WinPacketFilter – determine packet owner app

Home Forums Discussions General Discussion WinPacketFilter – determine packet owner app

Viewing 8 posts - 1 through 8 (of 8 total)
  • Author
    Posts
  • #11948
    jerry
    Participant

      Hi,

      is it possible determine source/target app of catched packet(s)?
      Any sample? In .Net :]

      Thanks

      Jerry

      #11949
      Vadim Smirnov
      Keymaster

        Hi,

        The only sample which demonstrates process lookup (using IP Helper API) is Socksify, and it is in C++:

        https://github.com/wiresock/ndisapi/tree/master/examples/cpp/socksify

        However, it is not a big deal to integrate process_lookup.h into .NET C++/CLI mixed class library (ndisapi.net) and use it there.

        #11950
        jerry
        Participant

          Hi,

          thanks for quick answer!

          You show me direction, very appreciated.

          Integration anything to mentioned class is out of my skills, C++ is dark side :]

          Waiting for ndisapi.net upgrade ;]

          Jerry

          #11951
          Vadim Smirnov
          Keymaster

            The only thing you need is a couple of IPHELPER API functions, GetExtendedTcpTable and GetExtendedUdpTable. Then just match IP/port information against information extracted from the packet.

            If you need to do that in C# then here is the sample code https://www.codeproject.com/Articles/14423/Getting-the-active-TCP-UDP-connections-using-the-G

            #12011
            jerry
            Participant

              Hi,

              i’m little bit experimented with GetExtendedTcpTable / GetExtendedUdpTable. After decoding packet with PacketDotNet library, I check this packet in proper table. Working good, no performanece issue (tested with torrent client running :-).

              Two problems (now):

              Short livetime of endpoint in table  – solved with Event trace monitor and delaying remove endpoint from another endpoint table..

              But a huge number of packets are not found in table – probably correct endpoint is not created yet… And because torrent/web browser comms contains lot of “short” communications – 2-3 packets, I’m unable identify owning process. Solution with ETW doesnt wotk, because events has 2-3 sec delays…

              Any idea? Postpone these (all?) packets? 🙁

              My target is:
              – store statistic about apps comms
              – control this comms by user filter – simple “firewall”

              Thanks.

              Jerry

              #12012
              Vadim Smirnov
              Keymaster

                You should consider one thing about GetExtendedTcpTable / GetExtendedUdpTable. These functions return you only connections available to the application (more precisely, to the user running the application). It is not a problem if you run as a service under LocalSystem account, but if you execute it under standard user account, you won’t see processes from other users (and services).

                #12013
                jerry
                Participant

                  I’m not sure with this…

                  My app runs with admin privileges under standard account and I see endpoints for svchost (Local service/SYSTEM acc), Idle process, System process and so on…

                  #12014
                  jerry
                  Participant

                    sorry, my mistake – wrong  ip conversion to uint32.
                    most of unidentified packets was with ip starting with 128 and higher…

                    let’s go investigate rest of unidentified packets 🙂

                  Viewing 8 posts - 1 through 8 (of 8 total)
                  • You must be logged in to reply to this topic.