Friday, September 05, 2008

Microsoft Network Monitor 3.2 Beta for Tracking Traffic Origination

I'm always looking for a tool to map the traffic to or from a host with the process receiving or sending it. Today I noticed that Microsoft Network Monitor offers a beta that appears to have the functionality, according to this Netmon blog post. I visited the Netmon site on Microsoft Connect (registration required) to download beta 3.2. I ran two live capture tests to see what Netmon 3.2 beta would report.



As you can see in this first screen capture, the vast majority of traffic is considered "unknown." I tried using ping.exe in a cmd.exe terminal. I tried using ftp.exe in the same cmd.exe terminal. I used Firefox to watch a YouTube video, and I used Microsoft Media Player to view some video. It seemed that the more time an activity occupied, the more likely Netmon would associate it with the right process. For example, downloading a FreeBSD .iso through Firefox appeared associated with Firefox, but visiting most Web sites did not.



I tried a second session where I updated Adobe Acrobat Reader, launched Skype, and a few other actions. Again the vast majority of traffic is "unknown," although I could tell much of it was caused by launching Skype.

Does anyone else use this program and get different results? Incidentally I took these actions as Administrator to ensure I didn't run into any permissions problems, but it doesn't seem to have made a difference here.

Do you have a program to map traffic to generating processes, live?

14 comments:

The Serrano Boy said...

when would be its release date???

neils said...

I'm seeing the same thing on my workstation.

If netstat can map active connections to PID I don't see why NM couldn't do the same.

orekdm said...

I would highly recommend tcpvcon which is the Sysinternals command line version of Tcpview. Netstat (-anb) doesn't provide a full path to the executable and seems to run very slow in some environments for some reason.

For years now (in various corporate settings), I have sourced previously undetected malware infections by looking at outbound dropped traffic and then used psexec and tcpvcon to capture the full path to the application that is generating the traffic.

Then I would psexec and pscp the file back to an scponly drop point for further analysis.

Of course this requires you to catch the culprit in the act. And in my experience modern malware authors have gotten smarter about not blasting the wire trying to phone home. For this purpose I wrote a prototype netwatch.pl script which performs the same action as tcpvcon, but allows you to psexec it once and set it to loop until it matches the selected criteria (src/dst IP or port).
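The approach the post's closing question asks for and the comment above describes (poll the connection table the way netstat or tcpvcon would, keep looping until something matching a chosen address or port shows up, and record which process owns it), written out here as an added PowerShell example. It is not code from the post, from Netmon, tcpvcon or netwatch.pl. It assumes Windows 8 / Server 2012 or later, where Get-NetTCPConnection and Get-NetUDPEndpoint expose the owning PID, and an elevated session so that Get-Process can read every process's image path; the parameter names, the CSV layout and the log location are choices made for this example.

```powershell
# Added example (not from the post or the tools it names): poll the TCP and UDP
# tables and log every endpoint not seen before with its owning PID, process name
# and image path. Assumes Windows 8 / Server 2012+ (Get-NetTCPConnection and
# Get-NetUDPEndpoint) and an elevated session so that each process path is readable.
param(
    [int]$IntervalSeconds = 2,
    [string]$LogPath = "$env:TEMP\conn-watch.csv",
    [string]$RemoteAddress = '',   # optional filter: only log connections to this address
    [int]$RemotePort = 0,          # optional filter: only log connections to this port
    [int]$MaxPolls = 0             # 0 = loop until Ctrl-C
)

$seen = @{}   # endpoint key -> time first seen; entries are dropped when the endpoint goes away

function Get-OwningProcessInfo {
    param([int]$ProcessId)
    $p = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if ($null -eq $p) { return [pscustomobject]@{ Name = '(exited)'; Path = '' } }
    # Path stays empty for protected and kernel-backed processes even when elevated
    [pscustomobject]@{ Name = $p.ProcessName; Path = [string]$p.Path }
}

function Get-CurrentEndpoints {
    $list = New-Object System.Collections.Generic.List[object]
    # Listening sockets are not traffic, so only outbound/established TCP flows are kept
    foreach ($c in @(Get-NetTCPConnection -ErrorAction SilentlyContinue)) {
        if ($null -eq $c -or $c.State -eq 'Listen') { continue }
        $list.Add([pscustomobject]@{
            Proto = 'TCP'; State = [string]$c.State
            LocalAddress = $c.LocalAddress; LocalPort = $c.LocalPort
            RemoteAddress = $c.RemoteAddress; RemotePort = $c.RemotePort
            OwningProcess = $c.OwningProcess
        })
    }
    # UDP has no connection state; the bound local socket is all the OS attributes to a PID,
    # which is why the commenters find UDP attribution thinner than TCP
    foreach ($u in @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue)) {
        if ($null -eq $u) { continue }
        $list.Add([pscustomobject]@{
            Proto = 'UDP'; State = 'Bound'
            LocalAddress = $u.LocalAddress; LocalPort = $u.LocalPort
            RemoteAddress = '*'; RemotePort = 0
            OwningProcess = $u.OwningProcess
        })
    }
    return $list
}

if (-not (Test-Path $LogPath)) {
    'Time,Proto,State,LocalAddress,LocalPort,RemoteAddress,RemotePort,PID,Process,Path' |
        Set-Content -Path $LogPath
}

$polls = 0
while ($MaxPolls -eq 0 -or $polls -lt $MaxPolls) {
    $polls++
    $current = @{}
    foreach ($e in Get-CurrentEndpoints) {
        if ($RemoteAddress -and $e.RemoteAddress -ne $RemoteAddress) { continue }
        if ($RemotePort -and $e.RemotePort -ne $RemotePort) { continue }
        $key = '{0} {1}:{2}>{3}:{4} pid={5}' -f $e.Proto, $e.LocalAddress, $e.LocalPort, $e.RemoteAddress, $e.RemotePort, $e.OwningProcess
        $current[$key] = $true
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = Get-Date
        $info = Get-OwningProcessInfo -ProcessId $e.OwningProcess
        $line = '{0:o},{1},{2},{3},{4},{5},{6},{7},{8},"{9}"' -f (Get-Date), $e.Proto, $e.State, $e.LocalAddress, $e.LocalPort, $e.RemoteAddress, $e.RemotePort, $e.OwningProcess, $info.Name, $info.Path
        Add-Content -Path $LogPath -Value $line
        Write-Host $line
    }
    # Forget endpoints that have disappeared so a reused port/PID pair is logged again later
    foreach ($k in @($seen.Keys)) { if (-not $current.ContainsKey($k)) { $seen.Remove($k) } }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Save it as, say, Watch-Connections.ps1 and run it from an elevated prompt, for example `.\Watch-Connections.ps1 -RemotePort 443` to watch only HTTPS flows, or with `-RemoteAddress` set to an address taken from firewall drop logs, which is the workflow the comment describes. The limitation is the one the comment already names: anything that opens and closes between two polls is never seen, and the same gap is the likely reason the post's short page visits ended up as "unknown" while a long .iso download was attributed correctly. A tool that records every connection as it is made (Port Reporter, or Procmon's network events, both mentioned further down the thread) does not have that blind spot.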

pb said...

I recommend you check out oSpy:
http://code.google.com/p/ospy/

Anonymous said...

Nexthink does quite a lot of things and is particularly process-intrusive
http://www.nexthink.com/home
marc

Anonymous said...

Microsoft's "Port Reporter" provides good results from most TCP traffic, UDP is less thorough.

While TCPView (and TCPVCon, its command line equivalent) is great at a point in time, it requires you to catch the process in action.

Port reporter will log to a file each and every TCP connection made.

I'm off to check out NexThink.

Richard Bejtlich said...

Sometimes I should just check my own blog... looks like I noticed Port Reporter in 2004.

SynJunkie said...

A nice little tool if you do want to focus on the network activity of a particular application is SocketSniff from NirSoft. It's a stand alone exe that runs pretty well.

Regards

Lee

Anonymous said...

This comment has been removed by a blog administrator.

Increase Web Site Traffic said...

Wow, when is this going to be released? I can't find it anywhere!

Cheers,
Dianna

Richard Bejtlich said...

Dianna,

Visit the link I posted, log in with your Live account, and you'll go straight to the right page.

SynJunkie said...

Richard, you may find this useful. SysInternals (OK Microsoft) have upgraded procmon to version 2 which lists network connectivity of individual processes.

Pretty nice.

Cheers

Lee

SynJunkie said...

Oh, and just looking at the options. The "Boot Logging" feature would give you some of the same detail as Port Reporter, I guess, along with a whole lot more that you get with the tool, such as file and registry activity.

Cheers

Lee

Anonymous said...

have a look at SecurActive NSS solutions. Pretty good tool if you don't want to waste your time looking at all your packets with your sniffer.