Bob,

If the query is coming from a remote machine, you should be able to run Wireshark on that system and see the source of the original query to the DNS server. If that's not the case and the query is initiated from the local machine then I'm not sure. You could try this tool from Sysinternals:
http://www.sysinternals.com/Utilities/TdiMon.html
That might help. You used to be able to get a trial version of TCPViewPro from winternals.com but I don't see that option any more. That version is more powerful.

You can also run services.msc and try stopping services or use Process Explorer and kill processes until you figure out which one is the culprit. Short of that, I'm not sure what else to tell you. I'm not much of a Windows internals expert. You might want to try one of the Microsoft forums – some of them are very helpful – or look for articles by Mark Russinovich, the Windows Internals Guru (and author of the Sysinternals Tools).

Good luck,
--Jim
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob Frottner
Sent: Saturday, October 28, 2006 4:05 PM
To: wireshark-users@wireshark.org
Subject: Re: [Wireshark-users] How to find the application sending a name request?
Thanks James, that's great help!
I found out that - ok, I should have expected that - svchost (registering
dnscache.dll) is sending the DNS name query and getting the response "no
such name". But I still cannot figure out which application initiated the
DNS request, which application sits at the starting point for asking for the
unknown server. I suspect it is some service.
Thanks,
Bob
"Small, James" <[EMAIL PROTECTED]> wrote:
One way to narrow it down would be to use Wireshark to identify the source IP and port. So on that particular Windows box, you could then use either netstat -ano (believe only 2003 and XP add the -o option) or you could use fport from Foundstone:
http://www.foundstone.com/knowledge/proddesc/fport.html
These should let you map the source port to a particular process ID or application/service. From there the best tool to use to look at processes is probably Process Explorer on sysinternals.com: http://www.sysinternals.com/Utilities/ProcessExplorer.html
Alternatively you can use the Windows built-in by pressing Control-Shift-Esc to bring up Windows Task Manager and click on the Process tab. However, Process Explorer is much more thorough and powerful (and also free).
On the same site you can also check out TCPView that lets you view all networking apps and the process IDs:
http://www.sysinternals.com/Utilities/TcpView.html
That's not perfect but it should give you a good start. If you still can't figure it out after that try posting again with what you found so far.
--Jim
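The port-to-process mapping Jim describes (read the UDP source port off the query in Wireshark, then look it up in `netstat -ano`) can be scripted, and one extra step answers Bob's follow-up: `tasklist /svc` tells you which services a given svchost.exe PID is hosting. The script below is an added example, not code from this thread or from any Sysinternals/Foundstone tool; the `netstat -ano` and `tasklist /svc` outputs it parses are constructed samples in the XP/2003 column layout, and the function names are my own.

```python
"""Map a source port seen in Wireshark to the owning Windows process and the
services hosted in it, by parsing `netstat -ano` and `tasklist /svc` output.

Added example; the two sample outputs below are constructed, not captured.
"""
import re

# Constructed sample of `netstat -ano`. UDP rows have no State column, so a
# row has either 5 or 4 whitespace-separated fields; the PID is always last.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    192.168.1.20:3389      192.168.1.5:1055       ESTABLISHED     1080
  UDP    0.0.0.0:1026           *:*                                    1132
  UDP    192.168.1.20:137       *:*                                    4
"""

# Constructed sample of `tasklist /svc`. Image names may contain spaces, and
# long service lists wrap onto indented continuation lines.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    944 RpcSs
svchost.exe                   1132 Dnscache
lsass.exe                      520 PolicyAgent, ProtectedStorage, SamSs,
                                   NetLogon
explorer.exe                  1080 N/A
"""


def parse_netstat(text):
    """Return {(proto, local_port): pid} from `netstat -ano` output."""
    sockets = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local = fields[0], fields[1]
        port = int(local.rsplit(":", 1)[1])  # rsplit also copes with "[::]:53"
        sockets[(proto, port)] = int(fields[-1])
    return sockets


def parse_tasklist_svc(text):
    """Return {pid: (image_name, [service names])} from `tasklist /svc` output."""
    procs = {}
    last_pid = None
    row = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")  # image, PID, service list
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        m = row.match(line)
        if m:
            image, pid, svcs = m.group(1), int(m.group(2)), m.group(3)
            names = [] if svcs.strip() == "N/A" else [
                s for s in (x.strip() for x in svcs.split(",")) if s]
            procs[pid] = (image, names)
            last_pid = pid
        elif line.startswith(" ") and last_pid is not None:
            # Indented continuation line: more services for the previous row.
            procs[last_pid][1].extend(
                s for s in (x.strip() for x in line.split(",")) if s)
    return procs


def identify_port_owner(proto, port, netstat_text, tasklist_text):
    """Resolve a (proto, local port) pair taken from a capture to its process."""
    pid = parse_netstat(netstat_text).get((proto, port))
    if pid is None:
        return None  # socket already closed; short-lived UDP query sockets often are
    image, services = parse_tasklist_svc(tasklist_text).get(pid, ("<unknown>", []))
    return {"pid": pid, "image": image, "services": services}


if __name__ == "__main__":
    # 1026 is the UDP source port read from the DNS query in Wireshark.
    print(identify_port_owner("UDP", 1026, NETSTAT_SAMPLE, TASKLIST_SAMPLE))
```

Two practical notes. Run `netstat -ano` in a tight loop (or while the query is repeating) because a resolver's UDP socket lives only for the duration of one query, so a single snapshot is easy to miss. And when the answer comes back as svchost.exe hosting Dnscache, as it did for Bob, the socket belongs to the DNS Client service, which issues queries on behalf of whatever program called the resolver; the port-to-PID mapping bottoms out there, which is why the per-process tools Jim lists next (TDIMon, Process Explorer) or stopping candidate services are needed to find the originating application.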
________________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bob Frottner
Sent: Saturday, October 28, 2006 3:11 PM
To: wireshark-users@wireshark.org
Subject: [Wireshark-users] How to find the application sending a name request?
Hi,
I have no experience in network analysis. However, there is a network problem
here and I think I have found it using Wireshark: Some Windows application or
service is sending name queries asking for a server which has been removed from
the net.
Now my question: How can I find out which application or service within Windows
is sending those name queries? That must be trackable somehow but I have no
idea how...
It would be great if somebody could give me help on this!
Thanks,
Bob
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users