Microsoft Network Monitor 3.2 Beta for Tracking Traffic Origination
I'm always looking for a tool to map the traffic to or from a host with the process receiving or sending it. Today I noticed that Microsoft Network Monitor offers a beta that appears to have the functionality, according to this Netmon blog post. I visited the Netmon site on Microsoft Connect (registration required) to download beta 3.2. I ran two live capture tests to see what Netmon 3.2 beta would report.
As you can see in this first screen capture, the vast majority of traffic is considered "unknown." I tried using ping.exe in a cmd.exe terminal. I tried using ftp.exe in the same cmd.exe terminal. I used Firefox to watch a YouTube video, and I used Microsoft Media Player to view some video. It seemed that the more time an activity occupied, the more likely Netmon would associate it with the right process. For example, downloading a FreeBSD .iso through Firefox appeared associated with Firefox, but visiting most Web sites did not.
I tried a second session where I updated Adobe Acrobat Reader, launched Skype, and a few other actions. Again the vast majority of traffic is "unknown," although I could tell much of it was caused by launching Skype.
Does anyone else use this program and get different results? Incidentally I took these actions as Administrator to ensure I didn't run into any permissions problems, but it doesn't seem to have made a difference here.
Do you have a program to map traffic to generating processes, live?
Comments
If netstat can map active connections to PID I don't see why NM couldn't do the same.
For years now (in various corporate settings), I have sourced previously undetected malware infections by looking at outbound dropped traffic and then used psexec and tcpvcon to capture the full path to the application that is generating the traffic.
Then I would psexec and pscp the file back to an scponly drop point for further analysis.
Of course this requires you to catch the culprit in the act. And in my experience modern malware authors have gotten smarter about not blasting the wire trying to phone home. For this purpose I wrote a prototype netwatch.pl script which performs the same action as tcpvcon, but allows you to psexec it once and set it to loop until it matches the selected criteria (src/dst IP or port).
http://code.google.com/p/ospy/
http://www.nexthink.com/home
marc
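The approach in the comment above (netstat maps each socket to a PID, a process list maps the PID to an image, and a loop polls until a connection matches a src/dst IP or port) can be scripted without TCPVCon. This is an added example, not the commenter's netwatch.pl or any Microsoft tool; it parses the text formats of `netstat -ano` and `tasklist /FO CSV /NH` on Windows, and the sample output embedded below is constructed.

```python
"""Join `netstat -ano` with `tasklist /FO CSV /NH` to name the process behind a socket."""
import csv
import io
import subprocess
import time

# Constructed sample output (not captured from a real host) so the parser runs offline.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.0.2.10:49210       198.51.100.7:443       ESTABLISHED     4120
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    1044
"""
SAMPLE_TASKLIST = '''"svchost.exe","880","Services","0","9,412 K"
"firefox.exe","4120","Console","1","210,004 K"
"System","4","Services","0","132 K"
'''

def parse_netstat(text):
    """Return one dict per socket line; UDP lines carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank, or "Active Connections" line
        lip, lport = parts[1].rsplit(":", 1)   # rsplit keeps IPv6 "[::]" intact
        rip, rport = parts[2].rsplit(":", 1)
        rows.append({"proto": parts[0], "lip": lip, "lport": lport, "rip": rip,
                     "rport": rport, "pid": int(parts[-1])})
    return rows

def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV (no header)."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(text)) if len(r) >= 2}

def matches(conn, ip=None, port=None):
    """Filter like tcpvcon: either endpoint may match the IP or the port."""
    if ip and ip not in (conn["lip"], conn["rip"]):
        return False
    return not port or str(port) in (conn["lport"], conn["rport"])

def find_owners(netstat_text, tasklist_text, ip=None, port=None):
    """(proto, local, remote, pid, image) for every matching socket; image is 'unknown' if the PID vanished."""
    procs = parse_tasklist(tasklist_text)
    return [(c["proto"], f'{c["lip"]}:{c["lport"]}', f'{c["rip"]}:{c["rport"]}',
             c["pid"], procs.get(c["pid"], "unknown"))
            for c in parse_netstat(netstat_text) if matches(c, ip, port)]

def watch(ip=None, port=None, interval=2.0, max_polls=None):
    """Poll the live host (Windows only) until a socket matches the criteria."""
    polls = 0
    while max_polls is None or polls < max_polls:
        ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
        tl = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True).stdout
        hits = find_owners(ns, tl, ip, port)
        if hits:
            return hits
        polls += 1
        time.sleep(interval)
    return []
```

Run `watch(port=443)` on the host; short-lived sockets can still close between polls, so a short interval or an event-based logger such as Port Reporter catches more.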
While TCPView (and TCPVCon, its command-line equivalent) is great at a point in time, it requires you to catch the process in action.
Port Reporter will log to a file each and every TCP connection made.
I'm off to check out NexThink.
Regards
Lee
Cheers,
Dianna
Visit the link I posted, log in with your Live account, and you'll go straight to the right page.
Pretty nice.
Cheers
Lee
Cheers
Lee