PaulDotCom mailing list archives
Re: PCAP file "per-running-process"
From: allison nixon <elsakoo () gmail com>
Date: Tue, 12 Mar 2013 03:53:50 -0400
So I've been playing with Process Monitor lately and it's a pretty nifty tool: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

It logs everything that's going on in Windows. I'm not familiar enough with Windows internals to know at what layer this operates, but one particular kind of log entry would interest you: any time a connection is made it logs the process, and the src/dest IP and src/dest ports. You could run a packet capture and link each packet with the process that generated it.

Carbon Black is another tool I've been messing with, and it also links network connections to the originating process, and presents the data better than Process Monitor.

I don't see any easy solution for this problem, but it looks like there's some sort of event stream within Windows that you can hook into to provide the connection <-> process info; then you'll have to correlate it with your packet capture.

On Tue, Mar 12, 2013 at 1:03 AM, Sherif El-Deeb <archeldeeb () gmail com> wrote:
Wow! Ephemeral ports! That was quick and dirty :)

The downside of your approach is that:

1) It is "ephemeral port" based, not "process based" ... allow me to demonstrate: iexplorer.exe communicated to google.com:80 using "ephemeral port: 12345", got what it was looking for, connection FIN, 12345 traffic does not belong to iexplorer.exe anymore... another process runs ... and used 12345, we have a problem. "I know this is a low possibility, and I know that I may use the process:port pair as the filename to avoid confusion, but I hope you got my point."

2) We have to keep an infinite loop running to iterate through "netstat" and parse results, then start tcpdump for each new ephemeral port ("one process may be communicating to many hosts"), then keep track of the spawned tcpdump(s) so they may be killed when the "communicating-process-specific-ephemeral-port" ends communications. This is guaranteed to kill all the cores the box has ("it's not only the loop"), and will *surely* miss lots of stuff since the loop might not be quick enough, needless to say that mergecap-ing is going to be messy.

3) Fire-and-forget outbound UDP traffic?

I'm glad you had fun ;) I definitely appreciated your idea of utilizing ephemeral ports "thank you", but I will keep looking for something "truly" process oriented that is guaranteed to not miss anything "I don't mind 100% CPU".

Regards,
Sherif.

On Tue, Mar 12, 2013 at 7:18 AM, Hans Kokx <skipmeister123 () gmail com> wrote:

This sounded like an interesting challenge, so I whipped something together that seems to work. Maybe it's what you're looking for, or maybe not.

So, the idea I came up with is relatively simple: each process is going to open an ephemeral port to connect to the known port of the service. Let's take, for example, a simple SOCKS5 proxy I've tossed together over SSH:

    nohup ssh -D 8000 -C -N me () myhost com >/dev/null 2>&1 &

I typically use this everywhere that's not at home, and push ALL my traffic through it. Hey, security.

Anywho, on my Mac, I was able to find the ephemeral port that it was using:

    $ netstat -ntl|grep 192.168.1.5|grep 22
    tcp4       0      0  192.168.1.156.61697    192.168.1.5.22         ESTABLISHED

Now we've got an ephemeral port to work with. Some clever awk- and sed-foo and you can grab JUST that port. Capturing the traffic is simple enough....

    $ tcpdump src port 61697

So, we've got the traffic for this individual socket, but who does it belong to?

    $ sudo lsof -i 4tcp:61697
    Password:
    COMMAND   PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
    ssh     17878 hkokx    3u  IPv4 0x225a0a58298b9315      0t0  TCP 192.168.1.156:61697->myhost.com:ssh (ESTABLISHED)

There's your pid and process name. This was fun. Thanks for the challenge. :)

--
Hans Kokx

On Tuesday, March 12, 2013 at 12:03 AM, Sherif El-Deeb wrote:

I have been trying to figure out a way to "capture/filter" network traffic per process, not per host/interface, in a Windows environment ("even though I'd be curious to know how that could be done in *n?x/OS X"). What I want to achieve is to create a PCAP file for each process id that was executed and communicated over the network. Help, please.

Thanks and regards,
Sherif.

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
--
_________________________________
Note to self: Pillage BEFORE burning.
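As an added illustration (not code from anyone in the thread) of the correlation step allison describes, and of the port-reuse problem Sherif raises in point 1: assuming a connection log with Process Monitor-style TCP Connect/TCP Disconnect events (format simplified and the entries constructed here) and per-packet summaries from a capture, each packet is matched to its owning process by address pair and time window, so a reused ephemeral port is attributed to whichever process held it at the time.

```python
from collections import defaultdict

# Constructed connection log in the style of Process Monitor's TCP Connect /
# TCP Disconnect events (simplified, not real Procmon output):
# (time, pid, process, operation, local "ip:port", remote "ip:port").
# Port 12345 is reused by a second process after the first disconnects.
CONN_EVENTS = [
    (10.0, 1234, "iexplore.exe", "TCP Connect",    "192.168.1.156:12345", "93.184.216.34:80"),
    (12.0, 1234, "iexplore.exe", "TCP Disconnect", "192.168.1.156:12345", "93.184.216.34:80"),
    (13.0, 5678, "updater.exe",  "TCP Connect",    "192.168.1.156:12345", "93.184.216.34:80"),
    (15.0, 5678, "updater.exe",  "TCP Disconnect", "192.168.1.156:12345", "93.184.216.34:80"),
]

# Constructed packet summaries as a capture tool would report them:
# (time, src ip, src port, dst ip, dst port, length).
PACKETS = [
    (10.1, "192.168.1.156", 12345, "93.184.216.34", 80, 74),
    (10.2, "93.184.216.34", 80, "192.168.1.156", 12345, 1460),
    (13.5, "192.168.1.156", 12345, "93.184.216.34", 80, 74),
    (14.0, "192.168.1.156", 40000, "8.8.8.8", 53, 60),  # no owner in the log
]

def build_flows(events):
    """Pair Connect/Disconnect events into (local, remote) -> [(start, end, pid)]."""
    flows, open_conns = defaultdict(list), {}
    for t, pid, _proc, op, local, remote in sorted(events):
        key = (local, remote)
        if op == "TCP Connect":
            open_conns[key] = (t, pid)
        elif op == "TCP Disconnect" and key in open_conns:
            start, pid = open_conns.pop(key)
            flows[key].append((start, t, pid))
    for key, (start, pid) in open_conns.items():   # still open when the log ended
        flows[key].append((start, float("inf"), pid))
    return flows

def attribute(packets, flows):
    """Return {pid: [packets]}; packets no logged connection owns go to 'unattributed'."""
    out = defaultdict(list)
    for pkt in packets:
        t, src, sport, dst, dport, _ = pkt
        # A flow matches in either direction; the time window resolves port reuse.
        keys = ((f"{src}:{sport}", f"{dst}:{dport}"), (f"{dst}:{dport}", f"{src}:{sport}"))
        owner = next((pid for k in keys for s, e, pid in flows.get(k, ()) if s <= t <= e), None)
        out[owner if owner is not None else "unattributed"].append(pkt)
    return dict(out)

def split_by_process(packets=PACKETS, events=CONN_EVENTS):
    return attribute(packets, build_flows(events))
```

Each per-pid list can then be written out as its own pcap, and the 'unattributed' bucket shows where the connection log missed something (fire-and-forget UDP, for instance).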
Current thread:
- PCAP file "per-running-process" Sherif El-Deeb (Mar 11)
- Re: PCAP file "per-running-process" Hans Kokx (Mar 11)
- Re: PCAP file "per-running-process" Sherif El-Deeb (Mar 11)
- Re: PCAP file "per-running-process" allison nixon (Mar 12)
- Re: PCAP file "per-running-process" Carlos Perez (Mar 12)
- Re: PCAP file "per-running-process" Sherif El-Deeb (Mar 11)
- Re: PCAP file "per-running-process" Robin Wood (Mar 12)
- Re: PCAP file "per-running-process" Hans Kokx (Mar 12)
- Re: PCAP file "per-running-process" Jim Halfpenny (Mar 12)
- Re: PCAP file "per-running-process" Sandro Gauci (Mar 12)
- Re: PCAP file "per-running-process" Sherif El-Deeb (Mar 13)
- Re: PCAP file "per-running-process" allison nixon (Mar 13)
- Re: PCAP file "per-running-process" Frank McClain (Mar 13)
- Re: PCAP file "per-running-process" Hans Kokx (Mar 11)