID and provides the most compact listing. The remote host shown for each Proc ID represents the most recent communications activity for that process, which will likely change with every refresh.
  • Click on a list heading to override the default sort and sort by that heading. Click the Unsort menu item to restore the default sort. You can drag columns to reorder them.
  • The PNetMon display window is now fully user adjustable in size and will provide scroll bars as needed.
  • Display columns will automatically adjust in width to accommodate the data.
  • The display will refresh every few seconds -- auto refresh can be turned off and on via the Refresh menu item.
  • Clicking on a row will pop up detailed stats for the row. Dismiss the stats by moving mouse cursor off the pop up.
  • The default display shows the following fields:
    • Program — the name of the program running on your computer that is communicating
    • Host Org — the resolved whois name of the organization operating the host involved in the communication
    • Host URL — the resolved URL of the host involved in the communication. Note: in the default "collapsed" display mode all hosts from the same organization are shown on a single line, so the URL shown is one of possibly many hosts from that organization. To see all hosts separately, check Collapse List in the Filter menu and select the By Proc ID + Host IP Addr filter mode.
    • Host Country — the resolved whois country of the host organization. Note: this will not necessarily be the location of a specific host, but is the location on record for the responsible organization.
  • Stealth Mode allows the display of activity on a single monitor without interfering with other windows on the desktop. In this mode the PNetMon window becomes partially transparent to the eye and completely transparent to mouse or keyboard input. To interact with PNetMon once Stealth Mode has engaged, click on the "world" icon in the Windows Notification Area to restore the normal window.
  • Stealth Mode is activated under the Appearance menu. When activated, the program will enter Stealth Mode within a few seconds of focus shifting to a different program window. You can minimize PNetMon with Stealth Mode enabled to hide its Task Bar icon and avoid it shifting to a transparent window. Setting Stealth Mode opacity to 100% will also prevent shifting to a transparent window. Click on the "world" icon in the Windows Notification Area to restore the transparent window to a normal interactive window.
  • When Stealth Mode is enabled the window Close (X) button will minimize the window rather than close the program. When in Stealth Mode menu option Program>Exit can be used to terminate the client program.
  • PNetMon uses your network connection only to do host lookups and to occasionally download the host blacklist. PNetMon lookups are by default filtered from the client activity list. To see that activity uncheck No Lookup Entries in the Filter menu. PNetMon uses several resources to do host lookups, including Windows function GetHostEntry as well as online resources: ipinfo.io, ARIN, RIPE, APNIC, AFRINIC, and LACNIC.
  • PNetMon does not communicate your network activity to anyone other than to the current user of your computer via the client display. PNetMon does not maintain a log of network activity. It does use a cache to reduce repeated host lookups.
  • The new Auto-Alert and Auto-Block features are enabled by default (see note, below). You can enable/disable those under the Program menu item. Disabling Auto-Alert prevents window pop-up and the alert sound when a blacklisted host is detected. If Auto-Block is disabled then an alert won't add firewall rules to block the blacklisted host.
  • A new Auto-Start feature can be enabled to cause the client program to start automatically when Windows boots up. The program window will automatically minimize after an auto start.
  • If you'd like to support our PNetMon development efforts you can donate whatever amount you want on Buy/Reg web page, or select Program>About within the program. Thank you!

NOTE: The client program must be running for the alert and auto-block features to work! You can minimize the client window. If communication with a blacklisted host is detected, PNetMon will optionally add blocking rules for that host to Windows Firewall, sound an alert, and pop up the program window for you to see the alert. So-called "flagged" hosts are displayed at the top of the list by default. PNetMon downloads the latest version of the blacklist each time it starts and roughly once per hour thereafter for as long as the client program is running. The blacklist used by PNetMon is compiled and maintained by FireHOL (http://iplists.firehol.org).

FAQ

What does a row in the display represent?

Each row represents a "connection" or end-to-end communication between your PC and a remote computer (host). The key elements of a connection are the local process involved (Proc ID) and the remote host IP address and port number.

What is "Proc ID"?

A Proc ID, short for "Process Identifier", is how Windows uniquely identifies running processes. An executing program can have multiple processes, which is why you'll often see the same Program listed in many rows.

What does Unsort do?

You can sort the display list by a specific column by clicking on a column header. Click the header again to reverse the sort on the column. Unsort resets to the default sort based on the Filter Collapse mode chosen. An uncollapsed display is sorted by Last Pkt Time, which is the time of the most recent packet sent or received. A display collapsed to Proc ID is sorted by Proc ID. A display collapsed to Proc ID + Remote IP is sorted by Proc ID and Remote IP.

What does Clear do?

Clear will wipe all collected connection data. It clears all buffered service data as well as the displayed data. Collection then begins again with a clean slate.

What is the effect of auto-block?

When an alert occurs and auto-block is enabled the client program will tell the firewall to add rules that block the blacklisted IP address for both inbound and outbound traffic. A few packets may be exchanged before the block is in effect, but once in effect no further communications with that remote host will be possible. Future attempts by programs to talk with that IP address will no longer appear in PNetMon's display because the blocked packets never reach the network.

Is an auto-blocked IP address permanent?

No. Blocked IP addresses are eventually unblocked once the cache record for that address expires within PNetMon - about 3 days as currently configured. Once unblocked the IP address can become blocked again if there are communications with it and it's still in the blacklist.
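As an added illustration (not PNetMon's own code), here is a small Python model of the alert and auto-block behaviour described in the note and these FAQ entries: a FireHOL-style list containing single addresses and CIDR "ipsets", a check of each connection's remote IP against it, and block records that lapse after roughly 3 days. The sample list, the in-memory block store and the function names are constructed stand-ins; the real client writes inbound and outbound Windows Firewall rules instead of dictionary entries.

```python
import ipaddress

# Constructed sample in the style of a FireHOL .netset file (not the real list):
# '#' starts a comment; entries are single addresses or CIDR "ipsets" (ranges).
SAMPLE_NETSET = """\
# firehol_level3 -- constructed sample for illustration only
192.0.2.0/24
198.51.100.7
203.0.113.128/25
"""

# A block lapses with its cache record, about 3 days as the FAQ states.
BLOCK_TTL_SECONDS = 3 * 24 * 3600


def parse_netset(text):
    """Return ip_network objects for each entry, skipping comments and blanks."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            # strict=False tolerates host bits set in a range entry
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_blacklisted(remote_ip, nets):
    """True when the remote address matches a listed address or range."""
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in net for net in nets)


class AutoBlocker:
    """Keeps per-IP block records (stand-ins for the firewall rule pairs)."""

    def __init__(self, nets):
        self.nets = nets
        self.blocked = {}  # remote_ip -> timestamp when the block was created

    def expire(self, now):
        """Drop records older than BLOCK_TTL_SECONDS; the IP may re-block later."""
        for ip, since in list(self.blocked.items()):
            if now - since >= BLOCK_TTL_SECONDS:
                del self.blocked[ip]

    def observe(self, proc_id, remote_ip, now):
        """Check one connection; return (proc_id, ip) when an alert fires."""
        self.expire(now)
        if not is_blacklisted(remote_ip, self.nets):
            return None
        # One rule pair per IP; an existing record is not refreshed
        self.blocked.setdefault(remote_ip, now)
        return (proc_id, remote_ip)
```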

How do I remove an auto-block?

You can manually remove a block using Windows Firewall. You must remove both the inbound and outbound rules. Click Start and type firewall. Click on "Windows Firewall with Advanced Security". Click on Inbound Rules, click on the Name column to sort by name, then type the letter P. You'll see entries labeled "PNetMon" if there are active auto-blocks in place. The name also includes the IP address. Select the entry and hit Delete. Next, click on Outbound rules and repeat the steps.

Will PNetMon affect network performance?

We have not seen any impact of using PNetMon under normal circumstances. The service may have an impact on very high throughput network operations, such as for online multiplayer FPS games. You can open Services and stop the PNetMonSvc while doing those types of operations.

Can auto-block prevent an infection?

PNetMon does not replace your anti-virus software nor does it eliminate the need to patch vulnerabilities. It can alert you to a likely infection and potentially disrupt operation of malware on your PC by blocking access to the malware's C&C (Command and Control) server. However, we cannot and do not guarantee that it will protect your PC from an infection. The FireHOL blacklist used by PNetMon is updated multiple times per day and PNetMon updates its list roughly once per hour. Despite frequent updates the blacklist probably won't contain malicious hosts for newer malware campaigns. Security researchers often have to analyze associated malware code to identify hosts used by the malware. We're very interested in hearing about your experiences with using PNetMon!

How should I handle an alert?

An alert does not necessarily mean that your PC is infected. One limitation of the blacklist is that it doesn't specify port numbers. The typical internet server at a specific IP address can perform a myriad of different services, which are designated by port numbers. Multiple physical servers may also be sharing the same IP address. Only a single service at the IP address might be associated with malicious activity, but the entire IP address must be blacklisted. If you get an alert take note of the program identified in the alert as well as the Host Org and Host Country. Keep in mind that recognizable hosts (e.g., an alert with a Host Org of "Google") might be compromised for periods of time so a familiar name doesn't necessarily mean that it's a false alarm. We recommend keeping auto-block enabled.

There was an alert and now one of my programs isn't working and/or I can't visit a specific website

If a block is interfering with a known good application on your PC or with a known good website then you can manually unblock it (see above). Keep in mind that programs can be infected and trigger the alerted communications. Also well known websites can be compromised for periods of time.

Feedback Form

Users can report issues or ask questions using the form below. Or, just send us an email. Thanks.

Recent Program Updates

July 30, 2017 -- PNetMon v3.72 is now available for download. This new version includes the following updates:

  1. Fixed: display entries not expiring causing performance issues
  2. Fixed: display remained blank on startup if auto-refresh disabled
  3. Fixed: unable to scroll display with auto-refresh enabled

July 26, 2017 -- PNetMon v3.70 includes the following updates:

  1. Added: an Auto-Block feature - client can now set blocking rules in Windows Firewall for a detected malicious host
  2. Added: new Program menu options - Auto-Alert, Auto-Block, Auto-Start, and Exit
  3. Added: blacklist now updates roughly every hour instead of only at program startup
  4. Fixed: client program could hang or crash after an alert
  5. Fixed: some user menu options were not retained between program runs
  6. Fixed: client program would hang if service not running
  7. Fixed: now use FireHOL Level3 blacklist instead of Level1. This should greatly reduce extraneous alerts
  8. Fixed: now support FireHOL blacklist "ipsets", which specify a contiguous range of IP addresses
  9. Fixed: some connections could be attributed to the wrong program module name
  10. Fixed: window position/size not saved on forced Windows shutdown
  11. Fixed: it was possible to get stuck in opacity preview when selecting a Stealth opacity setting in menu
  12. Fixed: custom colors defined in color picker were not being saved between program runs
  13. Fixed: a couple of issues with Program Name Filter menu option
  14. Fixed: alerts did not occur if refresh was disabled. They do now
  15. Fixed: improved client performance for refresh and user interface
  16. Fixed: improvements to install and uninstall
  17. Fixed: inactive connection info is displayed for a longer period of time before being removed

February 10, 2017 -- PNetMon v3.43 includes the following updates:

  1. Fixed: recent .NET updates caused IP host name lookups to fail
  2. Fixed: client window auto-sizing caused excessive jumping of the display during refreshes
  3. Fixed: Column Pkts In (packet in count) was missing packets
  4. Fixed: better recognition of local, multicast, and broadcast IP addresses
  5. Fixed: greatly improved performance of client refresh
  6. Fixed: activity that could not be resolved to a specific Windows process was lost - it is now attributed to the OS and displayed as Proc ID '0'
  7. Fixed: working data was restricted to what the user chose to display, which could cause activity to be missed
  8. Added: Alert feature - client now alerts user when their PC communicates with a blacklisted host. The alert will work regardless of what the user chooses to display in the client.
  9. Added: user can now re-size, minimize, maximize, and restore client window.

Known Issues

August 22, 2017 - on systems localized to non-English languages the PNetMonSvc service may fail to run with error 1075. Version 3.73 has been released to correct this problem.

July 30, 2017 - display entries are not expiring as expected causing performance issues if program runs for a long period of time. Install the latest download to correct this problem.