Active Connections and svchost using 97%? (Logscreen included)

Could someone take a look at this log of my active connections? I was using Firefox when it suddenly became very slow to connect. When I looked at the Traffic icon in the main interface it stated that svchost was using 97% and Firefox 3%. I then opened my active connections log and found the following entry for svchost in the log file below. Can anyone explain if this is normal behaviour or what I should do? I have svchost.exe set to outgoing only in the rules. Ports 67 & 68 were to do with DHCP and used to allow my ISP to renew my IP address. I have a rule set to allow this traffic as my first rule in Global Rules. Why is svchost using this port set?

[attachment deleted by admin]

What, no-one has any idea what the entry in the log means?

Just a guess on my part, but it looks like router traffic.

Is this behaviour consistent? I mean does it happen each time and constantly when using FF? Does it stop when FF stops? The reason I ask is that svchost serves many masters.

Hi, thanks for the replies. I have no router, just a single home PC with a fast ethernet cable modem connection. Prior to today I have never seen this particular entry before. I have several svchost entries as you can see from the log but they have always been just listening previously. I had a Comodo update yesterday so don’t know if that has to do with it. When I am not online like earlier this evening it says 100% svchost and just now when I took the screenshot in this post as you can see it is 98.9% svchost and 1.1% Firefox. It varies up and down but I don’t understand the UDP listing and what is it transferring out and in? Appreciate any help with this.

[attachment deleted by admin]

I can’t say this for certain but I assume that the Traffic information in the main screen is cumulative in nature. So if something is being watched longer it will, roughly speaking, get a bigger percentage. So, if svchost was very active before you fired up FF it may take a while to even out.

Thanks again for your reply EricJH,
It doesn’t seem to have slowed my internet connection. It is just that I have never seen that particular entry with actual traffic in and out and the UDP listing; all my other svchost are TCP and listening without ever connecting to anything as far as I know. Is it normal behaviour and is it safe enough to leave it as it is?

Hi bluesjunior.

The behaviour you are seeing in the first screen shot is generally perfectly normal. I have one question, however. When this screen shot was taken, had you just restarted your PC or reconnected to the Internet?

The reason for my question is this. Typically one would see this specific configuration in one of the two situations mentioned above. Your client does not yet have an IP address and doesn’t know where to get one. So it starts off with an address of 0.0.0.0 and uses a multicast 255.255.255.255 to find a DHCP server.

After you obtain an address, your client periodically checks with a DHCP server to make sure the address it has is still OK to use. In this situation (a DHCP Renewal) it would be more common to see specific IP addresses as opposed to the generic ones in your screen shot.

As for why the slowdown occurred, it’s possible (and may also explain the screen shot) that you had a very temporary outage; maybe your ISP was busy right at the second svchost decided to check on its DHCP settings…

The second screen shot only shows 2 outbound connections, Firefox and svchost. I assume that fx was doing very little at the time, but svchost was busy doing the things svchost does. Hence the greater percentage of activity being shown for that process.
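As an added illustration (not part of the original thread or any poster's reply), the distinction drawn in the post above between a first-time DHCP lookup and a renewal can be applied to connection rows like this. The row layout, the sample addresses and the `known_servers` list are assumptions constructed for the example; on Windows the lease's DHCP server is shown by `ipconfig /all`.

```python
import ipaddress

BROADCAST = ipaddress.IPv4Address("255.255.255.255")

# Constructed sample rows: "PROTO local_ip:port remote_ip:port".
# This layout is an assumption, not the firewall's real export format.
SAMPLE_ROWS = [
    "UDP 0.0.0.0:68 255.255.255.255:67",    # no address yet, looking for a server
    "UDP 192.0.2.25:68 192.0.2.1:67",       # renewal sent to the lease's server
    "UDP 192.0.2.25:68 198.51.100.9:67",    # DHCP ports, but an unexpected server
    "UDP 192.0.2.25:49152 203.0.113.7:53",  # not DHCP at all
    "TCP 192.0.2.25:68 192.0.2.1:67",       # DHCP does not run over TCP
]

def parse_endpoint(text):
    """Split 'a.b.c.d:port' into (IPv4Address, int)."""
    host, _, port = text.rpartition(":")
    return ipaddress.IPv4Address(host), int(port)

def classify(row, known_servers):
    """Label one connection row from the DHCP client's point of view."""
    proto, local, remote = row.split()
    (l_ip, l_port), (r_ip, r_port) = parse_endpoint(local), parse_endpoint(remote)
    # A DHCP client sends from UDP port 68 to UDP port 67.
    if proto.upper() != "UDP" or (l_port, r_port) != (68, 67):
        return "not-dhcp-client"
    if r_ip == BROADCAST:
        # 0.0.0.0 as the source means no lease is in use yet (boot/reconnect).
        return "discover" if l_ip.is_unspecified else "broadcast-with-lease"
    if r_ip in known_servers:
        return "renewal"
    return "unknown-server"  # worth checking against the lease details

def triage(rows, known_servers):
    """Return (row, verdict) pairs; known_servers is a list of IP strings."""
    servers = {ipaddress.IPv4Address(s) for s in known_servers}
    return [(row, classify(row, servers)) for row in rows]

if __name__ == "__main__":
    for row, verdict in triage(SAMPLE_ROWS, ["192.0.2.1"]):
        print(f"{verdict:22} {row}")
```
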

Thanks for the reply Quill,
Yes, you are correct, I had just signed into my account a few minutes prior to taking screen shot and posting. It was just that for some reason yesterday it didn’t change after a while to Firefox having the highest percentage and svchost the least. As you say this usually happens the longer you are on line. The temporary slowdown was I am sure a co-incidence as this event hasn’t interfered any more apart from the time prior to my first post. This morning when I was on the PC between 9-11am it was the same as the last screen shot but when I signed in again this afternoon about 10 mins ago my traffic screen is showing a more normal info image. I just wanted to make sure it was normal activity and as long as I know that it is I won’t bother about it. I worried if somehow svchost had been compromised in some way although my AV and Anti-spyware scans tell me my PC is clean.

[attachment deleted by admin]

I believe you’re safe, bluesjunior. It all looks like pretty normal traffic to me.

If you find you want to keep a closer eye on things, you can always use:

TCPView for Windows

or

CurrPorts : Monitor TCP/IP network connections on Windows

Both are much more detailed than our own little CIS connection viewer.

Thanks for the links Quill. I shall read them, download them and see what they say.