October 9, 2003
By Karen Kenworthy
I seldom hear from Joe, boy genius and the world's best Internet Service Provider (ISP). Unless he has important news. So when his messages arrive in my e-mail inbox, they get immediate attention.
Good thing, too. A few weeks ago Joe wrote to tell me one of my computers was sending endless streams of data to randomly selected computers throughout the Internet. Joe acted quickly, blocking the errant traffic. But he wanted me to know one of my computers had gone rogue.
New LAN Monitor!
The problem turned out to be a laptop. I retired the computer over a year ago, when my new laptop arrived. But I left my faithful old friend powered on and connected to the network, so I could quickly retrieve any files I forgot to transfer to my new electronic buddy.
As the months passed, I accessed the old computer less and less. Finally, I completely forgot it was still running and online. Naturally, the computer didn't receive any of Microsoft's recommended security updates during this retirement. And this left the poor fellow vulnerable to one of the nasty network attacks that have been so much in the news lately. :(
All's well now. But the experience left me wondering. How many network connections do my computers make, without my knowing? What private conversations do they have, with computers on my local network, and across the Internet?
If this sounds like a good idea for a new Power Tool, we think alike. I went to work, pulled out my programming beanie with the plastic propeller, and wrote Karen's LAN Monitor.
This new program performs three important jobs. First, it examines your computer, detecting any and all network "adapters", and reports several important facts about each adapter it finds.
What is a network adapter? It's any piece of hardware that allows your computer to communicate with others of its own kind. Many adapters are "NICs" (Network Interface Cards), designed to let computers send and receive millions of bits per second over special network wiring or optical fibers. But a humble modem, connected to a local phone line, can be a network adapter too.
Many network adapters let computers communicate over cable TV lines. Increasingly, network adapters are sprouting antennae, turning them into electronic DJ's, spinning stacks of disks for our digital pleasure.
Whenever an adapter is found, the LAN Monitor displays several important bits of information. These include:
Speed: The number of bits per second the adapter can send or receive.
MTU: Maximum Transfer Unit, or the most bytes the adapter can send in a single transmission. Larger messages must be broken down into two or more parts, each containing no more than "MTU" bytes.
MAC Address: Also called the adapter's Physical Address, this 48-bit binary number uniquely identifies the adapter. No two adapters, in all the world, share the same MAC address.
DHCP Enabled: This setting tells us if the adapter receives its Internet Address (IP Address) and other settings from a special DHCP (Dynamic Host Configuration Protocol) server. Computers using dial-up, cable modem and DSL connections usually rely on DHCP servers at their Internet Service Provider. Computers connected to corporate networks often use company-owned DHCP servers.
DHCP Server: If DHCP is enabled, this reveals the IP Address of the DHCP server that assigned our computer's settings.
Lease Obtained, Lease Expired: The configuration information provided by a DHCP server is valid for only a short time -- usually several hours to a few days. These two entries show when the current configuration information was obtained, and when it expires and must be renewed.
Default Gateway: Our computer can directly access other computers on the same local area network (LAN). But it needs help when communicating with a computer elsewhere on the Internet, or on a different LAN. This help comes from well-connected relay devices called "Gateways" -- computers or routers with multiple network adapters. Their extra adapters allow gateways to communicate directly with computers and networks our computer can only dream about.
Adapter fun facts are great. But the LAN Monitor has much more important work to do. Once it's determined how your computer communicates, it can monitor those dialogs, detecting and identifying each connection!
Just click the program's Display button, and you'll soon see a list of all active computer-to-computer connections. Under the heading "Remote Computer" you'll see the name of each computer who has your computer's attention. These may be web sites you're visiting, e-mail servers where your messages are stored, or a computer on the LAN whose printer or disk drive your computer uses.
You'll also see "Domain Name Servers", computers that convert human-readable computer names into a computer's numeric IP (Internet Protocol) address. If your computer occasionally connects to a remote service, to obtain the exact time of day, you'll see those connections come and go. Right now, my copy of LAN Monitor is reporting two connections to the karenware.com web site, allowing me to edit web pages and upload new files.
In addition to the remote computer's name and IP address, you'll also see the "ports" used by each connection.
What's a port? As you'll recall, every computer attached to a LAN or the Internet must have an "IP address". This number uniquely identifies your computer, the same way your street address uniquely identifies your home.
All mail arriving at your house bears your home address. After all, that's how the postman knows to bring the letter to you. Likewise, all network messages reaching your computer contain your computer's IP address.
Your computer's address also appears in every outgoing message. Like the return address on mail you send from home, this address allows recipients to reply to your computer's missives.
IP addresses are vital. Without one, your computer couldn't take part in the world-wide, or LAN-wide, party lines we call networks. But an IP address by itself isn't enough. To see why, let's look again at good old paper mail.
When a letter arrives at home, it sports more than just your street address. In most cases, it also has the name of a particular person living at that address. This allows senders to direct their bills, love letters, reminders, and catalogs to specific people -- the ones who most need the information being sent, and can understand its contents.
You may want to check, but you probably don't have people living inside your computer. However, several programs do call your bit box their home. In fact, when you come right down to it, computers don't do much talking. It's the programs inside a computer that communicate with one another.
So, how does a program on your computer contact a particular program running on another computer? It borrows an idea from the postal service. In addition to the remote computer's IP address, your program's outgoing data includes a "port" -- a 16-bit number that names the type of software that should receive and process the message.
An organization called IANA (Internet Assigned Numbers Authority) allocates ports. For example, IANA decrees that web server software should respond to incoming messages sent to port number 80.
Of the 65,536 possible numbers, ports from 0 through 1,023 are called "Well Known Ports". Originally, these were used to identify common network programs, such as e-mail servers (port 25 for programs that relay outgoing e-mail, port 110 for programs that deliver incoming messages).
Today, many of these ports are obsolete, or at least not as common as they once were. For example, port 70 is reserved for "Gopher", a file location service popular in the early days of the Internet. Programs that provide randomly chosen words of wisdom, called "Quote of the Day", can be contacted at port 17.
Ports between 1024 and 49151 are called "Registered Ports". For the most part, these are reserved by various companies for a particular program or purpose. For example, Microsoft's SQL Server listens for messages addressed to port 1433, while their X-Box video game uses port 3074. Need to contact a program that supports the "Reverse Gossip Transport"? Try port 1431.
The remaining port numbers, from 49152 through 65535, are called Dynamic or Private Ports. Send a message to one of these ports, and there's no telling what sort of program will respond. Often, these ports are used by custom programs that run on a company network. You'll also see these ports used by your computer, to temporarily identify one of your programs when making an outgoing connection.
The official list of port assignments is updated regularly. You can view or download a copy from IANA's web site at:
Or you can let the new LAN Monitor interpret your port numbers. It recognizes all Well Known Ports, and most common Registered Ports. When a network connection uses one of these ports, the LAN Monitor displays the port's name instead of its number.
New URL Discombobulator
There's a lot more to tell about the new LAN Monitor. Like its ability to display real-time communication statistics, the meaning of "loopback" adapters, how the LAN Monitor uses "multiple threads", and more. But those discussions will have to wait. Before you go, I want to tell you about a new update of the URL Discombobulator program.
Two years ago I wrote this Power Tool for my friend, busy Bob. As long-time readers will recall, the program decodes deliberately deceptive web addresses, used by folks who want to conceal their identity or location.
For example, can you guess where this link will take you?
If you guessed Microsoft's web site, www.microsoft.com, you guessed right. The percent signs and numbers are a special way of encoding the characters "www.microsoft.com" - a code understood by all web browsers, but few humans.
That was fun! Let's play again. Look closely at this link. See if you can guess where it points:
Did you guess Microsoft again? If so, this time you're wrong. The URL shown above actually tries to take you to a non-existent site named "IwantToStealYourMoney.com"!
The new URL Discombobulator uncovers this trick in two ways. First, it decodes the percent signs and numbers, used to hide the URL's true text. Once done, the URL shown above becomes:
Next, the new Discombobulator dissects the decoded URL, separating the individual parts that form the address. Here's the breakdown for our sneaky URL:
Protocol: http (web page)
User Logon: www.microsoft.com
Computer Name/Web Site: IwantToStealYourMoney.com
Surprised? This trick takes advantage of a little-known URL field, the user logon. Looking at the URL, many humans see the text immediately following the "//" characters, and think it's the name of the computer or web site.
But if the URL contains an "at sign" ("@"), the text between the "//" characters and the "@" is actually a user name, used when logging onto the web site. The actual name of the site follows the "@".
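The two steps described above (decoding the percent signs, then separating the user logon from the real site name) can be sketched in a few lines of Python. This is an added example, not the URL Discombobulator's Visual Basic source; the names dissect, encode_all and looks_deceptive are hypothetical, and the sample links are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# A dotted name such as "www.example.com": the shape a host name has.
HOSTNAME_SHAPE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def encode_all(text):
    """Percent-encode every character, the way an obfuscated link might."""
    return "".join(f"%{ord(ch):02X}" for ch in text)


def dissect(url):
    """Return the protocol, user logon and real host of a URL, decoded."""
    # Split on the raw text first, then decode each field, so an encoded
    # "@" or "/" is treated as data and cannot move a field boundary.
    parts = urlsplit(url)
    user = unquote(parts.username) if parts.username else None
    host = unquote(parts.hostname or "").lower()
    return {
        "protocol": parts.scheme,
        "user_logon": user,
        "host": host,
        # A logon that is itself shaped like a host name is the lure.
        "looks_deceptive": bool(user and HOSTNAME_SHAPE.match(user)
                                and user.lower() != host),
    }


# Constructed samples (not the links from the newsletter).
DECEPTIVE = ("http://" + encode_all("www.microsoft.com")
             + "@IwantToStealYourMoney.com/")
ENCODED_ONLY = "http://%77%77%77.microsoft.com/"
PLAIN_LOGON = "http://alice@files.example.com/"

if __name__ == "__main__":
    for sample in (DECEPTIVE, ENCODED_ONLY, PLAIN_LOGON):
        print(sample)
        for field, value in dissect(sample).items():
            print(f"    {field}: {value}")
```

The host is reported in lower case because host names are case-insensitive; the user logon keeps its original case.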
Lots of crooks are exploiting these sorts of tricks. They use seemingly harmless links to lure unsuspecting folks to nefarious sites. The next time you're tempted to follow a suspicious link found in an e-mail message or on a web site, let the URL Discombobulator work its magic. You just might decide to stay at home. :)
If you'd like to put the new URL Discombobulator to work, or check out the new LAN Monitor, drop by their home pages at:
As always, they're both free for home use. And if you're a programmer, download their free Visual Basic source code too. Some of it's pretty interesting, if I do say so myself. :)
Better yet, get the latest version of every Power Tool, including the new LAN Monitor and URL Discombobulator, on a shiny CD. The disc also contains three bonus Power Tools not available anywhere else. You'll find the source code of every Power Tool, every back issue of my newsletter, and even some of my original Windows Magazine articles! The CD also includes a special license that lets you use your Power Tools at work.
Buying a CD is also the easiest way to support the KarenWare.com web site and this newsletter. To find out more, visit:
Until we meet again, keep your software up-to-date. Don't let your computers hang out with computers you don't know. And if you see me on the 'net, be sure to wave and say "Hi!"