PaulDotCom mailing list archives

Re: PCAP file "per-running-process"


From: Carlos Perez <carlos_perez () darkoperator com>
Date: Tue, 12 Mar 2013 06:59:40 -0400

In Windows you can use http://www.microsoft.com/en-us/download/details.aspx?id=4865 to look at traffic by process. On a *nix system I do not know of a tool that allows it.
Sent from my iPhone

On Mar 12, 2013, at 3:53 AM, allison nixon <elsakoo () gmail com> wrote:

So I've been playing with Process Monitor lately and it's a pretty nifty tool:
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

It logs everything that's going on in Windows. I'm not familiar enough with Windows internals to know at what layer this operates, but one particular kind of log entry would interest you: any time a connection is made it logs the process and the src/dest IP and src/dest ports. You could run a packet capture and link each packet with the process that generated it. Carbon Black is another tool I've been messing with, and it also links network connections to the originating process, and presents the data better than Process Monitor.

I don't see any easy solution for this problem, but it looks like there's some sort of event stream within Windows that you can hook into to provide the connection <-> process info; then you'll have to correlate it with your packet capture.

On Tue, Mar 12, 2013 at 1:03 AM, Sherif El-Deeb <archeldeeb () gmail com> wrote:
Wow! Ephemeral ports! That was quick and dirty :)

The downside of your approach is that:
1) It is "ephemeral port" based, not "process based" ... allow me to demonstrate:
 - iexplorer.exe communicated with google.com:80 using "ephemeral port: 12345", got what it was looking for, and the connection was FINed; traffic on 12345 does not belong to iexplorer.exe anymore. Another process runs ... and uses 12345; we have a problem. "I know this is a low possibility, and I know that I may use the process:port pair as the filename to avoid confusion, but I hope you got my point."

2) We have to keep an infinite loop running to iterate through "netstat" and parse the results, then start tcpdump for each new ephemeral port "one process may be communicating with many hosts", then keep track of the spawned tcpdump(s) so they may be killed when the "communicating-process-specific ephemeral port" ends communications. This is guaranteed to kill all the cores the box has "it's not only the loop", and will *surely* miss lots of stuff since the loop might not be quick enough; needless to say, mergecap-ing is going to be messy.

3) Fire-and-forget outbound UDP traffic?

I'm glad you had fun ;) I definitely appreciated your idea of utilizing ephemeral ports "thank you", but I will keep looking for something "truly" process oriented that is guaranteed not to miss anything "I don't mind 100% CPU".

Regards,
Sherif.

On Tue, Mar 12, 2013 at 7:18 AM, Hans Kokx <skipmeister123 () gmail com> wrote:
This sounded like an interesting challenge, so I whipped something together
that seems to work.  Maybe it's what you're looking for, or maybe not.

So, the idea I came up with is relatively simple: each process is going to
open an ephemeral port to connect to the known port of the service.  Let's
take, for example, a simple SOCKS5 proxy I've tossed together over SSH:

nohup ssh -D 8000 -C -N me@myhost.com >/dev/null 2>&1 &

I typically use this everywhere that's not at home, and push ALL my traffic
through it. Hey, security.

Anywho, on my Mac, I was able to find the ephemeral port that it was using:

$ netstat -ntl|grep 192.168.1.5|grep 22
tcp4       0      0  192.168.1.156.61697    192.168.1.5.22         ESTABLISHED

Now we've got an ephemeral port to work with. Some clever awk- and sed-foo and you can grab JUST that port.

Capturing the traffic is simple enough….

$ tcpdump src port 61697

So, we've got the traffic for this individual socket, but who does it belong
to?

$ sudo lsof -i 4tcp:61697
Password:
COMMAND   PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ssh     17878 hkokx    3u  IPv4 0x225a0a58298b9315      0t0  TCP 192.168.1.156:61697->myhost.com:ssh (ESTABLISHED)

There's your pid and process name.

This was fun. Thanks for the challenge. :)
--
Hans Kokx

On Tuesday, March 12, 2013 at 12:03 AM, Sherif El-Deeb wrote:

I have been trying to figure out a way to "capture/filter" network traffic per process, not per host/interface, in a Windows environment "even though I'd be curious to know how that could be done in *n?x/OS X".

What I want to achieve is to create a PCAP file for each process ID that was executed and communicated over the network.

Help, please.
Thanks and regards,

Sherif.
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com






-- 
_________________________________
Note to self: Pillage BEFORE burning.
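Editor's added example, not code posted by anyone in this thread. It does the correlation Allison describes (a process-aware connection log, such as Process Monitor's TCP Connect/TCP Disconnect rows or a polled lsof/netstat listing, joined against a packet capture) and produces the per-PID pcap files Sherif asked for. Connection lifetimes are matched as time intervals rather than by port alone, so an ephemeral port later reused by a different process (Sherif's first objection) is attributed to the right process. The local address, the clock slack, the DLT_USER0 link type for the bare payloads, and every event and packet below are constructed assumptions for the demonstration.

```python
"""Correlate captured packets with the process that owned the socket, then
write one pcap per (pid, process). Constructed input only; nothing here reads
a live capture or queries the OS."""
import os
import struct
from collections import defaultdict
from dataclasses import dataclass

LOCAL_IP = "192.168.1.156"   # assumed address of the monitored host
SLACK = 0.5                  # assumed tolerance (s) between log and capture clocks
DLT_USER0 = 147              # pcap link type used for bare constructed payloads


@dataclass(frozen=True)
class ConnEvent:
    ts: float          # epoch seconds
    pid: int
    proc: str
    lport: int         # local (ephemeral) port
    raddr: str
    rport: int
    kind: str          # "connect" or "disconnect"


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def build_intervals(events):
    """Map (lport, raddr, rport) -> [(t_open, t_close, pid, proc)].
    A connection still open when the log ends gets t_close = +inf."""
    open_socks = {}
    intervals = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.lport, ev.raddr, ev.rport)
        if ev.kind == "connect":
            open_socks[key] = ev
        elif ev.kind == "disconnect" and key in open_socks:
            start = open_socks.pop(key)
            intervals[key].append((start.ts, ev.ts, start.pid, start.proc))
    for key, start in open_socks.items():
        intervals[key].append((start.ts, float("inf"), start.pid, start.proc))
    return intervals


def owner_of(pkt, intervals, slack=SLACK):
    """Return (pid, proc) of the socket that held pkt's flow at pkt.ts, else None."""
    # Normalise direction so the local end always supplies the lookup key.
    if pkt.src == LOCAL_IP:
        key = (pkt.sport, pkt.dst, pkt.dport)
    else:
        key = (pkt.dport, pkt.src, pkt.sport)
    for t_open, t_close, pid, proc in intervals.get(key, []):
        if t_open - slack <= pkt.ts <= t_close + slack:
            return (pid, proc)
    return None


def split_by_process(packets, events):
    """Group packets by owning (pid, proc); packets with no log match go under None."""
    intervals = build_intervals(events)
    groups = defaultdict(list)
    for pkt in packets:
        groups[owner_of(pkt, intervals)].append(pkt)
    return dict(groups)


def to_pcap(packets):
    """Serialise packets as a classic little-endian pcap (v2.4) byte string."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_USER0)]
    for pkt in packets:
        sec, usec = int(pkt.ts), int((pkt.ts - int(pkt.ts)) * 1_000_000)
        out.append(struct.pack("<IIII", sec, usec, len(pkt.payload), len(pkt.payload)))
        out.append(pkt.payload)
    return b"".join(out)


def write_per_process_pcaps(groups, outdir):
    """Write <pid>_<proc>.pcap per owner (unattributed.pcap for None); return paths."""
    os.makedirs(outdir, exist_ok=True)
    paths = {}
    for owner, pkts in groups.items():
        name = "unattributed" if owner is None else f"{owner[0]}_{owner[1]}"
        paths[owner] = os.path.join(outdir, f"{name}.pcap")
        with open(paths[owner], "wb") as fh:
            fh.write(to_pcap(pkts))
    return paths


# Constructed sample: port 12345 is used by PID 1234, closed, then reused by PID 5678.
EVENTS = [
    ConnEvent(1.0, 1234, "iexplore.exe", 12345, "93.184.216.34", 80, "connect"),
    ConnEvent(3.0, 1234, "iexplore.exe", 12345, "93.184.216.34", 80, "disconnect"),
    ConnEvent(10.0, 5678, "curl.exe", 12345, "93.184.216.34", 80, "connect"),
]
PACKETS = [
    Packet(2.0, LOCAL_IP, 12345, "93.184.216.34", 80, b"GET / HTTP/1.1\r\n\r\n"),
    Packet(2.5, "93.184.216.34", 80, LOCAL_IP, 12345, b"HTTP/1.1 200 OK\r\n\r\n"),
    Packet(11.0, LOCAL_IP, 12345, "93.184.216.34", 80, b"GET /x HTTP/1.1\r\n\r\n"),
    Packet(50.0, LOCAL_IP, 40000, "10.0.0.9", 53, b"\x00\x01"),  # never logged
]
```

Run it with `write_per_process_pcaps(split_by_process(PACKETS, EVENTS), "out")`: the two packets at t=2.0 and t=2.5 land in `1234_iexplore.exe.pcap`, the t=11.0 packet on the reused port goes to `5678_curl.exe.pcap`, and the unlogged UDP-style packet ends up in `unattributed.pcap`, which is the bucket to watch for gaps in the connection log (Sherif's fire-and-forget UDP case). Splitting the capture after the fact this way avoids the one-tcpdump-per-port loop and its missed packets; the only moving part that must keep up is the event log, which the OS writes regardless of how fast you poll.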
