Sniffer for Windows That Shows Process ID?

Sniffer for Windows That Shows Process ID?
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 Networking Firewalls    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
Sniffer for Windows That Shows Process ID? Will 10-10-2007
Posted by Will on October 10, 2007, 3:26 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Can someone recommend a sniffer for Windows that will show the process ID
and name of the process sending or receiving each packet shown in the
sniffer?

I normally use ethereal or wireshark and didn't see a straightforward way to
include this information.

--
Will



Posted by User on October 10, 2007, 8:16 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
wrote:

>Can someone recommend a sniffer for Windows that will show the process ID
>and name of the process sending or receiving each packet shown in the
>sniffer?
>
>I normally use ethereal or wireshark and didn't see a straightforward way to
>include this information.


A 'true' sniffer is runs at the kernel level, hooking into the network
stack. Therefore, it has no concept of which process is involved with
the actual network traffic.

Your best bet would be something like TCPVIEW ... used to be
www.sysinternals.com (now actually redirected to MS$). It will show
what process (and process id) is using any particular port at any
given time.

Posted by Will on October 10, 2007, 8:38 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
> wrote:
>
>>Can someone recommend a sniffer for Windows that will show the process ID
>>and name of the process sending or receiving each packet shown in the
>>sniffer?
>>
>>I normally use ethereal or wireshark and didn't see a straightforward way
>>to
>>include this information.
>
> A 'true' sniffer is runs at the kernel level, hooking into the network
> stack. Therefore, it has no concept of which process is involved with
> the actual network traffic.

I understand this, and that's why it's a tougher problem to solve and why I
am willing to pay some money for it. I guess that a sniffer running as
SYSTEM could be simultaneously parsing OS data structures related to
applications and network use, and simultaneously looking at raw packet data,
and then cross referencing them when that is possible. In some cases that
might give an ambiguous result, and in other cases it would surely be
possible to uniquely associate a pattern of network traffic with a process.
It's surely not perfect, but particularly for getting a historical record of
outgoing UDP traffic, I will take what I can get.


> Your best bet would be something like TCPVIEW ... used to be
> www.sysinternals.com (now actually redirected to MS$). It will show
> what process (and process id) is using any particular port at any
> given time.

That's a great tool for seeing listeners associated with processes. But
that's the low hanging fruit that even simple command line tools like
netstat give you. Unless you have the patience of a saint and don't mind
staring intently at the TCPView's windows for hours at a time, you probably
aren't going to see the process that sends UDP packets for 20 seconds once
every six hours. Those are exactly the forensics situations where I want
the capability I am asking for.

If you know of a way to set a "trap" in TCPView or a similar application
that can be conditional like "any application sending traffic to target IP X
on UDP port Y, that would also be a great tool to find.

--
Will



Posted by Patrick Klos on October 10, 2007, 10:32 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
>I understand this, and that's why it's a tougher problem to solve and why I
>am willing to pay some money for it.

Why don't you provide a real email address so we could take this offline?

>That's a great tool for seeing listeners associated with processes. But
>that's the low hanging fruit that even simple command line tools like
>netstat give you. Unless you have the patience of a saint and don't mind
>staring intently at the TCPView's windows for hours at a time, you probably
>aren't going to see the process that sends UDP packets for 20 seconds once
>every six hours.

What exactly are in these UDP packets? Maybe that info would give a huge
clue as to which service or application is sending them?

>Those are exactly the forensics situations where I want
>the capability I am asking for.
>
>If you know of a way to set a "trap" in TCPView or a similar application
>that can be conditional like "any application sending traffic to target IP X
>on UDP port Y, that would also be a great tool to find.

If the app in question sends packets repeatedly for 20 seconds, then a filter
in Wireshark (or your favorite sniffer) that shows the packet will give you
the time to run netstat as soon as the packet shows up. Patience is part of
the game in network forensics (as in most detective work). :o)

Patrick
========= For LAN/WAN Protocol Analysis, check out PacketView Pro! =========
Patrick Klos Email: patrick@klos.com
Klos Technologies, Inc. Web: http://www.klos.com/
============================================================================

Posted by goarilla on October 11, 2007, 5:25 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
User wrote:
> wrote:
>
>> Can someone recommend a sniffer for Windows that will show the process ID
>> and name of the process sending or receiving each packet shown in the
>> sniffer?
>>
>> I normally use ethereal or wireshark and didn't see a straightforward way to
>> include this information.
>
>
> A 'true' sniffer is runs at the kernel level, hooking into the network
> stack. Therefore, it has no concept of which process is involved with
> the actual network traffic.
>
> Your best bet would be something like TCPVIEW ... used to be
> www.sysinternals.com (now actually redirected to MS$). It will show
> what process (and process id) is using any particular port at any
> given time.
what's wrong with netstat ?
i think netstat -a -o will show all connections and their PID (not
processname)
tasklist can show you PID and processname of running tasks

Similar ThreadsPosted
What is Generic Host Process for Win32 Services with the file name/path C:\WINDOWS\system32\svchost.exe and does it need server permission to work properly? October 23, 2006, 6:07 pm
IE shows ".url" extension!. January 17, 2006, 1:32 pm
Firewall shows ports being used in sqeuence December 5, 2005, 9:28 am
Re: Firewall shows ports being used in sqeuence December 5, 2005, 9:57 am
Re: Firewall shows ports being used in sqeuence December 5, 2005, 3:25 pm
Router log shows port 1026 activity? May 8, 2006, 12:46 pm
HeadphoneTV.com - Best in StreamingTV! 27000+ episodes of your favorite shows without Downloading! December 2, 2006, 11:49 pm
Zonealarm and sniffer tools December 16, 2006, 5:59 am
Anyone knows the Blueye layer 7 sniffer? February 15, 2008, 5:01 am
Re: Likelihood of IT using a Packet Sniffer August 11, 2008, 5:24 pm

The site map in XML format XML site map

Contact Us | Privacy Policy