Network traffic .. what for??

[klugschwätzer]

Hi everybody.

I recently observed that the Everything.exe has two processes in the Windows ressource monitor using network traffic. About 1000 B/s only in all, but this all the time. So this has noting to do with an update check or other.

Unexplained traffic always is suspicious so I would like to know where this traffic comes from. Is it really necessary?

Any thoughts?

Many thanks.

[therube]

Perhaps communication between the UI & the service?

I'm not seeing anything, at the moment at least, with Process Hacker.

[klugschwätzer]

Strange.

I'm on Version 1.3.3.658 (x64) btw.

I restarted the service. Jumped to 5000 B/s then decreased to about 1000 again.

[klugschwätzer]

Nobody?

I have deinstalled it as a precaution as this is unacceptable.

Sadly I'm not able to dig deep enough to understand what data are transmitted all the time.

[therube]

I assume you're running the service?

Disable the service, then run it without (you'll then need to "Run As Administrator") & see if your situation changes?


Maybe one of these small utilities can help point out to you what's going on, http://www.nirsoft.net/network_tools.html ?
(I don't really know such things, but perhaps NetworkTrafficView as a start?)

[klugschwätzer]

There is no traffic with the service disabled.

Mhhh.

Strange. What exactly is the traffic good for then?

[therube]

Wonder if an Antivirus or similar program might be affecting things?

[klugschwätzer]

Wonder if an Antivirus or similar program might be affecting things?

How could an antivirus software affect the process Everything.exe in said manner?


Am I really the only one that can reproduce this?

[daspud]

What are you using to see the network traffic? I can try to take a look and see if it is happening on my system.

[klugschwätzer]

With the service running look in the network listing in the Windows ressource monitor. http://en.wikipedia.org/wiki/Resource_Monitor

I turned the service back on again and the traffic is back again. It's on port 15485 which has something to do with the service, but also on port 49162.

[daspud]

I see the listening port, but no traffic. Sorry, but I don't know what it is for.

[klugschwätzer]

Strange.

Just a picture proof so that no one thinks I'm imagining things.

[mooms]

I think it is local traffic only.

If you use CurrPorts (from Nirsoft) or TCPView (from Sysinternals/Microsoft), you can see a lot of connections initiated by Everything, but they are on 127.0.0.1 (local machine).
Don't know why there is so much connections though. If you close Everything client, connections are closed.

[klugschwätzer]

You are right. Seems local. But why at all?

And why isn't everybody seeing this?

[raidsa]

"Capture the traffic and take a look" would be my first thought,

[void]

Everything uses the loopback adapter to communicate between the client and service.

Traffic over the loopback adapter is strictly local only.

You can confirm this by running a command prompt and typing:

Code: Select all

netstat -abn

You should see something like:

Code: Select all

 TCP    127.0.0.1:15485        0.0.0.0:0              LISTENING
[Everything.exe]
 TCP    127.0.0.1:15485        127.0.0.1:49185        ESTABLISHED
[Everything.exe]
 TCP    127.0.0.1:49185        127.0.0.1:15485        ESTABLISHED
[Everything.exe]

127.0.0.1 is the loopback adapter.

If you do not want Everything to use any local network traffic, the service can be disabled from Tools -> Options -> General.
However, you will need to run Everything as administrator if you wish to index NTFS volumes.