Which process sent the UDP packet?

This topic contains 4 replies, has 2 voices, and was last updated by sommainc 2 months, 3 weeks ago.

  • #11030

    sommainc
    Participant

    I want to know which process sent the UDP packet.

    I saw a comment on https://www.ntkernel.com/forums/topic/cget-the-process-a-packet-was-sent-by/. In the case of TCP, local <-> remote information can be retrieved through the extended table, but in the case of UDP (as far as I know), only UDP binding information can be retrieved.

    When sending UDP packets from local to remote, is there any way to know which process sent the packet?

    #11031

    Vadim Smirnov
    Moderator

    You can use GetExtendedUdpTable to find the dwLocalAddr:dwLocalPort to dwOwningPid association and then if necessary call GetOwnerModuleFromUdpEntry with TCPIP_OWNER_MODULE_INFO_BASIC to obtain pModuleName and pModulePath.

    #11032

    sommainc
    Participant

    According to MSDN and my own test, the information that we can get from MIB_UDPTABLE_OWNER_MODULE or MIB_UDPTABLE_OWNER_PID (we can get those by GetExtendedUdpTable(..., UDP_TABLE_OWNER_MODULE, ...)) is only the UDP listener process’s information.

    https://docs.microsoft.com/en-us/windows/win32/api/udpmib/ns-udpmib-_mib_udptable_owner_pid

    >> The MIB_UDPTABLE_OWNER_PID structure contains the User Datagram Protocol (UDP) listener table for IPv4 on the local computer. The table also includes the process ID (PID) that issued the call to the bind function for each UDP endpoint.

    But I need the information of the process that called UDP sendto(). Is there anything that I have wrong?

    Thanks.

    #11033

    Vadim Smirnov
    Moderator

    Although sendto() can be called on an unbound socket, according to MSDN “If the socket is unbound, unique values are assigned to the local association by the system, and the socket is then marked as bound”. So, I suspect that this is equivalent to calling bind explicitly. However, it is worth testing to make sure.

    #11034

    sommainc
    Participant

    Leaving this comment for records.

    Even if you do not explicitly call the bind() function, Windows binds the local port dynamically as described in MSDN, so you can find the information in the UDP extended table.

    ref: https://docs.microsoft.com/en-us/windows/win32/api/winsock/nf-winsock-sendto

    In previous tests, it was a simple coding mistake that we could not get a PID.
    Thanks for your help, Vadim Smirnov 🙂
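The conclusion of the thread (an unbound sendto() gets a system-assigned local port, which then appears in the UDP endpoint table with its owning PID) can be checked from PowerShell. This is an added example, not code from the thread or from NT Kernel Resources; it uses Get-NetUDPEndpoint and Get-Process, which read the same owner-PID data GetExtendedUdpTable exposes, and assumes 127.0.0.1:9 as a harmless constructed destination for the test datagram.

```powershell
# Added example: send one UDP datagram from an UNBOUND socket, then resolve the
# owning process of the ephemeral local port the system assigned to it.

# No explicit Bind(): Windows will assign the local address/port on first Send.
$client  = [System.Net.Sockets.UdpClient]::new()
$payload = [System.Text.Encoding]::ASCII.GetBytes("constructed test datagram")

# Constructed destination (loopback discard port); nothing needs to listen there.
[void]$client.Send($payload, $payload.Length, "127.0.0.1", 9)

# After the implicit bind the socket reports its local endpoint.
$localPort = ([System.Net.IPEndPoint]$client.Client.LocalEndPoint).Port
"Ephemeral local port assigned by the system: $localPort"

function Get-UdpOwner {
    # Map a local UDP port to the process that owns the endpoint, the same
    # association the thread obtains via GetExtendedUdpTable/dwOwningPid.
    param([Parameter(Mandatory)][int]$Port)

    Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            OwningPid    = $_.OwningProcess
            ProcessName  = $proc.ProcessName   # $null if the process already exited
            Path         = $proc.Path          # may be $null without sufficient rights
        }
    }
}

# Expect a row whose OwningPid equals $PID (this PowerShell session).
Get-UdpOwner -Port $localPort | Format-Table -AutoSize

$client.Close()
```

Run it as a normal user to see the PID; the Path column is only populated when the caller has rights to query the owning process, which is the same limitation GetOwnerModuleFromUdpEntry has for processes in other sessions.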
