PaulDotCom mailing list archives
Re: PCAP file "per-running-process"
From: Frank McClain <frank.mc.42 () gmail com>
Date: Wed, 13 Mar 2013 14:59:04 -0500
Don't know how far down that road it goes, but along the lines of CarbonBlack is Immunity's El Jefe (open source).

Frank
Frank McClain

On Wed, Mar 13, 2013 at 2:28 PM, allison nixon <elsakoo () gmail com> wrote:

no problem. i think your procmon problem might be solved if you use carbon black. i remember the outputs contain unresolved ip addresses, port number, and protocol (tcp/udp). it has a 30 day free trial.

--
_________________________________
Note to self: Pillage BEFORE burning.

On Wed, Mar 13, 2013 at 2:51 PM, Sherif El-Deeb <archeldeeb () gmail com> wrote:

- So far the closest thing to what I am looking for is Microsoft Network Monitor "Thank you Carlos!", it tries its best to figure out the application name ... tries its best, but it is NOT accurate due to the way the developers decided to achieve this feature "take snapshot of network connections on specific time intervals", this will lead to missing short-lived processes/connections, please read this post if you are interested in the details:
http://social.technet.microsoft.com/Forums/en-US/netmon/thread/aa1d0602-edbf-4679-a090-67d6d6fd04ee

If we are fine with that, we can create a list of running processes then do something like (for each running process) do:

    nmcap /network * /capture "Conversation.ProcessName == 'ProcessName.exe'" /File D:\ProcessName.cap /CaptureProcesses

and call it a day. Thank you Carlos, yet again.

- When Allison mentioned Carbon Black and procmon ... it suddenly came to me, there's no need to do it "live", my (alternative) approach will be as follows:
* Capture ALL traffic using dumpcap/tshark "nothing will be ever missed"
* Record all network activity using procmon "nothing will be ever missed"
* export procmon log as CSV
* parse CSV file, get unique process names, ports, hosts, timestamps ...etc. per process
* Use tshark to read the full PCAP then create a new file using a "-R" filter prepared with some CLKF using the parsed info from the CSV file

and since both procmon and tshark are running on the same box, there should be no discrepancies between timestamps "right?"

The problem(s) I currently have are the following:
- I can't find a way to make ProcMon *NOT* resolve IP addresses and ports to services "443->HTTPS" (!)
- I can't find a way to make ProcMon export date AND time ... not only time. "that's more of an annoyance than a problem"

Thank you guys "+ Allison Nixon", If I reached something mature enough will ping the list with the update.

Best regards,
Sherif.

On Tue, Mar 12, 2013 at 8:22 PM, Sandro Gauci <sandro () enablesecurity com> wrote:

On OSX, Little Snitch (commercial desktop firewall) can dump pcaps for selected processes. Only tried it once myself (and I'm not an active Little Snitch user) but it seems pretty cool and similar to what you're asking for:
http://www.chrisle.me/2012/11/little-snitchs-hidden-pcap-network-sniffer/

Sandro Gauci
Penetration tester and security researcher
Email: sandro () enablesecurity com
Web: http://enablesecurity.com/
PGP: 8028 D017 2207 1786 6403 CD45 2B02 CBFE 9549 3C0C

On Tue, Mar 12, 2013 at 1:28 PM, Jim Halfpenny <jim.halfpenny () gmail com> wrote:

Hi,
Slightly off topic but a useful feature of iptables on Linux is the ability to filter traffic by user. The link below gives an example of how to block traffic for a particular user.
http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html
Another great option is --tee which can copy traffic based on whatever rules you apply.
http://www.bjou.de/blog/2008/05/howto-copyteeclone-network-traffic-using-iptables/
So if you wanted to record on a per-user basis on Linux (useful for service/daemon users) you could use ipt_user and tee functions to mirror that traffic and tcpdump it out there or just use ipt_user to log flows. Not entirely relevant but I hope it's useful.

Regards,
Jim

On 12 March 2013 11:54, Hans Kokx <skipmeister123 () gmail com> wrote:

If you add the p parameter to netstat it gives you the process id associated with the connection.

In Linux, yeah. Mac doesn't support -p though. :(

--
Hans Kokx

On Tuesday, March 12, 2013 at 3:32 AM, Robin Wood wrote:

On Mar 12, 2013 4:20 AM, "Hans Kokx" <skipmeister123 () gmail com> wrote:

This sounded like an interesting challenge, so I whipped something together that seems to work. Maybe it's what you're looking for, or maybe not.

So, the idea I came up with is relatively simple: each process is going to open an ephemeral port to connect to the known port of the service. Let's take, for example, a simple SOCKS5 proxy I've tossed together over SSH:

    nohup ssh -D 8000 -C -N me () myhost com >/dev/null 2>&1 &

I typically use this everywhere that's not at home, and push ALL my traffic through it. Hey, security.

Anywho, on my mac, I was able to find the ephemeral port that it was using:

    $ netstat -ntl|grep 192.168.1.5|grep 22
    tcp4       0      0  192.168.1.156.61697    192.168.1.5.22         ESTABLISHED

Now we've got an ephemeral port to work with. Some clever awk- and sed- foo and you can grab JUST that port. Capturing the traffic is simple enough....

    $ tcpdump src port 61697

So, we've got the traffic for this individual socket, but who does it belong to?

    $ sudo lsof -i 4tcp:61697
    Password:
    COMMAND   PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
    ssh     17878  hkokx    3u  IPv4 0x225a0a58298b9315      0t0  TCP 192.168.1.156:61697->myhost.com:ssh (ESTABLISHED)

There's your pid and process name.

If you add the p parameter to netstat it gives you the process id associated with the connection.

Robin

This was fun. Thanks for the challenge. :)

--
Hans Kokx

On Tuesday, March 12, 2013 at 12:03 AM, Sherif El-Deeb wrote:

I have been trying to figure out a way to "capture/filter" network traffic per process, not per host/interface in a windows environment "even though I'd be curious to know how that could be done in *n?x/OSX". What I want to achieve is create a PCAP file for each process id that was executed and communicated over the network.

help, please.

Thanks and regards,
Sherif.

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
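The offline approach Sherif sketches above (capture everything with dumpcap, record network activity with Procmon, export the log as CSV, then carve one PCAP per process out of the full capture with a tshark filter), carried through as an added example that is not part of the thread or of any poster's code. The script parses a Procmon-style CSV export, groups the network events by process name and PID, undoes the service-name resolution Sherif complains about ("https" back to 443) with a small lookup table, and emits one tshark command per process. The CSV column layout, the "local:port -> remote:port" Path format, the operation names, the SERVICE_PORTS table and the sample rows are all assumptions made for this example; the rows are constructed, not real capture data.

```python
"""Per-process tshark filters from a Procmon CSV export (added example).

Assumptions (not from the thread): Procmon's CSV columns are
"Time of Day","Process Name","PID","Operation","Path","Result","Detail";
network operations are named "TCP Connect", "TCP Send", "UDP Send", ...;
and Path reads "localhost:port -> remotehost:port", where Procmon may have
replaced a port number with a service name such as "https".
"""
import csv
import io
import ipaddress
import socket
from collections import defaultdict

# Constructed sample export; these rows are not real capture data.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"2:51:07.1234567 PM","chrome.exe","4120","TCP Connect","WIN7:49312 -> 93.184.216.34:https","SUCCESS","Length: 0, mss: 1460"
"2:51:07.2000000 PM","chrome.exe","4120","TCP Send","WIN7:49312 -> 93.184.216.34:https","SUCCESS","Length: 517"
"2:51:08.0000000 PM","svchost.exe","1008","UDP Send","WIN7:54000 -> 8.8.8.8:domain","SUCCESS","Length: 40"
"2:51:09.5000000 PM","beacon.exe","6666","TCP Connect","WIN7:49400 -> 198.51.100.7:4444","SUCCESS","Length: 0"
"2:51:09.6000000 PM","beacon.exe","6666","RegQueryValue","HKLM\\SOFTWARE\\Policies","SUCCESS","Type: REG_SZ"
"2:51:10.0000000 PM","chrome.exe","4120","TCP Disconnect","WIN7:49312 -> 93.184.216.34:https","SUCCESS","Length: 0"
"""

# Service names Procmon substitutes for well-known ports; undo the resolution.
# Small fixed table first (assumed for this example), OS services database as fallback.
SERVICE_PORTS = {"http": 80, "https": 443, "domain": 53, "ssh": 22, "smb": 445}


def port_number(token: str) -> int:
    """Turn '443' or 'https' back into an integer port."""
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    try:
        return socket.getservbyname(token)
    except OSError as exc:
        raise ValueError(f"unknown service name {token!r}") from exc


def parse_endpoint(endpoint: str):
    """'93.184.216.34:https' -> ('93.184.216.34', 443)."""
    host, _, port = endpoint.rpartition(":")
    return host, port_number(port)


def parse_path(path: str):
    """Split Procmon's 'local -> remote' Path into two (host, port) endpoints."""
    local, remote = path.split(" -> ")
    return parse_endpoint(local), parse_endpoint(remote)


def flows_by_process(csv_text: str):
    """Map (process name, pid) -> set of (proto, local port, remote host, remote port)."""
    flows = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        operation = row["Operation"]
        if not operation.startswith(("TCP ", "UDP ")):
            continue  # file, registry and process events are not network traffic
        proto = operation[:3].lower()
        (_, lport), (rhost, rport) = parse_path(row["Path"])
        flows[(row["Process Name"], int(row["PID"]))].add((proto, lport, rhost, rport))
    return dict(flows)


def display_filter(flow_set) -> str:
    """Build a tshark display filter matching both directions of every flow."""
    clauses = []
    for proto, lport, rhost, rport in sorted(flow_set):
        try:
            field = "ipv6.addr" if ipaddress.ip_address(rhost).version == 6 else "ip.addr"
            host_clause = f"{field} == {rhost} && "
        except ValueError:
            host_clause = ""  # Procmon resolved the host to a name; match on ports only
        clauses.append(f"({host_clause}{proto}.port == {lport} && {proto}.port == {rport})")
    return " || ".join(clauses)


def tshark_commands(csv_text: str, pcap: str = "all.pcap") -> dict:
    """One tshark invocation per process, writing <name>_<pid>.pcap from the full capture."""
    return {
        f"{name}_{pid}": f'tshark -r {pcap} -Y "{display_filter(flow_set)}" -w {name}_{pid}.pcap'
        for (name, pid), flow_set in flows_by_process(csv_text).items()
    }


if __name__ == "__main__":
    for command in tshark_commands(SAMPLE_CSV).values():
        print(command)
```

Two caveats a practitioner will hit. Current tshark takes the display filter with -Y (the -R flag Sherif mentions is the older spelling and now needs -2 for a two-pass run). And because Procmon's "Time of Day" column carries no date, the filter keys only on the address/port tuple, so an ephemeral port reused by another process later in the same capture would be carved into the wrong file; if the log did include full timestamps, adding a frame.time range per flow would close that gap.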
Current thread:
- Re: PCAP file "per-running-process", (continued)
- Re: PCAP file "per-running-process" Hans Kokx (Mar 11)
- Re: PCAP file "per-running-process" Sherif El-Deeb (Mar 11)
- Re: PCAP file "per-running-process" allison nixon (Mar 12)
- Re: PCAP file "per-running-process" Carlos Perez (Mar 12)
- Re: PCAP file "per-running-process" Sherif El-Deeb (Mar 11)
- Re: PCAP file "per-running-process" Robin Wood (Mar 12)
- Re: PCAP file "per-running-process" Hans Kokx (Mar 12)
- Re: PCAP file "per-running-process" Jim Halfpenny (Mar 12)
- Re: PCAP file "per-running-process" Sandro Gauci (Mar 12)
- Re: PCAP file "per-running-process" Sherif El-Deeb (Mar 13)
- Re: PCAP file "per-running-process" allison nixon (Mar 13)
- Re: PCAP file "per-running-process" Frank McClain (Mar 13)
- Re: PCAP file "per-running-process" Hans Kokx (Mar 11)