Tagged: UDP PROCESS

This topic has 4 replies, 2 voices, and was last updated 6 years, 3 months ago by sommainc.

July 22, 2019 at 1:04 pm #11030
I want to know which process sent the UDP packet.
I saw a comment on https://www.ntkernel.com/forums/topic/cget-the-process-a-packet-was-sent-by/. In case of TCP, local <-> remote information can be retrieved through the extended table, but in case of UDP (as far as I know), can get only UDP binding information.
When sending UDP packets from local to remote, is there any way to know which process sent the packet?
July 22, 2019 at 4:54 pm #11031

You can use GetExtendedUdpTable to find the dwLocalAddr:dwLocalPort to dwOwningPid association and then, if necessary, call GetOwnerModuleFromUdpEntry with TCPIP_OWNER_MODULE_INFO_BASIC to obtain pModuleName and pModulePath.
July 22, 2019 at 5:53 pm #11032

According to MSDN and my own test, the information that we can get from MIB_UDPTABLE_OWNER_MODULE or MIB_UDPTABLE_OWNER_PID (we can get those by GetExtendedUdpTable(..., UDP_TABLE_OWNER_MODULE, ...)) is only the UDP listener process's information.
https://docs.microsoft.com/en-us/windows/win32/api/udpmib/ns-udpmib-_mib_udptable_owner_pid

>> The MIB_UDPTABLE_OWNER_PID structure contains the User Datagram Protocol (UDP) listener table for IPv4 on the local computer. The table also includes the process ID (PID) that issued the call to the bind function for each UDP endpoint.

But I need the information of the process that called UDP sendto(). Is there anything I've got wrong? Thanks.
July 22, 2019 at 9:33 pm #11033

Although sendto() can be called on an unbound socket, according to MSDN, "If the socket is unbound, unique values are assigned to the local association by the system, and the socket is then marked as bound". So, I suspect that this is equivalent to calling bind explicitly. However, it is worth testing to make sure.

July 23, 2019 at 10:28 am #11034

Leaving this comment for the record.
Even if you do not explicitly call the bind() function, Windows binds the local port dynamically as described in MSDN, so you can find the information in the UDP extended table.
ref: https://docs.microsoft.com/en-us/windows/win32/api/winsock/nf-winsock-sendto
In previous tests, it was a simple coding mistake that we could not get a PID.
Thanks for your help, Vadim Smirnov 🙂
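The thread's conclusion (look the sender's local endpoint up in the MIB_UDPTABLE_OWNER_PID table, because an implicit bind on sendto() puts it there) is easy to verify end to end, which is also the check a defender wants when attributing outbound UDP traffic to a process. The script below is an added example, not code from the thread or from ntkernel; it assumes Windows PowerShell 5.1 or later on a Windows host, declares the P/Invoke signature for GetExtendedUdpTable itself, and uses names chosen here (IpHlp, Get-UdpOwnerTable). It sends one datagram from an unbound socket to the loopback discard port and then finds its own PID in the table.

```powershell
# Added example (not from the thread): map a UDP endpoint to its owning PID with
# GetExtendedUdpTable(UDP_TABLE_OWNER_PID), then show that a sendto() on an
# unbound socket is enough for the endpoint to appear in that table.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class IpHlp {
    // DWORD GetExtendedUdpTable(PVOID pUdpTable, PDWORD pdwSize, BOOL bOrder,
    //                           ULONG ulAf, UDP_TABLE_CLASS TableClass, ULONG Reserved)
    [DllImport("iphlpapi.dll", SetLastError = true)]
    public static extern uint GetExtendedUdpTable(IntPtr pUdpTable, ref int pdwSize,
        bool bOrder, int ulAf, int TableClass, uint Reserved);
}
"@

$AF_INET = 2
$UDP_TABLE_OWNER_PID = 1   # UDP_TABLE_CLASS value that selects MIB_UDPTABLE_OWNER_PID

function Get-UdpOwnerTable {
    # MIB_UDPTABLE_OWNER_PID layout: DWORD dwNumEntries followed by MIB_UDPROW_OWNER_PID[],
    # each row being { DWORD dwLocalAddr; DWORD dwLocalPort; DWORD dwOwningPid } (12 bytes).
    $size = 0
    # First call with no buffer: returns ERROR_INSUFFICIENT_BUFFER and the size needed.
    [void][IpHlp]::GetExtendedUdpTable([IntPtr]::Zero, [ref]$size, $true, $AF_INET, $UDP_TABLE_OWNER_PID, 0)
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($size)
    try {
        $rc = [IpHlp]::GetExtendedUdpTable($buf, [ref]$size, $true, $AF_INET, $UDP_TABLE_OWNER_PID, 0)
        if ($rc -ne 0) { throw "GetExtendedUdpTable failed, Win32 error $rc" }
        $count = [Runtime.InteropServices.Marshal]::ReadInt32($buf)
        for ($i = 0; $i -lt $count; $i++) {
            $off   = 4 + ($i * 12)
            $addr  = [Runtime.InteropServices.Marshal]::ReadInt32($buf, $off)
            $port  = [Runtime.InteropServices.Marshal]::ReadInt32($buf, $off + 4)
            $owner = [Runtime.InteropServices.Marshal]::ReadInt32($buf, $off + 8)
            [PSCustomObject]@{
                # dwLocalAddr is stored in network byte order; re-emitting the DWORD's
                # in-memory bytes gives IPAddress the octets in the order it expects.
                LocalAddress = [System.Net.IPAddress]::new([byte[]][BitConverter]::GetBytes($addr)).ToString()
                # dwLocalPort holds the port in network byte order in its low 16 bits (ntohs).
                LocalPort    = (($port -band 0xFF) -shl 8) -bor (($port -shr 8) -band 0xFF)
                OwningPid    = $owner
            }
        }
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    }
}

# Demo: send one datagram from an *unbound* socket, then look our own endpoint up.
$udp = New-Object System.Net.Sockets.UdpClient
try {
    $payload = [Text.Encoding]::ASCII.GetBytes("probe")   # constructed payload for the demo
    # Destination is the loopback discard port; nothing leaves the host.
    [void]$udp.Send($payload, $payload.Length, "127.0.0.1", 9)
    # sendto() on an unbound socket makes Windows assign a local port implicitly ...
    $localPort = $udp.Client.LocalEndPoint.Port
    # ... so the endpoint is now in the owner table, attributed to this process.
    $row  = Get-UdpOwnerTable | Where-Object { $_.LocalPort -eq $localPort }
    $proc = Get-Process -Id $row.OwningPid
    "{0}:{1} is owned by PID {2} ({3}); this shell is PID {4}" -f `
        $row.LocalAddress, $row.LocalPort, $row.OwningPid, $proc.ProcessName, $PID
} finally {
    $udp.Close()
}
```

Run it from an elevated or a normal prompt; UDP_TABLE_OWNER_PID does not need administrator rights for the caller's own endpoints, whereas the UDP_TABLE_OWNER_MODULE class mentioned in the answer above adds the module name and path on top of the PID. Note that the table is a snapshot: a process that sends a single datagram and closes the socket immediately will already be gone by the time you query, which is why this lookup works for long-lived sockets but not as a replacement for a driver-level capture.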