In Windows you can use http://www.microsoft.com/en-us/download/details.aspx?id=4865 to look at traffic by process. On a *nix system I do not know of a tool that allows it.

Sent from my iPhone

On Mar 12, 2013, at 3:53 AM, allison nixon <[email protected]> wrote:

> So I've been playing with Process Monitor lately and it's a pretty nifty tool:
> http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
>
> It logs everything that's going on in Windows. I'm not familiar enough with Windows internals to know at what layer this operates, but one particular kind of log entry would interest you. Any time a connection is made it logs the process, and the src/dest IP and src/dest ports. You could run a packet capture and link each packet with the process that generated it. Carbon Black is another tool I've been messing with, and it also links network connections to the originating process, and presents the data better than Process Monitor.
>
> I don't see any easy solution for this problem but it looks like there's some sort of event stream within Windows that you can hook into to provide the connection <-> process info, then you'll have to correlate it with your packet capture.
>
> On Tue, Mar 12, 2013 at 1:03 AM, Sherif El-Deeb <[email protected]> wrote:
>> Wow! Ephemeral ports! That was quick and dirty :)
>>
>> The downside of your approach is that:
>>
>> 1) It is "ephemeral port" based, not "process based" ... allow me to demonstrate:
>>    - iexplorer.exe communicated to google.com:80 using "ephemeral port:12345", got what it was looking for, connection FIN, 12345 traffic does not belong to iexplorer.exe anymore... another process runs ... and used 12345, we have a problem "I know this is a low possibility, and I know that I may pair the process:port pair as the filename to avoid confusion, but I hope you got my point".
>>
>> 2) We have to keep an infinite loop running to iterate through "netstat" and parse results, then start tcpdump for each new ephemeral port "one process may be communicating to many hosts", then keep track of the spawned tcpdump(s) so they may be killed when the "communicating-process-specific-ephemeral-port" ends communications. This is guaranteed to kill all the cores the box has "it's not only the loop", and will *surely* miss lots of stuff since the loop might not be quick enough, needless to say that mergecap-ing is going to be messy.
>>
>> 3) Fire-and-forget outbound UDP traffic?
>>
>> I'm glad you had fun ;) I definitely appreciated your idea of utilizing ephemeral ports "thank you", but I will keep looking for something "truly" process oriented that is guaranteed to not miss anything "I don't mind 100% CPU".
>>
>> Regards,
>> Sherif.
>>
>> On Tue, Mar 12, 2013 at 7:18 AM, Hans Kokx <[email protected]> wrote:
>> > This sounded like an interesting challenge, so I whipped something together that seems to work. Maybe it's what you're looking for, or maybe not.
>> >
>> > So, the idea I came up with is relatively simple: each process is going to open an ephemeral port to connect to the known port of the service. Let's take, for example, a simple SOCKS5 proxy I've tossed together over SSH:
>> >
>> > nohup ssh -D 8000 -C -N [email protected] >/dev/null 2>&1 &
>> >
>> > I typically use this everywhere that's not at home, and push ALL my traffic through it. Hey, security.
>> >
>> > Anywho, on my Mac, I was able to find the ephemeral port that it was using:
>> >
>> > $ netstat -ntl|grep 192.168.1.5|grep 22
>> > tcp4 0 0 192.168.1.156.61697 192.168.1.5.22 ESTABLISHED
>> >
>> > Now we've got an ephemeral port to work with. Some clever awk- and sed-foo and you can grab JUST that port.
>> >
>> > Capturing the traffic is simple enough….
>> >
>> > $ tcpdump src port 61697
>> >
>> > So, we've got the traffic for this individual socket, but who does it belong to?
>> >
>> > $ sudo lsof -i 4tcp:61697
>> > Password:
>> > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
>> > ssh 17878 hkokx 3u IPv4 0x225a0a58298b9315 0t0 TCP 192.168.1.156:61697->myhost.com:ssh (ESTABLISHED)
>> >
>> > There's your pid and process name.
>> >
>> > This was fun. Thanks for the challenge. :)
>> > --
>> > Hans Kokx
>> >
>> > On Tuesday, March 12, 2013 at 12:03 AM, Sherif El-Deeb wrote:
>> >
>> > I have been trying to figure out a way to "capture/filter" network traffic per process, not per host/interface, in a Windows environment "even though I'd be curious to know how that could be done in *n?x/OS X".
>> >
>> > What I want to achieve is to create a PCAP file for each process id that was executed and communicated over the network.
>> >
>> > Help, please.
>> > Thanks and regards,
>> >
>> > Sherif.
>> > _______________________________________________
>> > Pauldotcom mailing list
>> > [email protected]
>> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> > Main Web Site: http://pauldotcom.com
>
> --
> _________________________________
> Note to self: Pillage BEFORE burning.
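Hans's netstat -> tcpdump -> lsof chain, and Sherif's objection that one process may hold many connections at once, as an added example that is not from the thread: a POSIX shell/awk function that turns `lsof -nP -i` output into a single tcpdump filter per PID, pinning the remote host and port alongside the ephemeral port so a later reuse of that port by another process is less likely to be mis-attributed. The lsof lines are constructed sample data modeled on Hans's output, and `pid_filter` is a name chosen here.

```shell
#!/bin/sh
# Added example (not the thread's code): one tcpdump filter per PID, built from
# lsof output, instead of one tcpdump per ephemeral port.
# Real use (assumes lsof -nP so hosts/ports are numeric):
#   sudo tcpdump -w "pid-$PID.pcap" "$(lsof -nP -i | pid_filter "$PID")"

# Constructed sample lines in `lsof -nP -i` layout (TEST-NET addresses).
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ssh 17878 hkokx 3u IPv4 0x225a0a58298b9315 0t0 TCP 192.168.1.156:61697->192.168.1.5:22 (ESTABLISHED)
firefox 2201 hkokx 40u IPv4 0x1 0t0 TCP 192.168.1.156:50001->203.0.113.10:443 (ESTABLISHED)
firefox 2201 hkokx 41u IPv4 0x2 0t0 TCP 192.168.1.156:50002->203.0.113.10:443 (ESTABLISHED)
firefox 2201 hkokx 42u IPv4 0x3 0t0 UDP 192.168.1.156:50003->192.0.2.53:53
sshd 901 root 3u IPv4 0x4 0t0 TCP *:22 (LISTEN)'

# pid_filter PID: read lsof -nP -i output on stdin, print a BPF expression
# matching both directions of every connection the PID currently holds.
# Exit status 1 when the PID has no connected sockets (listeners are skipped).
pid_filter() {
  awk -v pid="$1" '
    NR > 1 && $2 == pid && $9 ~ /->/ {
      split($9, ends, "->")                       # local -> remote
      i = match(ends[1], /:[^:]*$/); lport = substr(ends[1], i + 1)
      i = match(ends[2], /:[^:]*$/)
      rhost = substr(ends[2], 1, i - 1); rport = substr(ends[2], i + 1)
      gsub(/\[/, "", rhost); gsub(/\]/, "", rhost)  # strip IPv6 brackets
      # proto + remote host/port + local port: tighter than "port lport" alone
      term = "(" tolower($8) " and host " rhost " and port " rport " and port " lport ")"
      if (!(term in seen)) { seen[term] = 1; terms[++n] = term }
    }
    END {
      if (n == 0) exit 1
      out = terms[1]
      for (k = 2; k <= n; k++) out = out " or " terms[k]
      print out
    }'
}

# Demo on the constructed data: the ssh process from Hans's example.
printf '%s\n' "$SAMPLE_LSOF" | pid_filter 17878
```

The filter is still a snapshot of one lsof poll, so Sherif's points about connections that finish between polls and fire-and-forget UDP still stand; it only removes the one-tcpdump-per-port sprawl and the bare-port ambiguity.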
