WinPacketFilter – determine packet owner app
Tagged: Windows packet filter
- This topic has 7 replies, 2 voices, and was last updated 2 years, 11 months ago by jerry.
November 30, 2021 at 11:55 am #11948
Hi,
is it possible to determine the source/target app of captured packet(s)?
Any sample? In .NET :]
Thanks
Jerry
November 30, 2021 at 12:18 pm #11949
Hi,
The only sample which demonstrates process lookup (using IP Helper API) is Socksify, and it is in C++:
https://github.com/wiresock/ndisapi/tree/master/examples/cpp/socksify
However, it is not a big deal to integrate process_lookup.h into .NET C++/CLI mixed class library (ndisapi.net) and use it there.
November 30, 2021 at 3:22 pm #11950
Hi,
thanks for the quick answer!
You showed me the direction, very much appreciated.
Integrating anything into the mentioned class is beyond my skills, C++ is the dark side :]
Waiting for the ndisapi.net upgrade ;]
Jerry
November 30, 2021 at 3:49 pm #11951
The only thing you need is a couple of IP Helper API functions, GetExtendedTcpTable and GetExtendedUdpTable. Then just match the IP/port information against the information extracted from the packet.
If you need to do that in C#, then here is the sample code: https://www.codeproject.com/Articles/14423/Getting-the-active-TCP-UDP-connections-using-the-G
December 25, 2021 at 4:07 pm #12011
Hi,
I've experimented a little bit with GetExtendedTcpTable / GetExtendedUdpTable. After decoding the packet with the PacketDotNet library, I look this packet up in the proper table. Works well, no performance issue (tested with a torrent client running :-).
Two problems (for now):
Short lifetime of the endpoint in the table – solved with an Event Trace monitor and by delaying removal of the endpoint from another endpoint table.
But a huge number of packets are not found in the table – probably the correct endpoint is not created yet… And because torrent/web browser comms contain a lot of "short" communications – 2-3 packets – I'm unable to identify the owning process. The solution with ETW doesn't work, because the events have 2-3 sec delays…
Any idea? Postpone these (all?) packets? 🙁
My target is:
– store statistics about apps' comms
– control these comms by a user filter – a simple "firewall"
Thanks.
Jerry
December 25, 2021 at 8:54 pm #12012
You should consider one thing about GetExtendedTcpTable / GetExtendedUdpTable. These functions return you only connections available to the application (more precisely, to the user running the application). It is not a problem if you run as a service under the LocalSystem account, but if you execute it under a standard user account, you won't see processes from other users (and services).
December 26, 2021 at 10:04 am #12013
I'm not sure about this…
My app runs with admin privileges under a standard account and I see endpoints for svchost (Local Service/SYSTEM accounts), the Idle process, the System process and so on…
December 26, 2021 at 10:36 am #12014
Sorry, my mistake – wrong IP conversion to uint32.
Most of the unidentified packets had IPs starting with 128 and higher… let's go investigate the rest of the unidentified packets 🙂
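An added C# example, not code from this thread or from ndisapi/ndisapi.net, that puts together the two points above: the GetExtendedTcpTable lookup suggested on November 30 and the unsigned IP conversion from the last post. It assumes Windows (iphlpapi.dll) and C# 7 value tuples; the class and helper names are the example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Runtime.InteropServices;

// Added example, not code from the thread or from ndisapi: snapshot the TCP table via
// GetExtendedTcpTable and resolve a packet's 4-tuple to its owning PID. Windows only.
static class TcpOwnerLookup
{
    // Layout of MIB_TCPROW_OWNER_PID (six DWORDs); sequential layout is the C# default.
    struct TcpRow { public uint State, LocalAddr, LocalPort, RemoteAddr, RemotePort, OwningPid; }
    [DllImport("iphlpapi.dll", SetLastError = true)]
    static extern uint GetExtendedTcpTable(IntPtr table, ref int size, bool sort, int af,
                                           int tableClass, uint reserved);
    const int AF_INET = 2, TCP_TABLE_OWNER_PID_ALL = 5;
    // The port fields hold the port in network byte order in their low 16 bits.
    static ushort Port(uint dw) => (ushort)(((dw & 0xFF) << 8) | ((dw >> 8) & 0xFF));
    // Key the address as the table stores it: network-order bytes read as an unsigned DWORD.
    // Reading them as a signed int sign-extends 128.x.x.x and above, the thread's mistake.
    public static uint AddrKey(IPAddress a) => BitConverter.ToUInt32(a.GetAddressBytes(), 0);
    // (localAddr, localPort, remoteAddr, remotePort) -> owning PID
    public static Dictionary<(uint, ushort, uint, ushort), uint> Snapshot()
    {
        int size = 0;
        GetExtendedTcpTable(IntPtr.Zero, ref size, false, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0);
        IntPtr buf = Marshal.AllocHGlobal(size);
        try
        {
            uint rc = GetExtendedTcpTable(buf, ref size, false, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0);
            if (rc != 0) throw new System.ComponentModel.Win32Exception((int)rc);
            int count = Marshal.ReadInt32(buf);   // dwNumEntries; rows follow immediately
            var table = new Dictionary<(uint, ushort, uint, ushort), uint>();
            for (int i = 0; i < count; i++)
            {
                var r = Marshal.PtrToStructure<TcpRow>(buf + 4 + i * Marshal.SizeOf<TcpRow>());
                table[(r.LocalAddr, Port(r.LocalPort), r.RemoteAddr, Port(r.RemotePort))] = r.OwningPid;
            }
            return table;
        }
        finally { Marshal.FreeHGlobal(buf); }
    }
    // Match the packet as outbound (source is the local end) first, then as inbound.
    public static uint? OwnerOf(Dictionary<(uint, ushort, uint, ushort), uint> t,
                                IPAddress src, ushort sport, IPAddress dst, ushort dport)
    {
        if (t.TryGetValue((AddrKey(src), sport, AddrKey(dst), dport), out uint pid)) return pid;
        if (t.TryGetValue((AddrKey(dst), dport, AddrKey(src), sport), out pid)) return pid;
        return null;  // not (yet) in the table: handshake in flight or connection already gone
    }
}
```

Listening sockets appear with local address 0.0.0.0 and a zero remote end, so the first inbound SYN to a server port needs a second lookup against (0, dport, 0, 0); UDP uses GetExtendedUdpTable, whose rows carry only the local address and port.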