- This topic has 7 replies, 2 voices, and was last updated 2 years, 4 months ago by
.
-
Posts
-
Hi,
is it possible determine source/target app of catched packet(s)?
Any sample? In .Net :]Thanks
Jerry
Hi,
The only sample which demonstrates process lookup (using IP Helper API) is Socksify, and it is in C++:
https://github.com/wiresock/ndisapi/tree/master/examples/cpp/socksify
However, it is not a big deal to integrate process_lookup.h into .NET C++/CLI mixed class library (ndisapi.net) and use it there.
Hi,
thanks for quick answer!
You show me direction, very appreciated.
Integration anything to mentioned class is out of my skills, C++ is dark side :]
Waiting for ndisapi.net upgrade ;]
Jerry
The only thing you need is a couple of IPHELPER API functions, GetExtendedTcpTable and GetExtendedUdpTable. Then just match IP/port information against information extracted from the packet.
If you need to do that in C# then here is the sample code https://www.codeproject.com/Articles/14423/Getting-the-active-TCP-UDP-connections-using-the-G
Hi,
i’m little bit experimented with GetExtendedTcpTable / GetExtendedUdpTable. After decoding packet with PacketDotNet library, I check this packet in proper table. Working good, no performanece issue (tested with torrent client running :-).
Two problems (now):
Short livetime of endpoint in table – solved with Event trace monitor and delaying remove endpoint from another endpoint table..
But a huge number of packets are not found in table – probably correct endpoint is not created yet… And because torrent/web browser comms contains lot of “short” communications – 2-3 packets, I’m unable identify owning process. Solution with ETW doesnt wotk, because events has 2-3 sec delays…
Any idea? Postpone these (all?) packets? 🙁
My target is:
– store statistic about apps comms
– control this comms by user filter – simple “firewall”Thanks.
Jerry
You should consider one thing about GetExtendedTcpTable / GetExtendedUdpTable. These functions return you only connections available to the application (more precisely, to the user running the application). It is not a problem if you run as a service under LocalSystem account, but if you execute it under standard user account, you won’t see processes from other users (and services).
I’m not sure with this…
My app runs with admin privileges under standard account and I see endpoints for svchost (Local service/SYSTEM acc), Idle process, System process and so on…
- You must be logged in to reply to this topic.