Capture Packets By Process Id #147
Comments
@hammad2224 It may be possible to see what process is on a given port if you run as a privileged process; then you could map back using that info and the port a given packet was transferring on. I'm not sure how it goes back into the capture file though. You might want to check whether the Npcap SDK provides any of that process info.
Yeah, I was thinking that we could run netstat to get the opened ports by process ID and, when capturing the packets, set the processId property in the packet at the time of capture, and queue the captures we need to analyze. Or, at the time of capturing, we could run netstat and include any of the data received by setting the process ID. I will write the function and show you; maybe you can include that in the source.
@hammad2224 In addition to @chmorgan's solution, you could also use the
@kayoub5 The filter token 'processId' as listed at https://reqrypt.org/windivert-doc.html is only supported in WinDivert version 2.2. But even when this exact version of the WinDivert DLL and driver is used, SharpPcap gives a
@globalpolicy Sample code?
@kayoub5 https://pastebin.com/BXR0jeTx
You need to change
I tried doing that, but it still gives me the same exception.
Would you guys be interested if I looked into implementing this? 🤔
After some digging I found that WinDivert can either:
Having a lookup table that records socket events and caches a mapping between endpoint and process ID has to be done in an extra class. The initial values for the table could be filled using
All this is nice and possible, but those are Windows-only drivers/APIs. @AlmightyLks I can't say for sure whether your solution will be accepted or not without even seeing it.
@kayoub5 I looked more into this last night, and I'd say this would fit better in PacketNet, as it requires getting the port, which needs to be parsed from the byte data. I guess this would belong in the TcpPacket class then 😄
As you are thinking about manually mapping the TCP connection tables from the WinAPI: .NET actually already has a class and an appropriate method for it. That the System.Net.* devs marked this as unsupported for Android but didn't mark it for Linux/Unix, and continue to keep it fully available up to .NET 6, should mean that it is cross-platform. I'll do some more digging via source.dot.net later.
I am aware of that API; unfortunately it does not provide the process ID.
I just noticed! 😄
TL;DR: Alright. After days of research and prototyping, I've looked into it in depth. For Linux I have to open and read the /proc/net/tcp file, then iterate through and fetch all subdirectories /proc/N/fd, where N is practically sequential and can possibly range from 1 to 2147483647, if not even 4294967295, to find a file named socket[Y], where Y is the socket inode gathered from the info fetched from /proc/net/tcp. This means I need to fetch all file names, parse the file name to get the inode from socket[Y], match the port from /proc/net/tcp, and get the process ID by parsing the directory name /proc/N/fd, so I can combine the two via the inode ID.
An example program which continuously sends data through a TCP connection, taking up port 8000 (an example target of what I am looking for):
Getting my example program's process ID (3793) to simulate and skip the process of scanning through all
This is very, very inefficient from Linux's side and can't be tolerated, as it is pure brute-forcing and trial-and-error on access violations, as well as a horrible iterative approach.
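The Linux procedure described in the comment above (join /proc/net/tcp to /proc/N/fd on the socket inode), written out as an added Python example. This is not SharpPcap or Packet.Net code; the /proc/net/tcp contents, the fd link targets, the port 8000 and the PID 3793 are constructed sample data for offline use. For the live variant, the walk visits only the numeric directories actually present under /proc and skips processes whose fd table it cannot read (other users' processes without root, or processes that exit mid-walk), which is the usual way to bound the scan.

```python
"""Map TCP local ports to owning PIDs via /proc on Linux.

Added example, not project code. Sample data below is constructed.
"""
import os
import re
from typing import Dict

# Constructed sample of /proc/net/tcp: a listener on 127.0.0.1:8000 (0x1F40)
# and an established connection from ephemeral port 40000 (0x9C40).
# Addresses are hex; the IPv4 part is in host (little-endian) byte order.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 28716 1 0000000000000000 100 0 0 10 0
   1: 0100007F:9C40 0100007F:1F40 01 00000000:00000000 00:00000000 00000000  1000        0 28720 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample of readlink() results for /proc/<pid>/fd/<fd>.
# A socket fd links to the pseudo-path "socket:[<inode>]".
SAMPLE_FD_LINKS = {
    3793: {"0": "/dev/pts/0", "3": "socket:[28716]", "4": "socket:[28720]"},
    1: {"0": "/dev/null", "1": "/dev/null"},
}

SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def parse_proc_net_tcp(text: str) -> Dict[int, int]:
    """Return {socket inode: local port} from the contents of /proc/net/tcp."""
    result: Dict[int, int] = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with a slot number such as "0:"; the header row does not.
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue
        local_port = int(fields[1].split(":")[1], 16)
        inode = int(fields[9])
        if inode:  # inode 0: socket not attached to any file descriptor (e.g. TIME_WAIT)
            result[inode] = local_port
    return result


def inode_to_pid(fd_links: Dict[int, Dict[str, str]]) -> Dict[int, int]:
    """Return {socket inode: pid} from {pid: {fd: readlink target}}."""
    owners: Dict[int, int] = {}
    for pid, fds in fd_links.items():
        for target in fds.values():
            m = SOCKET_LINK.match(target)
            if m:
                owners[int(m.group(1))] = pid
    return owners


def read_fd_links(proc: str = "/proc") -> Dict[int, Dict[str, str]]:
    """Collect fd link targets for every numeric (process) directory under /proc.

    Unreadable fd tables (no permission, or the process exited during the walk)
    are skipped rather than treated as errors.
    """
    links: Dict[int, Dict[str, str]] = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc, name, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # PermissionError, or the process is already gone
            continue
        entries: Dict[str, str] = {}
        for fd in fds:
            try:
                entries[fd] = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
        links[int(name)] = entries
    return links


def port_to_pid(proc_net_tcp_text: str, fd_links: Dict[int, Dict[str, str]]) -> Dict[int, int]:
    """Join the two tables on the inode: {local port: owning pid}."""
    ports = parse_proc_net_tcp(proc_net_tcp_text)
    owners = inode_to_pid(fd_links)
    return {port: owners[inode] for inode, port in ports.items() if inode in owners}


def live_port_to_pid() -> Dict[int, int]:
    """Same join against the running system (Linux only; needs read access to /proc)."""
    with open("/proc/net/tcp") as f:
        return port_to_pid(f.read(), read_fd_links())


if __name__ == "__main__":
    print(port_to_pid(SAMPLE_PROC_NET_TCP, SAMPLE_FD_LINKS))
```

The join is keyed on the local port only, matching the thread's framing; on a real host you would key on the full (local address, local port) pair, read /proc/net/tcp6 as well for IPv6 sockets, and rebuild the table periodically, since a port's owner can change between the time the table is read and the time a packet is captured.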
@AlmightyLks I know this may seem inefficient, but why not just use
@kayoub5 Interesting point. Could you provide a CLI example to fetch the info filtered by a given inode, so I could mess with it?
Syntax:
It could be slow (due to creating a new child process), but it is accurate and simple.
@AlmightyLks Did you have any luck?
Didn't have the time to look into it yet, but this is also unsuitable imo, especially as this, again, is going to be very unperformant. I also will be away for a while due to personal reasons, so no time to check up on it now.
As this is the feature lacked by most network monitoring tools,
is it possible to add a feature where we capture the traffic by process ID
and then create a wincap file to perform the analysis in Wireshark?
If that can be done, it would be great.
Thanks for this excellent work.
Regards,
Hammad