We have an ACL on our routers that does not let anything go to certain Chinese IP blocks. We feel that the blocked range of IP addresses is up to no good. OK, so one of the admins looks in the router and sees that three computers are trying to get to the addresses. They are sending SYN requests, and since the IP is being blocked in the router, nothing happens. Another admin creates a VLAN so we can mimic the server, and I use the WHAX security disk to run a webserver and Ethereal to see what is happening. It looks like it might be spyware, but I am not sure. We run Symantec Client Security on the clients, but the logs only tell me that the connection was created from the client to the webserver.
Here is my question: I want to know what program on the server is sending the offending requests. Is there any software on the internet for Windows that will capture when a program opens a socket and log that information? I want to log when a connection is made on the client and what is creating the connections.
Thanks
-GA
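One way to answer the question above with tools already on the Windows client: `netstat -ano` lists every socket with its owning PID, and `tasklist /FO CSV` maps PIDs to image names. The script below is an added example, not code from the original post or from any product mentioned in it. It parses constructed sample output from both commands (the addresses, PIDs and process names are made up; `203.0.113.0/24` stands in for the blocked Chinese range), matches the remote address of each connection against the blocked CIDRs, and reports the owning process. Run it with `--live` on a Windows host to use the real command output instead of the samples.

```python
"""Map outbound connections to a blocked IP range back to the owning Windows process.

Added example, not from the original post. Assumes the output formats of
`netstat -ano` and `tasklist /FO CSV`; the sample text below is constructed.
"""
import csv
import io
import ipaddress
import subprocess
import sys

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.50:1234      203.0.113.77:80        SYN_SENT        1588
  TCP    192.168.1.50:1235      192.168.1.10:445       ESTABLISHED     4
  TCP    192.168.1.50:1236      203.0.113.200:8080     ESTABLISHED     1588
  UDP    0.0.0.0:500            *:*                                    1024
"""

# Constructed sample of `tasklist /FO CSV` output.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","912","Console","0","5,000 K"
"System","4","Console","0","236 K"
"updater.exe","1588","Console","0","3,212 K"
"lsass.exe","1024","Console","0","1,500 K"
'''

# Hypothetical blocked range; substitute the CIDRs from the router ACL.
BLOCKED_CIDRS = ["203.0.113.0/24"]


def split_host_port(addr):
    """Split 'host:port' or '[v6]:port' into (host, port); handles '*:*'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples from `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner and header lines
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        else:
            proto, local, remote, pid = parts  # UDP rows have no State column
            state = ""
        rows.append((proto, local, remote, state, int(pid)))
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def find_offenders(netstat_text, tasklist_text, blocked_cidrs):
    """Return connections whose remote address falls inside any blocked CIDR."""
    nets = [ipaddress.ip_network(c) for c in blocked_cidrs]
    pid_to_name = parse_tasklist(tasklist_text)
    hits = []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        host, _port = split_host_port(remote)
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # '*' or a hostname, not a numeric address
        if any(ip in n for n in nets):
            hits.append({"proto": proto, "local": local, "remote": remote,
                         "state": state, "pid": pid,
                         "process": pid_to_name.get(pid, "<unknown>")})
    return hits


def live_snapshot():
    """Run the real commands (Windows only) and return their text output."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/FO", "CSV"], capture_output=True, text=True, check=True).stdout
    return ns, tl


if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        netstat_text, tasklist_text = live_snapshot()
    else:
        netstat_text, tasklist_text = SAMPLE_NETSTAT, SAMPLE_TASKLIST
    for h in find_offenders(netstat_text, tasklist_text, BLOCKED_CIDRS):
        print(f"{h['process']} (PID {h['pid']}) {h['proto']} {h['local']} -> {h['remote']} {h['state']}")
```

Because the router drops the SYNs, a real client only shows the connection in SYN_SENT for a few seconds, so poll in a loop; with the mimic webserver on the VLAN accepting the connection it sits in ESTABLISHED and is easy to catch. On XP SP2 and later, `netstat -bno` prints the executable name directly, and Sysinternals TCPView shows the same process-to-endpoint mapping live.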