
Logging packets on a dial-up connection

Wireshark has been around for years, but with win7 onwards they have removed the ability to monitor anything other than (basically) ethernet or wifi packets. Stuff like DUN, GPRS or 3G cannot be logged and that includes anything connected over bluetooth PPP.

I am still trying to find out why the Lenovo win8 tablet downloads a few hundred k when one goes online. It messes up the satphone connection pretty well.

A firewall is not a practical answer in this case (AFAICS) because the weather website one goes to can invoke other URLs, so one would have to enable their individual IPs also, and these could change anytime.

I would rather find out which process is causing this. It isn’t IE10 itself because I have seen the problem without launching any app at all. Just going online is enough.

Edit: I found something in the win8 Perf Monitor. The data is caused by processes like this

It occurs to me that none of this crap should even be trying to go out on the internet!

What I can’t see is the name of the process. If I had that, I could block it in the firewall, by the app name – just like one blocks apps which covertly go online for naughty purposes.

Last Edited by Peter at 21 Mar 23:21
Administrator
Shoreham EGKA, United Kingdom

A good explanation is here, including how to identify the services/processes started by svchost.exe instances, and how to stop these services if you don’t need them.

LRSV, Romania

A firewall is not a practical answer in this case (AFAICS) because the weather website one goes to can invoke other URLs, so one would have to enable their individual IPs also, and these could change anytime.

Connecting a PC to a satphone without a firewall limiting the traffic will never work well. And for this particular reason I have designed my weather site to handle all traffic through a single connection, no pointers to external sites.

If it’s not the browser couldn’t you configure the browser to connect to a proxy and block all connections other than to the proxy?

Now if only you had a server somewhere which could run a Web proxy…

Administrator
EGTR / London, United Kingdom

Sure could…

However I would like to run some other progs too e.g. email. But yes I suppose those could be specifically permitted.

I am getting there. It is svchost.exe, but blocking that doesn’t stop it, so it is some process which that is launching, PID 1424. I don’t see that one can set a firewall rule just for PID 1424, however.

Achim – I wonder if your earlier report of Thuraya’s GPRS service not working for the first minute or two was exactly this problem. If I let the tablet download 100-300kbytes, then it goes quiet and everything works fine.

WUDFHost.exe was a big user of data, over remote connections. I blocked it, but svchost.exe remains.

Last Edited by Peter at 22 Mar 10:09
Administrator
Shoreham EGKA, United Kingdom
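Added here as an example, not Peter’s setup or any code from the thread: a Windows firewall rule cannot be tied to a PID, but it can be tied to the service running inside an svchost.exe instance, so the PID can be resolved to its service name(s) and the block rule written against those. Assumes Windows 8 or later with the NetSecurity cmdlets; the PID 1424 is the one quoted in the post above, and $InterfaceType is an assumed parameter.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell on
# Windows 8 or later. Resolves a PID to the service(s) it hosts, shows what they
# are connected to, then blocks those services only on remote-access (dial-up,
# PPP) interfaces. 1424 is the PID quoted above; PIDs change after every reboot.
param(
    [int]$TargetPid = 1424,
    [string]$InterfaceType = 'RemoteAccess'   # 'Any' would also block it on Wi-Fi
)

# 1. Which service(s) does this PID host? Win32_Service records the ProcessId of
#    the svchost.exe instance each service runs in. One instance may host several,
#    so review the list before blocking all of them.
$services = Get-CimInstance Win32_Service -Filter "ProcessId = $TargetPid" |
    Select-Object Name, DisplayName, StartMode, PathName
$services | Format-Table -AutoSize

# 2. What is it talking to right now? (Active TCP connections owned by the PID.)
Get-NetTCPConnection -OwningProcess $TargetPid -State Established -ErrorAction SilentlyContinue |
    Select-Object RemoteAddress, RemotePort, CreationTime |
    Format-Table -AutoSize

# 3. Block each hosted service on dial-up interfaces only. -Service restricts the
#    rule to that service's traffic even though the program is the shared
#    svchost.exe, which is what a plain per-program rule cannot do.
foreach ($svc in $services) {
    New-NetFirewallRule -DisplayName "Satphone block: $($svc.Name)" `
        -Group 'Satphone' `
        -Direction Outbound -Action Block `
        -Program '%SystemRoot%\System32\svchost.exe' `
        -Service $svc.Name `
        -InterfaceType $InterfaceType | Out-Null
}

# 4. Review what was created. Disable-NetFirewallRule -Group 'Satphone' reverts it.
Get-NetFirewallRule -Group 'Satphone' | Select-Object DisplayName, Enabled, Action
```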

Update:

I have solved the issue pretty well, with the following firewall outbound rules:

Block 255.255.255.255 (broadcast) on remote access connections
Block java.exe (blocks java auto updates, which cannot be disabled in win8)
Block port 5852 (adeona tracking app – the actual app is nowhere to be found on the machine!)
Block spoolsv.exe on remote access connections
Block trueimage monitor (dirty covert activity there)
Block wudfhost.exe

There is still stuff under process ID 1424 but I can’t find which process that is.

It leaves some little bits which transfer about 5k bytes total (up+down) but that is only 5 secs even on the slowest Thuraya satphone connection.

And by removing Bing from IE, which is not possible unless you first install another search engine; only then does the Delete option appear on Bing. It is an outrageously dishonest thing by Micro$oft that Bing covertly transfers many kilobytes even when absolutely every option in IE (IE10 in my case) and every add-on and every plug-in have been disabled. I was tempted to install FF or Chrome but there is no assurance that they won’t do the same thing.

The more basic point to note here is that with Thuraya you can get away with a few k being transferred spuriously, when the connection initially opens. With Iridium, those 5k, plus a few more k for even a compact wx site, would be a much bigger problem, so one has to go for a dedicated solution which doesn’t use a browser of any kind.

Last Edited by Peter at 22 Mar 13:22
Administrator
Shoreham EGKA, United Kingdom

Instead of blocking certain things that you know to cause traffic, it would be much easier and better to block everything and only allow what you want. Then you turn on the firewall before you establish your sat connection and turn it off afterwards.

The moment you go airborne with your setup, another process will start transferring data which you haven’t discovered yet.

Logically you are right, but I suspect I have found the main culprits.

I have done a lot of testing today. Fortunately the spurious data is the same on connections which don’t cost me any money to run (e.g. bluetooth to Nokia 3G contract, or the built-in T-M 3G at £1/day) which made it a lot more efficient to test stuff. But having just checked the account balance I still spent $140 on Thuraya’s airtime debugging and re-checking it!

As you know I have two private wx sites. One of them delivers tafs/metars within seconds, but some of the data comes from some other URLs. The other is a lot more efficient, but when its cache needs refreshing (which happens to me much of the time, and highly likely always the 1st time I use it after some time) it does nothing for 1-2 minutes with no indication of whether the GO button has done anything, etc.

What I have now is also usable for other stuff e.g. email.

Unless one finds a means of enabling/disabling firewall rules using easy buttons, it’s actually quite a lot of work going in there each time and changing the firewall rules.

WinXP didn’t have these stupid issues. This is Micro$oft win8-bloat. Had I been able to put XP on the tablet I would have done.

Apparently win7 is just as bad when it comes to spurious traffic.

But iOS does the same so there is no free lunch (though I would hope there are no “covert” large downloads). This issue is going to have to be solved one way or another no matter what the client device is.

Administrator
Shoreham EGKA, United Kingdom

Unless one finds a means of enabling/disabling firewall rules using easy buttons, it’s actually quite a lot of work going in there each time and changing the firewall rules.

The Windows 8 firewall supports multiple profiles and you can switch between them with one (or two?) clicks.

WinXP didn’t have these stupid issues.

Neither did MS-DOS 1.0. I think Windows 8.1 is the best Windows ever, but personally I only use Windows when I get paid for it, which still happens quite frequently, unfortunately.

But iOS does the same so there is no free lunch (though I would hope there are no “covert” large downloads). This issue is going to have to be solved one way or another no matter what the client device is.

I noticed iOS downloads important updates (such as the recent SSL fix) without asking, in the background. Also it has a generic message polling system that applications use to notify you which causes unnoticed traffic.

I wouldn’t use your positive identification and blocking approach but instead block everything but a few specific exceptions. You will never identify everything. Some stuff only goes off once a week or so (e.g. Adobe update checker) and it is guaranteed to happen when you’re in IMC approaching an embedded CB and trying to get a picture off Thuraya.

I wonder if your earlier report of Thuraya’s GPRS service not working for the first minute or two was exactly this problem. If I let the tablet download 100-300kbytes, then it goes quiet and everything works fine.

It just tends to not transmit anything for some time; GmPRS appears to need some warming up. But with a good setup with a firewall, you can start it on the ground and keep it going for the whole flight and it won’t cost you anything at all.
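Added here as an example, not code from anyone in the thread: the “block everything and allow a few exceptions” approach recommended in the replies above, wrapped in a one-command On/Off toggle so the rules do not have to be edited by hand before and after each satphone session (the “easy buttons” problem raised earlier). Assumes Windows 8 or later with the NetSecurity cmdlets; the program paths and the Satphone rule group name are assumptions, and Add-RuleOnce is a helper defined in the script.

```powershell
# Added example, not code from the thread. Default-deny outbound with a small
# allow-list, switchable with one command. Run in an elevated PowerShell on
# Windows 8 or later. Program paths below are assumptions; substitute the
# browser and mail client you actually use.
param(
    [Parameter(Mandatory = $true)][ValidateSet('On', 'Off')][string]$Mode,
    [string[]]$AllowedPrograms = @(
        'C:\Program Files\Internet Explorer\iexplore.exe',
        'C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe'
    ),
    [string]$Group = 'Satphone allow-list'   # assumed group name for the rules
)

function Add-RuleOnce([string]$Name, [hashtable]$Params) {
    # Idempotent: re-running the script must not pile up duplicate rules.
    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name -Group $Group -Direction Outbound `
            -Action Allow -Profile Any @Params | Out-Null
    }
}

if ($Mode -eq 'On') {
    foreach ($exe in $AllowedPrograms) {
        Add-RuleOnce "Satphone allow: $(Split-Path $exe -Leaf)" @{ Program = $exe }
    }
    # Name resolution must be permitted explicitly or nothing else will work once
    # the default becomes Block. The built-in Core Networking DNS rule usually
    # covers it, but an explicit rule does not depend on that being enabled.
    Add-RuleOnce 'Satphone allow: DNS' @{ Protocol = 'UDP'; RemotePort = 53 }
    Enable-NetFirewallRule -Group $Group
    # Default-deny outbound: anything without an Allow rule (Java updater, Bing,
    # WUDFHost, the unidentified svchost.exe) is dropped without having to name it.
    Set-NetFirewallProfile -All -DefaultOutboundAction Block
} else {
    # Back to normal behaviour once the sat connection is closed.
    Set-NetFirewallProfile -All -DefaultOutboundAction Allow
    Disable-NetFirewallRule -Group $Group
}
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
```

Built-in outbound Allow rules that are already enabled still match under the Block default, so review them with Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow and disable any you do not want on the sat link.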

Adobe update checker

Yes – I don’t have any Adobe software on this machine. It is now just win8 and some apps. The apps can be blocked in the firewall if necessary.

Administrator
Shoreham EGKA, United Kingdom