Personal Network Monitor
Personal Network Monitor - PNetMon - was born out of a desire to see what our PCs were up to on the network. You just might be amazed.
Is PNetMon a Monitoring Tool?
Yes, PNetMon displays all local and remote network activity involving your PC. By knowing the normal pattern of network communications for your PC you may be able to spot something that just doesn't look right. What's my computer doing talking to that unfamiliar host in a distant location? With that lead and a little research you just might find that your computer is doing things that you don't want it to do.
The PNetMon display will hopefully be interesting and perhaps enlightening at first, but we realize that you'll need to do some work (or play) on your computer and can't be watching our program all the time. Newer versions of PNetMon include automated protection that runs in the background while you work or play on your PC.
So Is PNetMon a Security Tool?
It's getting there! Today's malware has become increasingly sophisticated. Once it gets past your primary defenses it will often hide it's presence so it can remain on your PC to do its evil deeds for as long as possible. Many computers are infected for long periods of time without their owner's knowledge. The primary defenses available to the average PC owner are to use anti-virus software and keep the operating system and critical applications up-to-date with the latest patches. PNetMon is not meant to replace your existing defenses, but it could serve as a safety net if those defenses fail you.
Modern malware has managed to greatly reduce the effectiveness of signature-based anti-virus tools. And there seems to be no end to new zero-day vulnerabilities being discovered in critical software. But, malware still has at least one weakness that can be exploited. When it manages to penetrate your PC's defenses it almost always needs to communicate with a remote C&C (Command and Control) host (server) for instructions, updates, and/or to send your personal data. Your system becomes a secret member of a botnet to be used for evil deeds without your knowledge. A lot of malware operates this way. Penetrating a system is the hard part so once a system is compromised the perpetrators will typically want to get maximum value out of it by making ongoing, long-term use of your system without being discovered. They can do this by continually updating the malware to hide from new defenses, fix bugs (yes, malware has bugs too), perform new tasks, and attack new targets. All of those subversive tasks usually require malware to communicate with a remote host.
PNetMon employs a blacklist to determine potentially malicious hosts. When communications with a blacklisted host are detected the PNetMon client will alert you as well as add rules to Windows Firewall to block that host. These new "alert" and "auto block" features are available in the latest version of PNetMon.
Who Maintains the Blacklist?
Fortunately, security researchers and others have been actively identifying and cataloging known malicious hosts. As a result there are several blacklists available online that identify known malicious hosts by their IP addresses. These lists are dynamic and are typically updated many times per day at regular intervals. The site firehol.org offers several blacklists compiled from various online sources with an added focus on minimizing false positives. PNetMon uses the FireHOL level3 blacklist to identify potentially malicious hosts. This blacklist tracks hosts involved in attacks, spyware, and viruses. It contains over 65,000 IP entries that identify over 155,000 unique host IP addresses.
Why not just block all blacklisted hosts with the firewall?
Some businesses do that to protect their corporate network using dedicated firewall equipment. But the average PC firewall might get bogged down with over 130,000 new rules added to it. That's one rule to block inbound traffic and one rule to block outbound traffic for each of 65,000+ entries in the blacklist. Plus, some blacklist entries specify a range of IP addresses (called an "ipset"). Also, the blacklists are dynamic so rules would need to be frequently updated to match the latest version of the blacklist. You would need a special firewall to handle this task. PNetMon has been designed to automatically download and fully utilize the latest FireHOL blacklist without user involvement.
The reactive method used by PNetMon may let a few packets sneak through before the rules are set in the firewall, but your firewall will then block all subsequent attempts at communication with the blacklisted host. Rules added to your firewall by PNetMon are clearly identified and you can easily delete them with the 'Windows Firewall with Advanced Security' app. Check our support page for more information.
What About Adware?
There are many organizations out there whose main purpose is to track and follow what you're doing. They want to learn your surfing habits so they can do targeted marketing campaigns. Some of us don't mind that too much and some of us don't like it at all. Since these sites are generally not considered malicious they will not usually trigger alerts. But, it can be a real eye-opener to watch PNetMon while visiting your favorite web sites.
How Does PNetMon Work?
PNetMon consists of two components -- a service that runs in the background collecting your PC's network activity and a client program that you run whenever you want to see activity. This design serves two purposes -- first, it eliminates the need for the client program to have Admin privileges and second, it allows PNetMon to maintain a running list of recent activity even if you forget to run the client program. When you start the PNetMon client program you'll see all network activity that has occurred over the recent past. You can also now set the client program to auto-start at Windows boot-up.
PNetMon does not invade your computer with special drivers and other components that can destabilize your PC. It uses standard Windows API calls to gather network information. The PNetMon service is written in C++ for maximum performance. The client program is written in C#.
PNetMon is a Personal Network Monitor -- it does not see other activity on the network unless your PC is involved. PNetMon examines only the headers of network packets going in and out of your PC. It does not access the data portion of those packets. Furthermore, information on connections to remote hosts is kept for only short periods of time. The Windows event log is only used to record service start/stop and alert events.
Example of program display
A Tool for the Average PC User
There are many very good network scanning and monitoring tools out there for security professionals. In most cases they are complicated to use and relatively invasive to the target PC. Unlike PNetMon they're not meant for the average PC user who just wants some idea of what their PC is doing on the network.
It's Free!
PNetMon in its current form is free to download and use without restrictions, subject to the license agreement. If you would like to support our efforts to maintain this software and continue to make it freely available we would greatly appreciate it. See our Buy/Reg page for more information.
The latest version of PNetMon with blacklisted host alert and auto-block features is now available for download. We've been busy making many improvements and fixes to this software -- visit our support page for details. Please visit our download page to get it.