
As you can see in this first screen capture, the vast majority of traffic is considered "unknown." I tried using ping.exe in a cmd.exe terminal. I tried using ftp.exe in the same cmd.exe terminal. I used Firefox to watch a YouTube video, and I used Microsoft Media Player to view some video. It seemed that the more time an activity occupied, the more likely Netmon would associate it with the right process. For example, downloading a FreeBSD .iso through Firefox appeared associated with Firefox, but visiting most Web sites did not.

I tried a second session where I updated Adobe Acrobat Reader, launched Skype, and a few other actions. Again the vast majority of traffic is "unknown," although I could tell much of it was caused by launching Skype.
Does anyone else use this program and get different results? Incidentally I took these actions as Administrator to ensure I didn't run into any permissions problems, but it doesn't seem to have made a difference here.
Do you have a program to map traffic to generating processes, live?


14 comments:
When would its release date be???
I'm seeing the same thing on my workstation.
If netstat can map active connections to PID I don't see why NM couldn't do the same.
I would highly recommend tcpvcon which is the Sysinternals command line version of Tcpview. Netstat (-anb) doesn't provide a full path to the executable and seems to run very slow in some environments for some reason.
For years now (in various corporate settings), I have sourced previously undetected malware infections by looking at outbound dropped traffic and then used psexec and tcpvcon to capture the full path to the application that is generating the traffic.
Then I would psexec and pscp the file back to an scponly drop point for further analysis.
Of course this requires you to catch the culprit in the act. And in my experience modern malware authors have gotten smarter about not blasting the wire trying to phone home. For this purpose I wrote a prototype netwatch.pl script which performs the same action as tcpvcon, but allows you to psexec it once and set it to loop until it matches the selected criteria (src/dst IP or port).
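The looping "wait until a connection matches, then record the owner" idea from the comment above, written here as an added PowerShell example (not the commenter's netwatch.pl and not part of the original post). It assumes Windows 8 / Server 2012 or later, where Get-NetTCPConnection exposes the OwningProcess column, and assumes the caller can read other processes' image paths (run it elevated, as the post did). The remote address and port are hypothetical criteria you supply, for instance a destination your firewall log flagged as dropped outbound traffic.

```powershell
# Added example: poll the TCP table until a connection matches the given remote
# address and/or port, then log the owning process and its full image path.
# Assumes Get-NetTCPConnection (Windows 8 / Server 2012+) and elevated rights.
param(
    [string]$RemoteAddress = '',         # hypothetical, e.g. '203.0.113.10' (TEST-NET-3)
    [int]$RemotePort = 0,                # hypothetical, e.g. 443; 0 means "any port"
    [int]$IntervalSeconds = 5,           # how often to re-read the connection table
    [string]$LogPath = "$env:TEMP\netwatch.csv"
)

function Get-MatchingConnections {
    # Return established TCP connections whose remote endpoint matches the criteria.
    param([string]$Address, [int]$Port)
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object {
            ([string]::IsNullOrEmpty($Address) -or $_.RemoteAddress -eq $Address) -and
            ($Port -eq 0 -or $_.RemotePort -eq $Port)
        }
}

function Resolve-OwningProcess {
    # Map a PID to a name and image path; short-lived processes may already be gone,
    # and protected processes may refuse the path even to an administrator.
    param([int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    $name = '<exited>'
    $path = '<unavailable>'
    if ($proc) {
        $name = $proc.ProcessName
        if ($proc.Path) { $path = $proc.Path }
    }
    [pscustomobject]@{ PID = $ProcessId; Name = $name; Path = $path }
}

# Loop until at least one connection matches, then record every match and stop.
while ($true) {
    $matches = @(Get-MatchingConnections -Address $RemoteAddress -Port $RemotePort)
    if ($matches.Count -gt 0) {
        foreach ($c in $matches) {
            $owner = Resolve-OwningProcess -ProcessId $c.OwningProcess
            $record = [pscustomobject]@{
                Time          = (Get-Date).ToString('o')
                LocalAddress  = $c.LocalAddress
                LocalPort     = $c.LocalPort
                RemoteAddress = $c.RemoteAddress
                RemotePort    = $c.RemotePort
                PID           = $owner.PID
                Process       = $owner.Name
                Path          = $owner.Path
            }
            # Append to a CSV so the evidence survives if the process exits.
            $record | Export-Csv -Path $LogPath -Append -NoTypeInformation
            $record | Format-Table -AutoSize | Out-String | Write-Host
        }
        break
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Usage: `.\netwatch.ps1 -RemoteAddress 203.0.113.10 -RemotePort 443`. Polling has the same limitation the comment notes: a connection shorter than the polling interval is missed, which is why a continuous logger such as Port Reporter, or an ETW-based tracer, is the better fit when the traffic is infrequent.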
I recommend you check out oSpy:
http://code.google.com/p/ospy/
Nexthink does quite a lot of things and is particularly process-intrusive
http://www.nexthink.com/home
marc
Microsoft's "Port Reporter" provides good results from most TCP traffic, UDP is less thorough.
While TCPView (and TCPVCon, its command line equivalent) is great at a point in time, it requires you to catch the process in action.
Port reporter will log to a file each and every TCP connection made.
I'm off to check out NexThink.
Sometimes I should just check my own blog... looks like I noticed Port Reporter in 2004.
A nice little tool if you do want to focus on the network activity of a particular application is SocketSniff from NirSoft. It's a stand alone exe that runs pretty well.
Regards
Lee
Wow, when is this going to be released? I can't find it anywhere!
Cheers,
Dianna
Dianna,
Visit the link I posted, log in with your Live account, and you'll go straight to the right page.
Richard, you may find this useful. SysInternals (OK Microsoft) have upgraded procmon to version 2 which lists network connectivity of individual processes.
Pretty nice.
Cheers
Lee
Oh, and just looking at the options: the "Boot Logging" feature would give you some of the same detail as Port Reporter, I guess, along with a whole lot more that you get with the tool, such as file and registry activity.
Cheers
Lee
Have a look at SecurActive NSS solutions. Pretty good tool if you don't want to waste your time looking at all your packets with your sniffer.