Is it possible to find which appliction sends what packets?

Hi guys
Imagine that I've written a packet sniffer to scan my network activity as Data mining purpose.

I'm curious is it possible to find out the application names too ? so that I can add the name in my database :)..

Thanks in advance

Each program that sends packets more then likely has a predefined structure, so you could read first few bytes of packet and get most likely program.

Also if you check the port that could be more helpful as there uassly unique.

Another would be check destination ip. Have a list you check against(somthing like this).

PortUsed,DestIp:NameOfProgram

Read in whole file when app starts. Use , as delimiter and read in vars to check against and : to read in name of app. There is nice containers you could use to link vars to name. Or just recursively search each line till match found or EOF.

Hi,

Use GetTcpTable() function it will do the job you need.

GL
I don't know how this function alone will get you the EXE file which send/receive data on the network.

There is an undocumented way by using AllocateAndGetTcpExTableFromStack() and AllocateAndGetUdpExTableFromStack() from IpHelperApi whose prototypes are:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
typedef struct _MIB_TCPTABLE_EX
{
DWORD dwNumEntries;
MIB_TCPROW_EX table[ANY_SIZE];
} MIB_TCPTABLE_EX, *PMIB_TCPTABLE_EX;    

typedef struct _MIB_TCPROW_EX{
DWORD dwState; 
DWORD dwLocalAddr;
DWORD dwLocalPort;
DWORD dwRemoteAddr;
DWORD dwRemotePort;
DWORD dwProcessId;
} MIB_TCPROW_EX, *PMIB_TCPROW_EX;

AllocateAndGetTcpExTableFromStack(PMIB_TCPTABLE_EX*,
   BOOL,HANDLE,DWORD,DWORD);
        


Source:
http://www.codeproject.com/Articles/4298/Getting-active-TCP-UDP-connections-on-a-box


Once you have the PID is a piece of cake to use QueryFullProcessImageName() to get actual executable name.
http://msdn.microsoft.com/en-us/library/windows/desktop/ms684919(v=vs.85).aspx
Last edited on
Topic archived. No new replies allowed.