WinPacketFilter – determine packet owner app


Viewing 8 posts - 1 through 8 (of 8 total)
  • #11948
    jerry
    Participant

    Hi,

    Is it possible to determine the source/target app of captured packet(s)?
    Any sample? In .Net :]

    Thanks

    Jerry

    #11949
    Vadim Smirnov
    Keymaster

    Hi,

    The only sample which demonstrates process lookup (using IP Helper API) is Socksify, and it is in C++:

    https://github.com/wiresock/ndisapi/tree/master/examples/cpp/socksify

    However, it is not a big deal to integrate process_lookup.h into .NET C++/CLI mixed class library (ndisapi.net) and use it there.

    #11950
    jerry
    Participant

    Hi,

    thanks for the quick answer!

    You showed me the direction, very much appreciated.

    Integrating anything into the mentioned class is beyond my skills; C++ is the dark side :]

    Waiting for the ndisapi.net upgrade ;]

    Jerry

    #11951
    Vadim Smirnov
    Keymaster

    The only thing you need is a couple of IPHELPER API functions, GetExtendedTcpTable and GetExtendedUdpTable. Then just match IP/port information against information extracted from the packet.

    If you need to do that in C# then here is the sample code https://www.codeproject.com/Articles/14423/Getting-the-active-TCP-UDP-connections-using-the-G

    #12011
    jerry
    Participant

    Hi,

    I experimented a little bit with GetExtendedTcpTable / GetExtendedUdpTable. After decoding the packet with the PacketDotNet library, I look the packet up in the proper table. Working well, no performance issue (tested with a torrent client running :-).

    Two problems (now):

    Short lifetime of the endpoint in the table – solved with an Event Trace monitor and by delaying removal of the endpoint from a second endpoint table.

    But a huge number of packets are not found in the table – probably the correct endpoint is not created yet… And because torrent/web browser comms contain a lot of “short” communications – 2-3 packets, I’m unable to identify the owning process. The solution with ETW doesn't work, because the events have 2-3 sec delays…

    Any idea? Postpone these (all?) packets? 🙁

    My target is:
    – store statistics about apps' comms
    – control these comms by a user filter – a simple “firewall”

    Thanks.

    Jerry

    #12012
    Vadim Smirnov
    Keymaster

    You should consider one thing about GetExtendedTcpTable / GetExtendedUdpTable. These functions return only the connections available to the application (more precisely, to the user running the application). It is not a problem if you run as a service under the LocalSystem account, but if you execute it under a standard user account, you won’t see processes from other users (and services).

    #12013
    jerry
    Participant

    I’m not sure about this…

    My app runs with admin privileges under a standard account and I see endpoints for svchost (Local Service/SYSTEM acc), the Idle process, the System process and so on…

    #12014
    jerry
    Participant

    Sorry, my mistake – wrong IP conversion to uint32.
    Most of the unidentified packets had IPs starting with 128 and higher…

    Let’s go investigate the rest of the unidentified packets 🙂
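Matching a packet's endpoint against the GetExtendedTcpTable rows, as described in the replies above, comes down to getting the byte order of the MIB table right. The following is an added C# example, not code from the thread, from ndisapi.net or from the linked CodeProject article; the stated cause of the "128 and higher" symptom is an assumption, and the UDP side (GetExtendedUdpTable with MIB_UDPROW_OWNER_PID) is looked up the same way.

```csharp
using System;
using System.Net;
using System.Runtime.InteropServices;

// Added example (not from the thread): resolve the owning PID of a TCP packet's local
// endpoint via GetExtendedTcpTable. Struct and field names follow Win32 MIB_TCPROW_OWNER_PID.
static class TcpOwnerLookup
{
    const int AF_INET = 2, TCP_TABLE_OWNER_PID_ALL = 5;
    [StructLayout(LayoutKind.Sequential)]
    struct MIB_TCPROW_OWNER_PID
    {
        public uint dwState, dwLocalAddr, dwLocalPort, dwRemoteAddr, dwRemotePort, dwOwningPid;
    }
    [DllImport("iphlpapi.dll", SetLastError = true)]
    static extern uint GetExtendedTcpTable(IntPtr pTcpTable, ref int pdwSize, bool bOrder,
                                           int ulAf, int tableClass, uint reserved);
    // dwLocalAddr holds the IPv4 bytes in network order; dwLocalPort holds the port in its low
    // 16 bits, also network order. Reading the raw address bytes as a little-endian UInt32
    // reproduces that DWORD. A host-order build like (b[0] << 24 | ...) never matches, and for
    // first octets >= 128 it is a negative int, so Convert.ToUInt32 throws (assumed cause of
    // the "128 and higher" symptom above).
    public static (uint addr, uint port) ToTableKey(IPAddress ip, ushort hostPort)
    {
        uint addr = BitConverter.ToUInt32(ip.GetAddressBytes(), 0);   // a | b<<8 | c<<16 | d<<24
        uint port = (uint)(ushort)IPAddress.HostToNetworkOrder((short)hostPort);
        return (addr, port);
    }
    // PID owning (localIp, localPort), or null if no row matches (e.g. socket not in the table
    // yet). Pass the packet's local side: source for outbound, destination for inbound.
    public static uint? FindOwningPid(IPAddress localIp, ushort localPort)
    {
        var (wantAddr, wantPort) = ToTableKey(localIp, localPort);
        int size = 0;
        GetExtendedTcpTable(IntPtr.Zero, ref size, false, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0);
        IntPtr buf = Marshal.AllocHGlobal(size);
        try {
            if (GetExtendedTcpTable(buf, ref size, false, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0) != 0)
                return null;                          // table grew between the two calls: retry
            int count = Marshal.ReadInt32(buf);       // MIB_TCPTABLE_OWNER_PID.dwNumEntries
            int rowSize = Marshal.SizeOf<MIB_TCPROW_OWNER_PID>();
            for (int i = 0; i < count; i++) {         // rows start right after dwNumEntries
                var r = Marshal.PtrToStructure<MIB_TCPROW_OWNER_PID>(buf + 4 + i * rowSize);
                if (r.dwLocalAddr == wantAddr && r.dwLocalPort == wantPort) return r.dwOwningPid;
            }
            return null;
        } finally { Marshal.FreeHGlobal(buf); }
    }
}
```

A null result on the first packets of a connection is expected when the socket has not yet appeared in the table, which is the short-flow gap discussed above; a process running under a standard user account may also see fewer rows than one running as LocalSystem.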
