Re: PCAP file "per-running-process"

[Frank McClain <frank.mc.42 () gmail com>]

Don't know how far down that road it goes, but along the lines of
CarbonBlack is Immunity's El Jefe (open source).

Frank



Frank McClain


On Wed, Mar 13, 2013 at 2:28 PM, allison nixon <elsakoo () gmail com> wrote:

> no problem.  i think your procmon problem might be solved if you use
> carbon black.  i remember the outputs contain unresolved ip addresses, port
> number, and protocol(tcp/udp).  it has a 30 day free trial.
>
>
> On Wed, Mar 13, 2013 at 2:51 PM, Sherif El-Deeb <archeldeeb () gmail com>wrote:
>
> > - So far the closest thing to what I am looking for is Microsoft
> > Network Monitor "Thank you Carlos!", it tries its best to figure out
> > the application name ... tries its best, but it is NOT accurate due to
> > the way the developers decided to achieve this feature "take snapshot
> > of network connections on specific time intervals", this will lead to
> > missing short-lived processes/connections,  please read this post if
> > you are interested in the details:
> >
> > http://social.technet.microsoft.com/Forums/en-US/netmon/thread/aa1d0602-edbf-4679-a090-67d6d6fd04ee
> >
> > If we are fine with that, we can create a list of running processes
> > then do something like (for each running process) do (nmcap /network *
> > /capture "Conversation.ProcessName == 'ProcessName.exe'" /File
> > D:\ProcessName.cap /CaptureProcesses") and call it a day.
> >
> > Thank you Carlos, yet again.
> >
> > - When Allison mentioned Carbon Black and procmon ... it suddenly came
> > to me, there's no need to do it "live", my (alternative) approach will
> > be as follows:
> > * Capture ALL traffic using dumpcap/tshark "nothing will be ever missed"
> > * Record all network activity using procmon "nothing will be ever missed"
> > * export procmon log as CSV
> > * parse CSV file, get unique process names, ports, hosts, timestamps
> > ...etc. per process
> > * Use tshark to read the full PCAP then create a new file using a "-R"
> > filter prepared with some CLKF using the parsed info from the CSV file
> > and since both procmon and tshark are running on the same box, there
> > should be no discrepancies between timestamps "right?"
> >
> > The proplem(s) I currently have are the following:
> > - I can't find  a way to make ProcMon *NOT* resolve IP addresses and
> > ports to services "443->HTTPS" (!)
> > - I can't find  a way to make ProcMon export date AND time ... not
> > only time. "that's more of an annoyance than a problem"
> >
> > Thank you guys "+ Allison Nixon", If I reached something mature enough
> > will ping the list with the update.
> > Best regards,
> > Sherif.
> >
> > On Tue, Mar 12, 2013 at 8:22 PM, Sandro Gauci <sandro () enablesecurity com>
> > wrote:
> > > On OSX, Little Snitch (commercial desktop firewall) can dump pcaps for
> > > selected processes. Only tried it once myself (and I'm not an active
> > little
> > > snitch user) but it seems pretty cool and similar to what you're asking
> > for:
> > >
> > http://www.chrisle.me/2012/11/little-snitchs-hidden-pcap-network-sniffer/
> > > Sandro Gauci
> > > Penetration tester and security researcher
> > > Email: sandro () enablesecurity com
> > > Web: http://enablesecurity.com/
> > > PGP: 8028 D017 2207 1786 6403  CD45 2B02 CBFE 9549 3C0C
> > >
> > >
> > > On Tue, Mar 12, 2013 at 1:28 PM, Jim Halfpenny <jim.halfpenny () gmail com
> > >
> > > wrote:
> > > > Hi,
> > > > Slightly off topic but a useful feature of iptables on Linux is the
> > > > ability to filter traffic by user. The link below gives an example of
> > how to
> > > > block traffic for a particular user.
> > http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html
> > > > Another great option is --tee which can copy traffic based on whatever
> > > > rules you apply.
> > http://www.bjou.de/blog/2008/05/howto-copyteeclone-network-traffic-using-iptables/
> > > > So if you wanted to record on a per-user basis on Linux (useful for
> > > > service/daemon users) you could user ipt_user and tee functions to
> > mirror
> > > > that traffic and tcpdump it out there or just use ipt_user to log
> > flows. Not
> > > > entirely relevant but I hope it's useful.
> > > >
> > > > Regards,
> > > > Jim
> > > >
> > > > On 12 March 2013 11:54, Hans Kokx <skipmeister123 () gmail com> wrote:
> > > > > > If you add the p parameter to netstat it gives you the process id
> > > > > > associated with the connection.
> > > > >
> > > > > In Linux, yeah. Mac doesn't support -p though. :(
> > > > >
> > > > > --
> > > > > Hans Kokx
> > > > >
> > > > > On Tuesday, March 12, 2013 at 3:32 AM, Robin Wood wrote:
> > > > >
> > > > >
> > > > > On Mar 12, 2013 4:20 AM, "Hans Kokx" <skipmeister123 () gmail com>
> > wrote:
> > > > > > This sounded like an interesting challenge, so I whipped something
> > > > > > together that seems to work.  Maybe it's what you're looking for,
> > or maybe
> > > > > > not.
> > > > > >
> > > > > > So, the idea I came up with is relatively simple: each process is
> > going
> > > > > > to open an ephemeral port to connect to the known port of the
> > service.
> > > > > > Let's take, for example, a simple SOCKS5 proxy I've tossed together
> > over
> > > > > > SSH:
> > > > > >
> > > > > > nohup ssh -D 8000 -C -N me () myhost com >/dev/null 2>&1 &
> > > > > >
> > > > > > I typically use this everywhere that's not at home, and push ALL my
> > > > > > traffic through it. Hey, security.
> > > > > >
> > > > > > Anywho, on my mac, I was able to find the ephemeral port that it was
> > > > > > using:
> > > > > >
> > > > > > $ netstat -ntl|grep 192.168.1.5|grep 22
> > > > > > tcp4       0      0  192.168.1.156.61697    192.168.1.5.22
> > > > > > ESTABLISHED
> > > > > >
> > > > > > Now we've got an ephemeral port to work with.  Some clever awk- and
> > > > > > sed- foo and you can grab JUST that port.
> > > > > >
> > > > > > Capturing the traffic is simple enough….
> > > > > >
> > > > > > $ tcpdump src port 61697
> > > > > >
> > > > > > So, we've got the traffic for this individual socket, but who does
> > it
> > > > > > belong to?
> > > > > >
> > > > > > $ sudo lsof -i 4tcp:61697
> > > > > > Password:
> > > > > > COMMAND   PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE
> > NAME
> > > > > > ssh     17878 hkokx    3u  IPv4 0x225a0a58298b9315      0t0  TCP
> > > > > > 192.168.1.156:61697->myhost.com:ssh (ESTABLISHED)
> > > > > >
> > > > > > There's your pid and process name.
> > > > >
> > > > > If you add the p parameter to netstat it gives you the process id
> > > > > associated with the connection.
> > > > >
> > > > > Robin
> > > > >
> > > > > > This was fun. Thanks for the challenge. :)
> > > > > > --
> > > > > > Hans Kokx
> > > > > >
> > > > > > On Tuesday, March 12, 2013 at 12:03 AM, Sherif El-Deeb wrote:
> > > > > > > I have been trying to figure out a way to "capture/filter" network
> > > > > > > traffic per process, not per host/interface in a windows
> > environment
> > > > > > > "even though I'd be curious to know how that could be done in
> > *n?x/OS
> > > > > > > X" .
> > > > > > >
> > > > > > > What I want to achieve is create a PCAP file for each process id
> > that
> > > > > > > was executed and communicated over the network.
> > > > > > >
> > > > > > > help, please.
> > > > > > > Thanks and regards,
> > > > > > >
> > > > > > > Sherif.
> > > > > > > _______________________________________________
> > > > > > > Pauldotcom mailing list
> > > > > > > Pauldotcom () mail pauldotcom com
> > > > > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > > > > Main Web Site: http://pauldotcom.com
> > > > > >
> > > > > >
> > > > > >
> > > > > > _______________________________________________
> > > > > > Pauldotcom mailing list
> > > > > > Pauldotcom () mail pauldotcom com
> > > > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > > > Main Web Site: http://pauldotcom.com
> > > > >
> > > > > _______________________________________________
> > > > > Pauldotcom mailing list
> > > > > Pauldotcom () mail pauldotcom com
> > > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > > Main Web Site: http://pauldotcom.com
> > > > >
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Pauldotcom mailing list
> > > > > Pauldotcom () mail pauldotcom com
> > > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > > Main Web Site: http://pauldotcom.com
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > Pauldotcom mailing list
> > > > Pauldotcom () mail pauldotcom com
> > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > Main Web Site: http://pauldotcom.com
> > >
> > >
> > >
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom () mail pauldotcom com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom () mail pauldotcom com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
>
>
> --
> _________________________________
> Note to self: Pillage BEFORE burning.
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com