iphlpapi icmp, udp - map traffic to originating process - Programmer


Thread: iphlpapi icmp, udp - map traffic to originating process

  1. iphlpapi icmp, udp - map traffic to originating process

    Greetings,
    Here's my situation:
    I'm looking to clean up rogue traffic on a network. I use iphlpapi.dll to
    track TCP traffic to its originating process with GetTcpTable() - this is
    great, it does exactly what I want. I'd like something that can do the same
    for ICMP and UDP. I see there's a GetUdpTable, but it has no dst info. So
    suppose I have a machine that's trying to talk to a dst machine on port 5545 -
    are there no hooks I can use to tell which process is creating this traffic?
    Similarly with ICMP - I have a machine that is spewing ICMP now and again and
    I would like to narrow it down to a process if possible.

    I'm predicting this can't be done... GetTcpTable does what I want because it
    grabs the state table; it's not actually telling me when and which
    application is making a network call (I assume the app name in this case is
    just a part of the state table)... Although these personal firewalls
    (Kerio, ZoneLabs etc.) can do it - there's got to be a way? THERE MUST BE A
    WAY!!!

    Andy
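    An added example, not part of the thread and not code from the poster or from
    iphlpapi: on Windows Vista and later the one place that records destination
    address, destination port, protocol and the sending process for every flow,
    UDP and ICMP included, is Windows Filtering Platform connection auditing
    (Security log event 5156). The script below enables that audit subcategory,
    then reads recent 5156 events and filters them by protocol and port. It
    assumes an elevated PowerShell session, that the 5156 EventData field names
    (ProcessID, Application, Direction, Protocol, DestAddress, DestPort) and the
    outbound direction token %%14593 are as given in Microsoft's audit event
    documentation, and it uses port 5545 from the original post as the example
    target; Get-WfpConnection is a helper name chosen here.

```powershell
# Added example: attribute UDP and ICMP traffic to the sending process using
# Windows Filtering Platform connection auditing (Security log event 5156).
# Assumptions: elevated session on Windows Vista or later; 5156 field names
# and the %%14593 "Outbound" token are as documented for the audit event.

# 1. Enable the audit subcategory. This is noisy on a busy host; disable it
#    again with /success:disable /failure:disable when the hunt is over.
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

function Get-WfpConnection {
    param(
        [int]$Minutes = 10,           # how far back in the Security log to look
        [int[]]$Protocol = @(1, 17),  # IANA protocol numbers: 1 = ICMP, 17 = UDP
        [int]$DestPort = 0            # 0 = any port (ports are not meaningful for ICMP)
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5156              # "The Windows Filtering Platform has permitted a connection"
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML into a hashtable.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $proto = [int]$d['Protocol']
        if ($Protocol -notcontains $proto) { continue }
        if ($DestPort -ne 0 -and [int]$d['DestPort'] -ne $DestPort) { continue }
        # Keep only traffic this host originates (assumed token for Outbound).
        if ($d['Direction'] -ne '%%14593') { continue }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            ProcessId   = [int]$d['ProcessID']
            # Application is an NT device path (\device\harddiskvolumeN\...),
            # not a drive-letter path. PID 4 / System means the kernel itself
            # sent the packet, e.g. ICMP echo replies or port-unreachable errors.
            Application = $d['Application']
            Protocol    = $proto
            Destination = "$($d['DestAddress']):$($d['DestPort'])"
        }
    }
}

# Which images are sending UDP to port 5545, and how often?
Get-WfpConnection -Protocol 17 -DestPort 5545 |
    Group-Object Application | Sort-Object Count -Descending |
    Select-Object Count, Name

# Every outbound ICMP packet in the window, with the process that generated it.
Get-WfpConnection -Protocol 1 |
    Select-Object Time, ProcessId, Application, Destination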





  2. Re: iphlpapi icmp, udp - map traffic to originating process

    If you want to know which process opened the socket, look at netstatp on
    http://www.sysinternals.com/files/netstatp.zip but be aware that it works on
    XP only.
    Arkady





  3. Re: iphlpapi icmp, udp - map traffic to originating process

    netstatp only uses GetTcpTable and GetUdpTable from iphlpapi.dll, which does
    not track UDP endpoints or ICMP.







  4. Re: iphlpapi icmp, udp - map traffic to originating process

    Netstatp uses undocumented functions to connect the owner of a socket with
    the port, which is what you want, if I understand correctly.
    Arkady
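    An added example, not from the thread and not netstatp's own code: the
    socket-to-owner lookup that netstatp did through undocumented calls has a
    documented form on Windows XP SP2 and later, GetExtendedUdpTable with the
    UDP_TABLE_OWNER_PID table class (GetExtendedTcpTable with
    TCP_TABLE_OWNER_PID_ALL is the TCP counterpart). The script below P/Invokes
    it from PowerShell and joins the owning PID to a process name. It assumes
    IPv4 only (AF_INET, the 12-byte MIB_UDPROW_OWNER_PID row layout) and a
    little-endian host; IpHlp and Get-UdpOwner are names chosen here. The
    caveat from the original question still stands: like GetUdpTable this
    returns only local endpoints, so there is no destination for UDP and
    nothing at all for ICMP.

```powershell
# Added example: documented replacement for the undocumented socket-owner
# lookup, GetExtendedUdpTable with UDP_TABLE_OWNER_PID, via P/Invoke.
# Assumptions: Windows XP SP2 or later, IPv4 only, little-endian host.

$sig = @'
using System;
using System.Runtime.InteropServices;
public static class IpHlp {
    [DllImport("iphlpapi.dll", SetLastError = true)]
    public static extern uint GetExtendedUdpTable(
        IntPtr pUdpTable, ref int pdwSize, bool bOrder,
        int ulAf, int TableClass, uint Reserved);
}
'@
Add-Type -TypeDefinition $sig

function Get-UdpOwner {
    $AF_INET = 2
    $UDP_TABLE_OWNER_PID = 1
    $M = [System.Runtime.InteropServices.Marshal]

    # First call with a zero-length buffer returns ERROR_INSUFFICIENT_BUFFER (122)
    # and writes the required size into $size.
    $size = 0
    [void][IpHlp]::GetExtendedUdpTable([IntPtr]::Zero, [ref]$size, $true, $AF_INET, $UDP_TABLE_OWNER_PID, 0)
    $buf = $M::AllocHGlobal($size)
    try {
        $rc = [IpHlp]::GetExtendedUdpTable($buf, [ref]$size, $true, $AF_INET, $UDP_TABLE_OWNER_PID, 0)
        if ($rc -ne 0) { throw "GetExtendedUdpTable failed with Win32 error $rc" }

        # MIB_UDPTABLE_OWNER_PID: DWORD dwNumEntries, followed by that many
        # MIB_UDPROW_OWNER_PID rows { DWORD dwLocalAddr; DWORD dwLocalPort; DWORD dwOwningPid }.
        $count = $M::ReadInt32($buf)
        for ($i = 0; $i -lt $count; $i++) {
            $off   = 4 + ($i * 12)
            $raw   = $M::ReadInt32($buf, $off)
            $port  = $M::ReadInt32($buf, $off + 4)
            $owner = $M::ReadInt32($buf, $off + 8)

            # dwLocalAddr is already in network byte order, so its in-memory
            # bytes are exactly what the IPAddress(byte[]) constructor wants.
            $ip = New-Object System.Net.IPAddress -ArgumentList (,[BitConverter]::GetBytes($raw))
            # dwLocalPort holds the port in network byte order in its low 16 bits;
            # the upper bits may be uninitialized, so mask before swapping.
            $hostPort = (($port -band 0xFF) -shl 8) -bor (($port -shr 8) -band 0xFF)

            $proc = Get-Process -Id $owner -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { '<exited>' }

            [pscustomobject]@{
                LocalAddress = $ip.ToString()
                LocalPort    = $hostPort
                OwningPid    = $owner
                ProcessName  = $name
            }
        }
    } finally {
        $M::FreeHGlobal($buf)
    }
}

# Which process owns the UDP socket bound to local port 5545 (port from the original post)?
Get-UdpOwner | Where-Object LocalPort -eq 5545
```

    Note that a process that sends a burst of UDP and closes the socket will not
    be in the table when you poll it; for that case the WFP audit route is the
    one that catches it after the fact.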




