So I've been playing with Process Monitor lately and it's a pretty nifty tool: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

It logs everything that's going on in Windows. I'm not familiar enough with Windows internals to know at what layer this operates, but one particular kind of log entry would interest you: any time a connection is made it logs the process, and the src/dest IP and src/dest ports. You could run a packet capture and link each packet with the process that generated it. Carbon Black is another tool I've been messing with, and it also links network connections to the originating process, and presents the data better than Process Monitor. I don't see any easy solution for this problem, but it looks like there's some sort of event stream within Windows that you can hook into to provide the connection <-> process info; then you'll have to correlate it with your packet capture.

On Tue, Mar 12, 2013 at 1:03 AM, Sherif El-Deeb <[email protected]> wrote:
> Wow! ephemeral ports! that was quick and dirty :)
>
> The downside of your approach is that:
> 1) it is "ephemeral port" based, not "process based" ... allow me to demonstrate:
> - iexplorer.exe communicated to google.com:80 using "ephemeral port:12345", got what it was looking for, connection FIN, 12345 traffic does not belong to iexplorer.exe anymore... another process runs ... and used 12345, we have a problem "I know this is a low possibility, and I know that I may pair the process:port pair as the filename to avoid confusion, but I hope you got my point".
>
> 2) we have to keep an infinite loop running to iterate through "netstat" and parse results, then start tcpdump for each new ephemeral port "one process may be communicating to many hosts", then keep track of the spawned tcpdump(s) so they may be killed when the "communicating-process-specific-ephemeral-port" ends communications, this is guaranteed to kill all the cores the box has "it's not only the loop", and will *surely* miss lots of stuff since the loop might not be quick enough, needless to say that mergecap-ing is going to be messy.
>
> 3) Fire-and-forget outbound UDP traffic?
>
> I'm glad you had fun ;) I definitely appreciated your idea of utilizing ephemeral ports "thank you", but I will keep looking for something "truly" process oriented that is guaranteed to not miss anything "I don't mind 100% CPU".
>
> Regards,
> Sherif.
>
> On Tue, Mar 12, 2013 at 7:18 AM, Hans Kokx <[email protected]> wrote:
> > This sounded like an interesting challenge, so I whipped something together that seems to work. Maybe it's what you're looking for, or maybe not.
> >
> > So, the idea I came up with is relatively simple: each process is going to open an ephemeral port to connect to the known port of the service. Let's take, for example, a simple SOCKS5 proxy I've tossed together over SSH:
> >
> > nohup ssh -D 8000 -C -N [email protected] >/dev/null 2>&1 &
> >
> > I typically use this everywhere that's not at home, and push ALL my traffic through it. Hey, security.
> >
> > Anywho, on my mac, I was able to find the ephemeral port that it was using:
> >
> > $ netstat -ntl|grep 192.168.1.5|grep 22
> > tcp4 0 0 192.168.1.156.61697 192.168.1.5.22 ESTABLISHED
> >
> > Now we've got an ephemeral port to work with. Some clever awk- and sed-foo and you can grab JUST that port.
> >
> > Capturing the traffic is simple enough….
> >
> > $ tcpdump src port 61697
> >
> > So, we've got the traffic for this individual socket, but who does it belong to?
> >
> > $ sudo lsof -i 4tcp:61697
> > Password:
> > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> > ssh 17878 hkokx 3u IPv4 0x225a0a58298b9315 0t0 TCP 192.168.1.156:61697->myhost.com:ssh (ESTABLISHED)
> >
> > There's your pid and process name.
> >
> > This was fun. Thanks for the challenge. :)
> > --
> > Hans Kokx
> >
> > On Tuesday, March 12, 2013 at 12:03 AM, Sherif El-Deeb wrote:
> >
> > I have been trying to figure out a way to "capture/filter" network traffic per process, not per host/interface in a Windows environment "even though I'd be curious to know how that could be done in *n?x/OS X".
> >
> > What I want to achieve is create a PCAP file for each process id that was executed and communicated over the network.
> >
> > help, please.
> > Thanks and regards,
> >
> > Sherif.
> > _______________________________________________
> > Pauldotcom mailing list
> > [email protected]
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com

--
_________________________________
Note to self: Pillage BEFORE burning.
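An added example (mine, not code from any of the posts above) of what the correlation step looks like once you have a process-to-port source such as the lsof output Hans pasted, Procmon's TCP/UDP events, or Carbon Black's connection records. It parses `lsof -nP -i` style lines, turns periodic polls into open/closed intervals per socket, and assigns each packet to a pid by local endpoint, remote endpoint and time, so that Sherif's objections surface as explicit buckets (ambiguous for an ephemeral port reused between two polls, unattributed for a short-lived UDP socket no poll ever saw) instead of as silently wrong labels. The poll lines, hosts, pids, device ids and timestamps are constructed sample data; `-n`/`-P` are real lsof options that keep hosts and ports numeric.

```python
# Added example for the thread above; all poll lines, hosts, pids and
# timestamps are constructed sample data, not output from any post.
import re
from collections import defaultdict

# One `lsof -nP -i` line: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
LSOF_LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?")

def split_endpoint(ep):  # '192.168.1.156:61697' -> ('192.168.1.156', 61697)
    host, port = ep.rsplit(":", 1)
    return host.strip("[]"), int(port)

def parse_lsof(line):
    """(proto, (ip, port), remote-or-None, pid, cmd), or None. Listeners and
    wildcard-bound sockets are skipped: without the host's own address list
    we cannot tell which side of a packet they correspond to."""
    m = LSOF_LINE.match(line)
    if not m or m.group("state") == "LISTEN":
        return None
    local_s, _, remote_s = m.group("name").partition("->")
    if local_s.startswith("*") or not local_s.rsplit(":", 1)[-1].isdigit():
        return None
    remote = split_endpoint(remote_s) if remote_s else None
    return (m.group("proto"), split_endpoint(local_s), remote,
            int(m.group("pid")), m.group("cmd"))

def build_intervals(polls):
    """polls: [(t, [lsof lines])] with t increasing. One record per socket:
    (proto, local, remote, pid, cmd, gap_open, first_seen, last_seen, closed_at).
    Certainly open on [first_seen, last_seen]; possibly open in the polling gaps
    (gap_open, first_seen) and (last_seen, closed_at); closed_at None = still open."""
    open_sockets, records, prev_t = {}, [], float("-inf")
    for t, lines in polls:
        present = {rec for rec in map(parse_lsof, lines) if rec}
        for key in list(open_sockets):
            if key not in present:          # vanished since the previous poll
                records.append(key + tuple(open_sockets.pop(key)) + (t,))
        for key in present:                 # new socket: [gap_open, first, last]
            open_sockets.setdefault(key, [prev_t, t, t])[2] = t
        prev_t = t
    for key, times in open_sockets.items():
        records.append(key + tuple(times) + (None,))
    return records

def attribute(records, packets):
    """packets: (t, proto, src_ip, sport, dst_ip, dport) captured on the host.
    Buckets: attributed (one socket certainly open at t), probable (no certain
    owner, one candidate in a polling gap), ambiguous (several candidates, e.g.
    a port reused between polls), unattributed (nothing matched)."""
    by_local = defaultdict(list)
    for rec in records:
        by_local[(rec[0],) + rec[1]].append(rec)
    out = {"attributed": defaultdict(list), "probable": [], "ambiguous": [], "unattributed": []}
    for pkt in packets:
        t, proto, sip, sp, dip, dp = pkt
        certain, possible = set(), set()
        # try the packet's source as the local end, then its destination
        for local, remote in (((sip, sp), (dip, dp)), ((dip, dp), (sip, sp))):
            for (_, _, sock_remote, pid, cmd, gap_open, first, last,
                 closed) in by_local.get((proto,) + local, ()):
                if sock_remote is not None and sock_remote != remote:
                    continue                # socket is connected to a different peer
                end = float("inf") if closed is None else closed
                if first <= t <= last:
                    certain.add((pid, cmd))
                elif gap_open < t < first or last < t < end:
                    possible.add((pid, cmd))
        candidates = certain | possible
        if len(certain) == 1:
            out["attributed"][next(iter(certain))].append(pkt)
        elif len(candidates) == 1:
            out["probable"].append((pkt, next(iter(candidates))))
        elif candidates:
            out["ambiguous"].append((pkt, sorted(candidates)))
        else:
            out["unattributed"].append(pkt)
    out["attributed"] = dict(out["attributed"])
    return out

# Constructed data: four polls 10 s apart. ssh 17878 exits between t=10 and t=20
# and ssh 17900 reuses port 61697 to the same server; pid 20002's UDP socket is
# seen by a single poll only.
LISTEN = "sshd 300 root 4u IPv6 0xa 0t0 TCP *:22 (LISTEN)"
SSH1 = "ssh 17878 hkokx 3u IPv4 0x225a0a58298b9315 0t0 TCP 192.168.1.156:61697->192.168.1.5:22 (ESTABLISHED)"
SSH2 = "ssh 17900 hkokx 3u IPv4 0x225a0a582a11c0d5 0t0 TCP 192.168.1.156:61697->192.168.1.5:22 (ESTABLISHED)"
DNS = "python 20002 hkokx 3u IPv4 0x225a0a582a22d1e6 0t0 UDP 192.168.1.156:52100"
POLLS = [(0, [LISTEN, SSH1]), (10, [LISTEN, SSH1]), (20, [LISTEN, SSH2, DNS]), (30, [LISTEN, SSH2])]
PACKETS = [  # (t, proto, src_ip, sport, dst_ip, dport)
    (2, "TCP", "192.168.1.156", 61697, "192.168.1.5", 22),   # ssh 17878, certain
    (15, "TCP", "192.168.1.5", 22, "192.168.1.156", 61697),  # inside the port-reuse gap
    (25, "TCP", "192.168.1.156", 61697, "192.168.1.5", 22),  # ssh 17900, certain
    (25, "UDP", "192.168.1.156", 52100, "192.168.1.1", 53),  # after the UDP socket's only sighting
    (35, "UDP", "192.168.1.156", 52100, "192.168.1.1", 53),  # UDP socket already gone
    (5, "UDP", "192.168.1.156", 49999, "192.168.1.1", 53),   # never seen by any poll
]

def run():  # correlate the constructed polls and packets; returns the four buckets
    return attribute(build_intervals(POLLS), PACKETS)

if __name__ == "__main__":
    for bucket, items in run().items():
        print(bucket, items)
```

Running it prints the four buckets: the two certain ssh packets, the t=15 packet flagged ambiguous between pids 17878 and 17900, the t=25 DNS packet as merely probable, and the two UDP packets nothing can claim. A shorter poll interval shrinks the ambiguous and unattributed buckets but never empties them, which is exactly why an event stream that reports connect/close per process (Procmon, ETW, Carbon Black) beats polling the socket table.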
