This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is it possible to see what on my computer is requesting a webpage to be opened?

0

http://websearch.linksys.com/?eg=-1367549799&job=blank

...is the site my computer keeps opening. If it's already opened, Chrome will open up a new tab and will continue to do so.

If I leave my computer sitting idle for a while, I can come back and find 5+ tabs opened up in Google Chrome to the address, even if Chrome wasn't opened when I left my computer. Changing the default browser also does nothing. It'll just continue to open the same page in, say, Firefox or whatever I change the browser to.

I've blocked the IP to the site in Windows Firewall, and that doesn't stop it either. Chrome just informs me that it can't connect to the website. And it will continue to open up new tabs regardless.

Is it possible to use Wireshark to find out WHAT exactly on my comp is trying to open this stupid website?

asked 09 Sep '11, 09:22

whaevr

edited 11 Sep '11, 13:22

helloworld

That sounds like malware (or a virus). You could hunt down the offending process (with several free tools) and get rid of it. If it comes down to it, you could reformat your machine. Be sure to take steps to avoid this problem.

(11 Sep '11, 13:32) helloworld

One Answer:

1

Yes, it might, but it could require good timing, because Wireshark alone doesn't help with the association of program to network connection. But if you run Wireshark you can see the communication start, and with that you'll see the TCP source port your computer is using.

Now, while the browser is still trying to get the page, you need to run netstat -ano on the command line, which will list IPs and ports as well as the Process IDs (PID) in the column to the right. Then, within the Windows Task Manager, you can look up the program using this ID (you'll probably have to add the PID column first, because by default it is not shown).

Alternatively you can try netstat -anb, which will try to find the program name instead of the PID, but it is a lot slower (meaning that the port in question might already be closed again when it actually gets to it, giving no results).

Or you could use Microsoft NetMon, which can associate Program and Port while it captures.

Good luck!

answered 10 Sep '11, 03:28

Jasper ♦♦
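
The port-to-PID lookup described in the answer above, as an added example that is not part of the original answer: it parses `netstat -ano` output and polls until the TCP source port seen in Wireshark appears, which works around the timing problem. The function names and the sample output are constructed for illustration, and the parser assumes the standard Windows column layout.

```python
import subprocess
import time

# Constructed sample of Windows `netstat -ano` output (not taken from the page).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.20:49731     203.0.113.10:80        SYN_SENT        4312
  TCP    [::1]:49670            [::1]:49671            ESTABLISHED     1204
  UDP    0.0.0.0:5353           *:*                                    2960
"""

def parse_netstat(text):
    """Yield one dict per TCP/UDP row of `netstat -ano` output."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # banner, column header and blank lines
        # UDP rows have no State column, so pad them to five fields.
        if len(f) == 4:
            f.insert(3, "")
        if len(f) != 5:
            continue
        proto, local, remote, state, pid = f
        # rpartition keeps bracketed IPv6 hosts intact, e.g. "[::1]:49670".
        lhost, _, lport = local.rpartition(":")
        if not (lport.isdigit() and pid.isdigit()):
            continue
        yield {"proto": proto, "local_host": lhost, "local_port": int(lport),
               "remote": remote, "state": state, "pid": int(pid)}

def pid_for_source_port(text, port, proto="TCP"):
    """Return the PID that owns the given local (source) port, or None."""
    for row in parse_netstat(text):
        if row["proto"] == proto and row["local_port"] == port:
            return row["pid"]
    return None

def watch(port, tries=50, delay=0.2):
    """Poll `netstat -ano` (Windows) until the source port shows up."""
    for _ in range(tries):
        out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
        pid = pid_for_source_port(out, port)
        if pid is not None:
            return pid
        time.sleep(delay)
    return None
```

Start `watch(<source port>)` as soon as the connection appears in the capture, then look the returned PID up in Task Manager as the answer describes.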