Windows 10 and telemetry: Time for a simple network analysis

Looking at the right data is the only way to understand what Windows 10 is really doing.
Written by Simon Bisson, Contributor

There's been a lot of discussion recently about the telemetry data that Windows sends back to Microsoft. There's also been a lot of bad data out there, data that can make it easy to draw some of the wrong conclusions.

When you need data, it pays to use the right tools. And when it comes to network traffic analysis, one of the best tools around is the free Wireshark. Using the WinPcap network drivers, it lets you see every packet that runs through a network adapter - including IPv6 traffic.

So if we're to get a picture of what data is being sent from a Windows 10 PC to Microsoft's telemetry servers, and how frequently, Wireshark was the tool I turned to. In order to capture a basic working set of network traffic data, I installed it on a Surface Pro 3 running the current main branch build of Windows 10 Pro. I could use the standard WinPcap drivers, as I was using a docking station - a set of USB WinPcap drivers is available if you're using a USB network card.

My network is relatively simple: a VDSL FTTC broadband router drops into a gigabit switch, with a mix of domain-joined and workgroup PCs, servers, and notebooks using both wired and wireless connections. That meant much of the traffic would be internal network operations, and I'd need to filter it out from my results. I also shut down as many services and applications as possible, so that I wouldn't drown out any telemetry HTTPS connections with my browser and other Internet and cloud applications. I left Windows 10's core functions running, including OneDrive and Windows Defender.

In order to get a baseline set of readings, I ran Wireshark initially for around 30 minutes, capturing over 130,000 network transactions. Of those, only 27 were to Microsoft's watson and telecommand servers at telemetry.microsoft.com.nsatc.net. Wireshark is able to resolve reverse DNS names for the IP addresses seen at your network card, alongside source and destination information and details of the protocols used.


Wireshark in action, monitoring connections from a Surface Pro 3.

You're also able to see the contents of any data delivered to a server, though in the case of Microsoft's Windows 10 telemetry this is encrypted using TLS v1.2, and so there's no way of actually seeing the content of a telemetry packet. However, as the average packet size is just over 3KB, it's clear that, once you allow for the encryption overhead, very little data is being sent to Microsoft.


Examining an encrypted telemetry packet in Wireshark.

Once my initial test run was complete, I exported data from Wireshark to Excel and applied various filters. Alongside around 98KB of telemetry data, much of the rest of the traffic to Microsoft was to its badly-named spyneteurope service, the SmartScreen servers used as part of the Windows Defender anti-spyware and anti-malware package. Another 72 packets, accounting for 160KB of data, were used by the Windows licensing service, which handles OS authorisation and Windows Store apps.

Data sent to Microsoft accounted for a small proportion of the 14600 packets and around 5MB of data passing through the network card of a relatively quiescent machine. Most of the data on my network was local file transfers and network announcements - it's amazing just how chatty a router can be, and how often a switch updates its spanning tree, and that's before we get into just how much data two parallel Windows networks need to run.


Using Excel to filter and analyse Wireshark data.

A second, much longer test recorded all the data on the same PC over a 12-hour period. Here I captured around 230000 packets, and around 12MB of data. Of those just 1134 packets were delivering any data to Microsoft, containing around 1.3MB of data. After filtering out instant messaging packets from Skype, and email from Outlook.com and Office 365, I was left with under 900 packets and less than 1MB of data. A lot of the data remaining is authentications against my Microsoft account, and sync checks for OneDrive and for my synchronised device settings.

Now that was a machine that was left running overnight, and so won't capture all the data that might be sent by a machine in day-to-day use. But as an initial exercise it shows that Windows 10's telemetry is not sending vast amounts of your personal data - it's sending small snippets of information, and sending them to a set of servers with names and IP addresses that can easily be blacklisted at a router if you really want to keep your network traffic private.

I deliberately chose a consumer SKU of Windows 10 for this exercise, as it's a version that will send the most possible data to Microsoft. Windows 10 Enterprise is able to control much more of what telemetry data is sent back, and most Enterprise installs won't be using personal Microsoft accounts and the consumer OneDrive-based servers.

So what did I learn?

With free tools and a spreadsheet, it's easy to get a clear picture of what network traffic is going through a machine. Based on my tests, Microsoft certainly is receiving telemetry data from my Windows 10 PC, but we knew that already.

It's also easy to counter the FUD in some reports. In one hour there were only 751 packets sent to any Microsoft address (including any Azure, Skype or Akamai CDN edge server), for around 222KB of data. Of those packets only 182 contained data, with 134KB transferred to Microsoft. In two hours there were only 1586 packets, with 382 containing data, and 262KB of data transferred.

That means for a PC with a standard load, logged into a Microsoft account and using Windows 10's messaging service, we're sending around 190 packets per hour to Microsoft servers, and around 130KB of data per hour.
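The spreadsheet step described above (drop the local chatter, group what the PC sends by destination, separate packets that actually carry data from handshake and ACK frames, and turn the totals into an hourly rate) can be done directly on the CSV that Wireshark exports. The following is an added example, not code from the article or from the Wireshark project; it assumes the default CSV columns of Wireshark's "Export Packet Dissections" with network address resolution enabled, and the sample rows, the LOCAL_HOST address and the MS_SUFFIXES list are constructed assumptions rather than values taken from the article's capture.

```python
"""Aggregate a Wireshark CSV export by destination, the way the article does in Excel.

Assumes the capture was exported with File > Export Packet Dissections > As CSV
using the default columns (No., Time, Source, Destination, Protocol, Length, Info)
with "Resolve network addresses" enabled, so resolvable peers appear as hostnames.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample in the default Wireshark CSV layout; hostnames and frame
# sizes are invented for illustration, not taken from the article's capture.
SAMPLE_CSV = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","192.168.1.20","192.168.1.1","DNS","74","Standard query 0x1a2b A telemetry.microsoft.com"
"2","0.012000","192.168.1.1","192.168.1.20","DNS","130","Standard query response 0x1a2b A telemetry.microsoft.com CNAME telemetry.microsoft.com.nsatc.net"
"3","0.020000","192.168.1.20","telemetry.microsoft.com.nsatc.net","TCP","66","52001 → 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460"
"4","0.045000","telemetry.microsoft.com.nsatc.net","192.168.1.20","TCP","66","443 → 52001 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460"
"5","0.046000","192.168.1.20","telemetry.microsoft.com.nsatc.net","TCP","54","52001 → 443 [ACK] Seq=1 Ack=1 Win=66560 Len=0"
"6","0.050000","192.168.1.20","telemetry.microsoft.com.nsatc.net","TLSv1.2","250","Client Hello"
"7","0.090000","telemetry.microsoft.com.nsatc.net","192.168.1.20","TLSv1.2","1514","Server Hello, Certificate"
"8","0.120000","192.168.1.20","telemetry.microsoft.com.nsatc.net","TLSv1.2","3145","Application Data"
"9","0.150000","192.168.1.20","telemetry.microsoft.com.nsatc.net","TCP","54","52001 → 443 [FIN, ACK] Seq=3342 Ack=1500 Len=0"
"10","0.300000","192.168.1.20","fe80::1","ICMPv6","86","Neighbor Solicitation for fe80::1"
"11","0.500000","192.168.1.20","192.168.1.30","SMB2","1514","Read Request Len:65536 Off:0 File: report.docx"
"12","0.800000","192.168.1.1","224.0.0.251","MDNS","120","Standard query 0x0000 PTR _services._dns-sd._udp.local"
"13","1.000000","192.168.1.20","spyneteurope.microsoft.com","TLSv1.2","410","Application Data"
"14","1.200000","192.168.1.20","outlook.office365.com","TLSv1.2","900","Application Data"
"15","1.300000","192.168.1.20","a1234.dscg.akamaiedge.net","TCP","54","52002 → 443 [ACK] Seq=1 Ack=1 Win=66560 Len=0"
'''

LOCAL_HOST = "192.168.1.20"  # assumption: the address of the PC being measured
# Assumption: hostname suffixes counted as "Microsoft". The article names
# telemetry.microsoft.com.nsatc.net and the spyneteurope SmartScreen servers.
MS_SUFFIXES = (".microsoft.com", ".nsatc.net")
# The interactive equivalent of the outbound/non-local filter below, as a
# Wireshark display filter:  ip.src == 192.168.1.20 && !(ip.dst == 192.168.0.0/16)


def parse_export(text):
    """Yield one dict per frame from a Wireshark CSV export, with Length as an int."""
    for row in csv.DictReader(io.StringIO(text.strip())):
        row["Length"] = int(row["Length"])
        yield row


def classify_peer(addr, ms_suffixes=MS_SUFFIXES):
    """Bucket a Source/Destination cell as 'local', 'microsoft' or 'other'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Not an IP literal, so Wireshark resolved it: match on the hostname.
        host = addr.lower().rstrip(".")
        return "microsoft" if host.endswith(ms_suffixes) else "other"
    # RFC 1918, link-local, multicast and loopback traffic never leaves the LAN.
    if ip.is_private or ip.is_link_local or ip.is_multicast or ip.is_loopback:
        return "local"
    return "other"  # public IP that did not resolve: worth checking by hand


def carries_data(protocol, info):
    """True when a frame carries a payload; bare TCP SYN/ACK/FIN segments do not."""
    if protocol == "TCP":
        return "Len=0" not in info
    return True  # anything Wireshark dissected above TCP/UDP has a payload


def summarize(rows, local_host=LOCAL_HOST, capture_hours=1.0):
    """Outbound packet and byte totals per destination bucket, plus hourly rates."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0,
                                  "data_packets": 0, "data_bytes": 0})
    for row in rows:
        if row["Source"] != local_host:
            continue  # the article counts what the PC sends, so skip inbound frames
        bucket = totals[classify_peer(row["Destination"])]
        bucket["packets"] += 1
        bucket["bytes"] += row["Length"]
        if carries_data(row["Protocol"], row["Info"]):
            bucket["data_packets"] += 1
            bucket["data_bytes"] += row["Length"]
    for bucket in totals.values():
        bucket["packets_per_hour"] = bucket["packets"] / capture_hours
        bucket["bytes_per_hour"] = bucket["bytes"] / capture_hours
    return dict(totals)


if __name__ == "__main__":
    # capture_hours=0.5 mirrors the article's 30-minute baseline run.
    report = summarize(parse_export(SAMPLE_CSV), capture_hours=0.5)
    for name, b in sorted(report.items()):
        print(f"{name:10s} {b['packets']:4d} pkts {b['bytes']:6d} B  "
              f"{b['data_packets']:3d} with data {b['data_bytes']:6d} B  "
              f"{b['packets_per_hour']:.0f} pkts/h {b['bytes_per_hour']:.0f} B/h")
```

Two points are worth noting when running this on a real export: the hostname matching only works if "Resolve network addresses" was on before exporting, otherwise every Microsoft peer lands in the `other` bucket as a bare IP; and the byte counts are frame lengths, so, as the article says of the 3KB packets, they include TLS and TCP/IP overhead rather than just the telemetry payload.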

Compared to all the traffic through my test PC's network card, it's only a small proportion of the total network traffic, and it's certainly not the many thousands of network packets that some have reported. When you think about it, that makes sense. Microsoft is aiming to have a billion machines running Windows 10 by sometime in 2018. If they're all delivering several megabytes of telemetry every day, that's millions of terabytes of data to store and analyse - a big data problem that's going to be extremely expensive to solve.

Without decrypting the telemetry packets Microsoft receives, we're not going to know exactly what data it receives. But they're small and relatively infrequent, so are unlikely to be packed with your personal data. It'll be interesting to repeat these tests using a Windows 10 Enterprise system, with maximum telemetry blocking.

These are, sadly, justifiably paranoid times. The government is taking as much data as it wants, and social networks own as much of our personal data as they can. But when it comes to our PCs, it's hard to separate a modern PC from the cloud services it uses, from email to storage to application licensing to updates and beyond. That means it's also hard to understand what each network packet it sends is doing.

Getting that understanding means a lot of work, capturing and filtering and analysing data. But once you've done that work, it looks as though Microsoft is doing just what it says: taking the data it needs to improve PC applications and services.
