Forum Replies Created
Sorry, my mistake – wrong IP conversion to uint32.
Most of the unidentified packets were those with an IP starting with 128 and higher… let’s go investigate the rest of the unidentified packets 🙂
I’m not sure about this…
My app runs with admin privileges under a standard account and I see endpoints for svchost (Local Service/SYSTEM accounts), the Idle process, the System process and so on…
Hi,
I’ve experimented a little bit with GetExtendedTcpTable / GetExtendedUdpTable. After decoding a packet with the PacketDotNet library, I look the packet up in the proper table. Working well, no performance issue (tested with a torrent client running :-).
Two problems (for now):
Short lifetime of an endpoint in the table – solved with the Event Trace monitor and by delaying removal of the endpoint from another endpoint table.
But a huge number of packets are not found in the table – probably the correct endpoint is not created yet… And because torrent/web browser comms contain lots of “short” communications of 2-3 packets, I’m unable to identify the owning process. The solution with ETW doesn’t work, because the events have 2-3 sec delays…
Any idea? Postpone these (all?) packets? 🙁
My target is:
– store statistics about app comms
– control these comms by a user filter – a simple “firewall”
Thanks.
Jerry
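Added example, not Jerry's code and not part of ndisapi.net or PacketDotNet: a C# P/Invoke snapshot of GetExtendedTcpTable/GetExtendedUdpTable keyed so that the addresses and ports from a decoded packet can be matched to an owning PID, with a fallback to the LISTEN socket for the first packets of an inbound TCP connection (which predate the connection row). It also shows the address packing that caused the uint32 mix-up above: MIB rows store IPv4 addresses and ports in network byte order. Assumes Windows and IPv4 only; the class and method names (OwnerSnapshot, Find, Pack, ReadTable) are mine.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Net;
using System.Runtime.InteropServices;

// Snapshot of the IPv4 TCP/UDP owner tables, looked up by packet 4-tuple.
public sealed class OwnerSnapshot
{
    const int AF_INET = 2;
    const uint ERROR_INSUFFICIENT_BUFFER = 122;
    const int TCP_TABLE_OWNER_PID_ALL = 5;   // TCP_TABLE_CLASS value
    const int UDP_TABLE_OWNER_PID = 1;       // UDP_TABLE_CLASS value
    const uint MIB_TCP_STATE_LISTEN = 2;

    [StructLayout(LayoutKind.Sequential)]
    struct MIB_TCPROW_OWNER_PID
    {
        public uint dwState;
        public uint dwLocalAddr;   // IPv4, network byte order
        public uint dwLocalPort;   // port in network byte order, low 16 bits
        public uint dwRemoteAddr;
        public uint dwRemotePort;
        public uint dwOwningPid;
    }

    [StructLayout(LayoutKind.Sequential)]
    struct MIB_UDPROW_OWNER_PID { public uint dwLocalAddr; public uint dwLocalPort; public uint dwOwningPid; }

    [DllImport("iphlpapi.dll")]
    static extern uint GetExtendedTcpTable(IntPtr table, ref int size, bool order, int af, int cls, uint reserved);
    [DllImport("iphlpapi.dll")]
    static extern uint GetExtendedUdpTable(IntPtr table, ref int size, bool order, int af, int cls, uint reserved);

    delegate uint TableCall(IntPtr table, ref int size);

    // Two-call pattern: first call reports the needed size, second fills the buffer.
    // Both table structs are a DWORD dwNumEntries followed by packed rows of DWORDs.
    static List<T> ReadTable<T>(TableCall call) where T : struct
    {
        int size = 0;
        uint rc = call(IntPtr.Zero, ref size);
        if (rc != ERROR_INSUFFICIENT_BUFFER) throw new Win32Exception((int)rc);
        IntPtr buf = Marshal.AllocHGlobal(size);
        try
        {
            rc = call(buf, ref size);
            if (rc != 0) throw new Win32Exception((int)rc);
            int count = Marshal.ReadInt32(buf), rowSize = Marshal.SizeOf(typeof(T));
            var rows = new List<T>(count);
            for (int i = 0; i < count; i++)
                rows.Add((T)Marshal.PtrToStructure(IntPtr.Add(buf, 4 + i * rowSize), typeof(T)));
            return rows;
        }
        finally { Marshal.FreeHGlobal(buf); }
    }

    // The conversion that went wrong in the thread: the row's DWORD is the four octets in
    // memory order, so reading the packet's address bytes as a little-endian uint matches it
    // directly; converting the dotted address to a host-order integer does not.
    public static uint Pack(IPAddress ip) => BitConverter.ToUInt32(ip.GetAddressBytes(), 0); // IPv4 only
    static int ToPort(uint netOrder) => (int)(((netOrder & 0xFF) << 8) | ((netOrder >> 8) & 0xFF));

    readonly Dictionary<(uint, int, uint, int), uint> tcp = new Dictionary<(uint, int, uint, int), uint>();
    readonly Dictionary<(uint, int), uint> tcpListen = new Dictionary<(uint, int), uint>();
    readonly Dictionary<(uint, int), uint> udp = new Dictionary<(uint, int), uint>();

    public OwnerSnapshot()
    {
        foreach (var r in ReadTable<MIB_TCPROW_OWNER_PID>((IntPtr t, ref int n) =>
                     GetExtendedTcpTable(t, ref n, false, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0)))
        {
            if (r.dwState == MIB_TCP_STATE_LISTEN)
                tcpListen[(r.dwLocalAddr, ToPort(r.dwLocalPort))] = r.dwOwningPid;
            else
                tcp[(r.dwLocalAddr, ToPort(r.dwLocalPort), r.dwRemoteAddr, ToPort(r.dwRemotePort))] = r.dwOwningPid;
        }
        foreach (var r in ReadTable<MIB_UDPROW_OWNER_PID>((IntPtr t, ref int n) =>
                     GetExtendedUdpTable(t, ref n, false, AF_INET, UDP_TABLE_OWNER_PID, 0)))
            udp[(r.dwLocalAddr, ToPort(r.dwLocalPort))] = r.dwOwningPid;
    }

    // Resolve a decoded packet to a PID, or null if no socket in this snapshot matches.
    public uint? Find(IPAddress src, int srcPort, IPAddress dst, int dstPort, bool isUdp)
    {
        uint s = Pack(src), d = Pack(dst);
        // A captured packet may be either direction, so try both orientations of local/remote.
        foreach (var (la, lp, ra, rp) in new[] { (s, srcPort, d, dstPort), (d, dstPort, s, srcPort) })
        {
            if (isUdp)
            {   // UDP rows carry only the local side; a local address of 0 means bound to any interface.
                if (udp.TryGetValue((la, lp), out var p) || udp.TryGetValue((0u, lp), out p)) return p;
            }
            else
            {
                if (tcp.TryGetValue((la, lp, ra, rp), out var p)) return p;
                // SYN/SYN-ACK arrive before the connection row exists: attribute to the listener.
                if (tcpListen.TryGetValue((la, lp), out p) || tcpListen.TryGetValue((0u, lp), out p)) return p;
            }
        }
        return null;
    }

    static void Main()
    {
        var snap = new OwnerSnapshot();
        // Constructed sample tuple; substitute the fields of a real decoded packet.
        uint? pid = snap.Find(IPAddress.Parse("192.168.1.5"), 51000, IPAddress.Parse("93.184.216.34"), 443, false);
        Console.WriteLine(pid.HasValue ? "owner pid " + pid : "no matching socket in snapshot");
    }
}
```

A snapshot is a point-in-time view, so the failure mode Jerry describes is inherent to it: a flow of 2-3 packets can be created and torn down between two calls. On a miss it is worth taking one fresh snapshot before giving up (the calls are cheap, as the post notes), and the LISTEN fallback covers the inbound case where the first packet always precedes the connection row; outbound flows that are gone by the time of the next snapshot still cannot be attributed from these tables alone.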
Hi,
thanks for the quick answer!
You showed me the direction, very much appreciated.
Integrating anything into the mentioned class is beyond my skills; C++ is the dark side :]
Waiting for the ndisapi.net upgrade ;]
Jerry