Sniffer for Windows That Shows Process ID?

Posted by Will on October 10, 2007, 3:26 am
Can someone recommend a sniffer for Windows that will show the process ID
and name of the process sending or receiving each packet shown in the
sniffer?

I normally use ethereal or wireshark and didn't see a straightforward way to
include this information.

--
Will



Posted by MowGreen [MVP] on October 10, 2007, 5:59 pm
netstat for ports, not packets, though.

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]

-a Displays all connections and listening ports.
-b Displays the executable involved in creating each
connection or listening port. In some cases well-known executables host
multiple independent components, and in these cases the
sequence of components involved in creating the connection
or listening port is displayed. In this case the executable
name is in [] at the bottom, on top is the component it called,
and so forth until TCP/IP was reached. Note that this option
can be time-consuming and will fail unless you have sufficient
permissions.

-e Displays Ethernet statistics. This may be combined with
the -s option.

-n Displays addresses and port numbers in numerical form.
-o Displays the owning process ID associated with each
connection.

-p proto Shows connections for the protocol specified by proto;
proto may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s
option to display per-protocol statistics, proto may be any of: IP,
IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.

-r Displays the routing table.
-s Displays per-protocol statistics. By default,
statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and
UDPv6; the -p option may be used to specify a subset of the default.

-v When used in conjunction with -b, will display sequence
of components involved in creating the connection
listening port for all executables.

interval Redisplays selected statistics, pausing interval seconds
between each display. Press CTRL+C to stop redisplaying
statistics. If omitted, netstat will print the current
configuration information once.


MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============


Will wrote:

> Can someone recommend a sniffer for Windows that will show the process ID
> and name of the process sending or receiving each packet shown in the
> sniffer?
>
> I normally use ethereal or wireshark and didn't see a straightforward way to
> include this information.
>

Posted by Will on October 10, 2007, 7:10 pm
Netstat is not a *historical* trace of packets. It's totally unsuitable
as a sniffer replacement.

If your application is to associate a listening port with a process, netstat
is handy and I use it.

If your application is to ask the question "who sent out these packets at
3:07p today to a particular destination on a particular port?", netstat is the
wrong tool. A sniffer is the right tool.

Moreover, if the packets are UDP, I seem to remember that netstat only shows
UDP listeners, not outgoing traffic. So even if I executed netstat at
precisely the right moment, I still wouldn't see outgoing UDP traffic of
interest.

--
Will


> netstat for ports, not packets, though.
>
> Displays protocol statistics and current TCP/IP network connections.
>
> NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]
>
> -a Displays all connections and listening ports.
> -b Displays the executable involved in creating each
> connection or listening port. In some cases well-known executables host
> multiple independent components, and in these cases the
> sequence of components involved in creating the connection
> or listening port is displayed. In this case the executable
> name is in [] at the bottom, on top is the component it called,
> and so forth until TCP/IP was reached. Note that this option
> can be time-consuming and will fail unless you have sufficient
> permissions.
>
> -e Displays Ethernet statistics. This may be combined with
> the -s option.
>
> -n Displays addresses and port numbers in numerical form.
> -o Displays the owning process ID associated with each
> connection.
>
> -p proto Shows connections for the protocol specified by proto;
> proto may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s
> option to display per-protocol statistics, proto may be any of: IP, IPv6,
> ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
>
> -r Displays the routing table.
> -s Displays per-protocol statistics. By default, statistics
> are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p
> option may be used to specify a subset of the default.
>
> -v When used in conjunction with -b, will display sequence of
> components involved in creating the connection listening port for all
> executables.
>
> interval Redisplays selected statistics, pausing interval seconds
> between each display. Press CTRL+C to stop redisplaying
> statistics. If omitted, netstat will print the current
> configuration information once.
>
>
> MowGreen [MVP 2003-2008]
> ===============
> *-343-* FDNY
> Never Forgotten
> ===============
>
>
> Will wrote:
>
>> Can someone recommend a sniffer for Windows that will show the process ID
>> and name of the process sending or receiving each packet shown in the
>> sniffer?
>>
>> I normally use ethereal or wireshark and didn't see a straightforward way
>> to include this information.
>>



Posted by S. Pidgorny on October 11, 2007, 4:42 am
G'day:

> Netstat is not a *historical* trace of packets. It's totally
> unsuitable as a sniffer replacement.
>
> If your application is to associate a listening port with a process,
> netstat is handy and I use it.
>
> If your application is to ask the question "who sent out these packets at
> 3:07p today to a particular destination on a particular port, netstat is
> the wrong tool. A sniffer is the right tool.

I usually run netstat -ano in a loop and a protocol analyser in parallel.
You can do both if you can schedule tasks for 3:07p...

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
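The netstat-in-a-loop approach above still leaves the correlation to be done by hand. The following is an added example (Python, not code from the thread or any of the posters): it parses constructed `netstat -ano` snapshots and, for each packet's local port, looks up the owning PID in the most recent snapshot taken before the packet, returning None where the snapshot missed a short-lived socket. The snapshot text and packet tuples are constructed sample data.

```python
# Added example (not from the thread): correlate 'netstat -ano' snapshots
# polled in a loop with packet timestamps from a protocol analyser.
import bisect
from collections import namedtuple

Socket = namedtuple("Socket", "proto local_ip local_port pid")

def parse_netstat(text):
    """Parse 'netstat -ano' rows (Windows format). UDP rows have no State
    column, so the PID is always taken from the last field."""
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header line, blank line or unknown protocol
        ip, _, port = parts[1].rpartition(":")  # also handles [::]:135
        socks.append(Socket(parts[0], ip, int(port), int(parts[-1])))
    return socks

def pid_for_packet(snapshots, pkt_time, proto, local_ip, local_port):
    """snapshots: list of (time, [Socket]) sorted by time. Returns the PID
    owning local_port in the latest snapshot not after pkt_time, or None
    when no snapshot covers it (a snapshot misses short-lived sockets)."""
    times = [t for t, _ in snapshots]
    i = bisect.bisect_right(times, pkt_time) - 1
    if i < 0:
        return None
    for s in snapshots[i][1]:
        # UDP listeners are usually bound to the wildcard address; accept it
        if (s.proto == proto and s.local_port == local_port
                and s.local_ip in (local_ip, "0.0.0.0", "[::]")):
            return s.pid
    return None

def correlate(snapshots, packets):
    """packets: iterable of (time, proto, local_ip, local_port) tuples."""
    return [pid_for_packet(snapshots, *p) for p in packets]

# Constructed sample data: two polls 30 s apart, then four packet sightings.
SNAP_1 = """  Proto  Local Address      Foreign Address    State        PID
  TCP    10.0.0.5:49700     203.0.113.9:443    ESTABLISHED  4120
  UDP    0.0.0.0:5353       *:*                             1388"""
SNAP_2 = """  Proto  Local Address      Foreign Address    State        PID
  TCP    10.0.0.5:49701     198.51.100.7:80    ESTABLISHED  4120
  UDP    0.0.0.0:5353       *:*                             1388"""
SNAPSHOTS = [(0, parse_netstat(SNAP_1)), (30, parse_netstat(SNAP_2))]
PACKETS = [(5, "TCP", "10.0.0.5", 49700),   # -> 4120, seen in snapshot 1
           (12, "UDP", "10.0.0.5", 5353),   # -> 1388 via wildcard listener
           (35, "TCP", "10.0.0.5", 49700),  # -> None, socket gone by snap 2
           (40, "TCP", "10.0.0.5", 49701)]  # -> 4120, seen in snapshot 2
```

Replace SNAP_1/SNAP_2 with polls captured in a loop and PACKETS with rows exported from the analyser; the shorter the poll interval, the fewer None results.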



Posted by jameshanley39@yahoo.co.uk on October 11, 2007, 9:16 am
Will wrote:

> Can someone recommend a sniffer for Windows that will show the
> process ID and name of the process sending or receiving each packet
> shown in the sniffer?
>
> I normally use ethereal or wireshark and didn't see a straightforward
> way to include this information.


This is indeed a noble search! I have looked for the same thing
myself.

netstat can see the process ID, but only offers a snapshot; it's
stateless, and as a result of it only doing a snapshot, it doesn't
record whether the packet is incoming or outgoing. And of course it's
only a snapshot-style port status thing.

You said something like TCPView does what you want "if you had the
patience of a saint"? But from what I remember, TCPView is not a packet
sniffer. You never see inside the packet.

I did find a port logger (software running on the machine, of course;
it's necessary for this) that records process ID, and whether the
packet is incoming or outgoing. But it's not a packet sniffer:
Sygate Personal Firewall, probably the last free version. Maybe
available from oldversion.com or elsewhere. You can turn off the
firewall feature, leaving just the port logger. Though the last time I
installed it, it crashed, maybe blocking outgoing, and so I removed it
and haven't tried it since.

Somebody should really write what you suggest. It'd be only a small
addition to Ethereal. Indeed, it's not purely a 'packet' thing, but in
a strict definition of packet, neither is TCP. TIME isn't a purely
packet thing either, by any definition, though Ethereal displays it
alongside the packet. MS Word is popular because it draws pictures,
doesn't just allow the writing of words. I have to get into this silly
philosophical thing, since a post implied Ethereal or a packet sniffer
*shouldn't* do it, so I think some people don't get it.

Somebody posted writing as if this was some personal problem Will has,
requesting they email in private (perhaps since he writes software and
sells it). OK. But it is not just his thing. It's as he described it.
A general thing.

I notice also XanaNews tried to set follow-up to
comp.dcom.net-management, so if anybody uses that, then be careful!
