
Windows 10 Pro - Idle

Product: Windows 10 Pro 64-Bit with Anniversary Update
Platform: PC (in Hyper-V VM)
Hardening: Default / Express Settings
Scenario: Microsoft Account Connected User on Idle


Windows 10 Professional was installed using installation media downloaded via the Media Creation Tool, which was acquired from the Microsoft website. It was installed on a VM managed by Hyper-V running on Windows 10 with Anniversary Update. During installation, "Express Settings" were chosen, but Cortana was not enabled. After installation, all updates (including the Windows 10 Anniversary Update) were installed. After several reboots and after confirming there were no more pending updates or reboots, the machine was connected to a Microsoft Account using a test user. No further settings were changed. Afterwards, the machine was rebooted one last time and the connected user was logged on. The capture was performed on the host machine using the latest available version of Wireshark. During the capture, the machine was left untouched at idle.


Windows 10 aims to provide a rich user experience, and to serve that goal it makes as many connections to the Internet as it finds necessary. Using the default configuration and an empty connected user account (currently with no email, OneDrive documents, etc.), Windows made connections to 14 different countries, to which it sent more than 16 MB of data. What is a little surprising is the high number of distinct destination addresses. Endpoints were related to telemetry, software updates, licensing, certificate management, applications and their push-notification infrastructure, OneDrive, and some traffic we were not able to identify with high confidence. However, we did not notice any red flags in this configuration. Please keep in mind that this is a professional product in its default, consumer-oriented configuration. Windows 10 is highly customizable thanks to a variety of configuration options and can be hardened quite a bit. We will soon test a fully hardened Windows 10 system. Hopefully, the results will be in line with what can be expected from a zero-exhaust machine, making it suitable for high-sensitivity use.


Capture summary fields: Duration of Capture, Start Date, Stop Date, Packets to Internet, Bytes to Internet, Total Countries (values not reproduced here).

Network Activities: number of packets and size in kilobytes

The chart below plots the total kilobytes sent to public Internet addresses over the entire capture period. Each data point is broken down by networking protocol, such as HTTP or FTP.

Although DNS queries are quite common, depending on your network topology you may not see DNS in the list below. The probable reason is that you use an internal DNS server. Some companies prefer running their own DNS servers because of the extra flexibility this gives. For home users, it is very common that the Internet router acts as the computer's DNS server. Since in both cases the DNS server is within your own network, DNS queries to it are not reported as traffic going to the Internet.

There are two fundamental reasons why the client sends data to the servers it communicates with:

1. In order to send correct and relevant data, servers must know the client's configuration. For example, to provide the updates that your computer needs, update servers need to know the version of your product as well as your hardware configuration.

2. Before downloading data, client and server exchange the specifics of the transfer. For example, at the beginning of the communication, client and server establish a transmission channel by exchanging their respective sequence numbers. Additionally, communication over a secure channel requires the collaboration of the client: the client sends the encryption protocols it supports, and states whether or not it agrees to the options offered by the server. Also, certain protocols like TCP require the client to acknowledge receipt of data sent by the server, so that the server knows whether it needs to retransmit. Although these ACK (acknowledgement) packets are small, they are frequent, adding up to the total traffic sent to the server.

Transmission Control Protocol (TCP) is the underlying transmission protocol for most Internet-bound packets. TCP is usually used as a transport mechanism for higher-level protocols (e.g. HTTP or FTP). We only report TCP if no higher-level protocol was detected.

User Datagram Protocol (UDP), similar to TCP, is another fundamental transmission protocol. UDP is usually used as a transport mechanism for higher-level protocols (e.g. DNS). We only report UDP if no higher-level protocol was detected.

Hypertext Transfer Protocol (HTTP) is the backbone of web traffic. Please keep in mind that although HTTP is best known for transferring data back and forth from web sites, it is commonly used as a general-purpose transfer mechanism when accessing web services (e.g. weather data, checking for and downloading updates, anti-virus definition downloads).

Network Time Protocol (NTP) helps keep your computer's time in sync with highly accurate atomic clocks.

File Transfer Protocol (FTP) is used for transferring files. It is commonly used for downloading updates.

Domain Name System (DNS) is used for resolving names to their IP addresses.

Please refer to Understanding Computer Networks for a more detailed explanation of how computer networks work and what the different types of packets do.

Hosts and Protocols: number of packets and size in bytes

The tables below list where your traffic goes and what kind of networking protocols are being used. What makes Traffic Hound based reports unique is the highly accurate hostname information. Most other tools either do a reverse-DNS lookup (which is unreliable because IP assignments change frequently and a reverse lookup may yield stale information) or only a superficial analysis of DNS packets captured earlier (which only yields CDN names instead of the intended destination). Traffic Hound performs a deep analysis of DNS traffic and extracts CNAME records so that the intended destination names can be reported.
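As an added illustration of the CNAME-chasing approach described above (example code written for this page, not Traffic Hound's own implementation), the following Python builds a constructed DNS response that uses name compression, parses it, and maps each returned IP address to the name the client originally asked for rather than the CDN name that finally carried the A record. The hostnames, IP addresses and transaction ID are constructed sample values.

```python
import socket
import struct

TYPE_A, TYPE_CNAME = 1, 5


def _encode_name(name, offsets, pos):
    """Encode a DNS name at message offset `pos`, emitting a compression pointer
    (RFC 1035 section 4.1.4) for any suffix that was already written."""
    out = bytearray()
    labels = name.rstrip(".").split(".")
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in offsets:
            out += struct.pack("!H", 0xC000 | offsets[suffix])
            return bytes(out)
        offsets[suffix] = pos + len(out)
        out += bytes([len(label)]) + label.encode("ascii")
    out += b"\x00"
    return bytes(out)


def build_response(qname, answers):
    """Build a constructed DNS response; answers are (owner, type, rdata) tuples
    where rdata is a target name for CNAME or a dotted IPv4 string for A."""
    offsets = {}
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0))
    msg += _encode_name(qname, offsets, len(msg))
    msg += struct.pack("!HH", TYPE_A, 1)                 # QTYPE=A, QCLASS=IN
    for owner, rtype, rdata in answers:
        msg += _encode_name(owner, offsets, len(msg))
        hdr_pos = len(msg)
        if rtype == TYPE_CNAME:
            msg += struct.pack("!HHIH", rtype, 1, 300, 0)  # RDLENGTH patched below
            target = _encode_name(rdata, offsets, len(msg))
            msg += target
            struct.pack_into("!H", msg, hdr_pos + 8, len(target))
        else:
            msg += struct.pack("!HHIH", rtype, 1, 300, 4) + socket.inet_aton(rdata)
    return bytes(msg)


def _read_name(msg, pos):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (end if end is not None else pos)


def parse_response(msg):
    """Return (question names, {owner: cname target}, {owner: [ipv4, ...]})."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos, qnames = 12, []
    for _ in range(qd):
        name, pos = _read_name(msg, pos)
        pos += 4                                       # skip QTYPE and QCLASS
        qnames.append(name)
    cnames, addrs = {}, {}
    for _ in range(an):
        owner, pos = _read_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == TYPE_CNAME:
            cnames[owner], _ = _read_name(msg, pos)
        elif rtype == TYPE_A and rdlen == 4:
            addrs.setdefault(owner, []).append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return qnames, cnames, addrs


def intended_destinations(msg):
    """Map each resolved IP to the name the client asked for, following the
    CNAME chain (with a guard against CNAME loops)."""
    qnames, cnames, addrs = parse_response(msg)
    result = {}
    for qname in qnames:
        name, seen = qname, set()
        while name in cnames and name not in seen:
            seen.add(name)
            name = cnames[name]
        for ip in addrs.get(name, []):
            result[ip] = {"intended": qname, "resolved": name}
    return result


# Constructed sample: the client asked for updates.example.com and the answer
# walked two CNAMEs to a CDN cache node before the A records.
SAMPLE = build_response("updates.example.com", [
    ("updates.example.com", TYPE_CNAME, "updates.example.com.cdn.example.net"),
    ("updates.example.com.cdn.example.net", TYPE_CNAME, "cache3.cdn.example.net"),
    ("cache3.cdn.example.net", TYPE_A, "198.51.100.7"),
    ("cache3.cdn.example.net", TYPE_A, "198.51.100.8"),
])

if __name__ == "__main__":
    for ip, names in intended_destinations(SAMPLE).items():
        print(ip, "->", names["intended"], "(via " + names["resolved"] + ")")
```

A reverse lookup of 198.51.100.7 would at best return the cache node's name; only the forward response, seen in the capture before the connection, ties the address back to updates.example.com, which is why a passive analyser has to keep the CNAME chain from every response it observes.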

Moreover, Traffic Hound extracts IPv6 from IPv4 Teredo tunnels, so that the real protocol information can be reported instead of plain UDP for all tunnelled IPv6 traffic.
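As an added example (not Traffic Hound's own code) of what extracting IPv6 from a Teredo tunnel involves, the following Python strips the optional Teredo indicator headers from a UDP/3544 payload, parses the encapsulated IPv6 header to report the real transport protocol and port, and decodes the server and client IPv4 addresses embedded in the Teredo source address. The sample datagram is constructed: its source address is the example address from RFC 4380, and the other addresses are from documentation ranges.

```python
import ipaddress
import socket
import struct

TEREDO_UDP_PORT = 3544                      # RFC 4380 service port
NEXT_HEADER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}


def strip_teredo_indicators(payload):
    """Remove the optional Teredo authentication and origin indication headers.
    Returns (inner IPv6 packet, origin) where origin is the (ipv4, port) pair
    from the origin indication, or None if that header is absent."""
    pos, origin = 0, None
    if payload[pos:pos + 2] == b"\x00\x01":            # authentication header
        id_len, au_len = payload[pos + 2], payload[pos + 3]
        pos += 4 + id_len + au_len + 8 + 1             # + nonce + confirmation byte
    if payload[pos:pos + 2] == b"\x00\x00":            # origin indication
        port = struct.unpack("!H", payload[pos + 2:pos + 4])[0] ^ 0xFFFF
        addr = socket.inet_ntoa(bytes(b ^ 0xFF for b in payload[pos + 4:pos + 8]))
        origin = (addr, port)
        pos += 8
    return payload[pos:], origin


def decode_teredo_address(addr):
    """Decode the fields embedded in a Teredo IPv6 address (2001:0000::/32):
    server IPv4, flags, and the XOR-obfuscated client port and IPv4."""
    if addr[:4] != b"\x20\x01\x00\x00":
        return None
    return {
        "server": socket.inet_ntoa(addr[4:8]),
        "flags": struct.unpack("!H", addr[8:10])[0],
        "client_port": struct.unpack("!H", addr[10:12])[0] ^ 0xFFFF,
        "client": socket.inet_ntoa(bytes(b ^ 0xFF for b in addr[12:16])),
    }


def classify_teredo(udp_payload):
    """Report the real protocol carried inside a Teredo datagram."""
    packet, origin = strip_teredo_indicators(udp_payload)
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_hdr = struct.unpack("!HB", packet[4:7])
    src, dst = packet[8:24], packet[24:40]
    inner = packet[40:40 + payload_len]
    info = {
        "origin": origin,
        "src": ipaddress.IPv6Address(src).compressed,
        "dst": ipaddress.IPv6Address(dst).compressed,
        "protocol": NEXT_HEADER.get(next_hdr, "proto-%d" % next_hdr),
        "teredo_client": decode_teredo_address(src),
    }
    if next_hdr in (6, 17) and len(inner) >= 4:      # TCP/UDP port pair
        info["src_port"], info["dst_port"] = struct.unpack("!HH", inner[:4])
    return info


def build_sample():
    """Constructed Teredo datagram: origin indication + IPv6/TCP SYN to port 443."""
    origin = (b"\x00\x00" + struct.pack("!H", 40000 ^ 0xFFFF)
              + bytes(b ^ 0xFF for b in socket.inet_aton("192.0.2.45")))
    tcp = struct.pack("!HHIIBBHHH", 50000, 443, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    src = ipaddress.IPv6Address("2001:0:4136:e378:8000:63bf:3fff:fdd2").packed  # RFC 4380 example
    dst = ipaddress.IPv6Address("2001:db8::1").packed
    ipv6 = struct.pack("!IHBB", 6 << 28, len(tcp), 6, 64) + src + dst + tcp
    return origin + ipv6


if __name__ == "__main__":
    for key, value in classify_teredo(build_sample()).items():
        print(key, "=", value)
```

Without this step the datagram would be counted as UDP to the Teredo relay; with it the report can attribute the flow to TCP port 443 and name the IPv6 destination, which is what a defender needs to judge whether tunnelled traffic is expected on a host.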


Traffic location geo-presentation

IP address geo-location is based on heuristics. Geo-location providers use a number of databases. A primary source for IP address data is the Regional Internet Registries: large, official organizations responsible for managing and distributing IP addresses in specific regions of the world. However, other sources are employed as well, some of which are trade secrets of the providers. Although some of these databases are high confidence, location resolution may sometimes need to fall back on less accurate, low-confidence resources.

We use an industry-standard IP geo-location service to resolve location information. It is one of the most respected service providers in this field. We frequently compare its results with competitors to ensure their accuracy.

The table below outlines the number of outgoing packets and bytes to each country.

Country | Total Packets | % | Total Bytes | %


The data below can be filtered dynamically by clicking on regions in the map above.

To (Geo Location) | To (Host Name) | To (IP) | Protocol | Total Bytes
