- So far the closest thing to what I am looking for is Microsoft Network Monitor "Thank you Carlos!". It tries its best to figure out the application name ... tries its best, but it is NOT accurate due to the way the developers decided to achieve this feature ("take snapshot of network connections on specific time intervals"); this will lead to missing short-lived processes/connections. Please read this post if you are interested in the details: http://social.technet.microsoft.com/Forums/en-US/netmon/thread/aa1d0602-edbf-4679-a090-67d6d6fd04ee

If we are fine with that, we can create a list of running processes then do something like (for each running process) do

  nmcap /network * /capture "Conversation.ProcessName == 'ProcessName.exe'" /File D:\ProcessName.cap /CaptureProcesses

and call it a day. Thank you Carlos, yet again.

- When Allison mentioned Carbon Black and procmon ... it suddenly came to me, there's no need to do it "live", my (alternative) approach will be as follows:

* Capture ALL traffic using dumpcap/tshark "nothing will be ever missed"
* Record all network activity using procmon "nothing will be ever missed"
* export procmon log as CSV
* parse CSV file, get unique process names, ports, hosts, timestamps ...etc. per process
* Use tshark to read the full PCAP then create a new file using a "-R" filter prepared with some CLKF using the parsed info from the CSV file

and since both procmon and tshark are running on the same box, there should be no discrepancies between timestamps "right?"

The problem(s) I currently have are the following:
- I can't find a way to make ProcMon *NOT* resolve IP addresses and ports to services "443->HTTPS" (!)
- I can't find a way to make ProcMon export date AND time ... not only time. "that's more of an annoyance than a problem"

Thank you guys "+ Allison Nixon", If I reached something mature enough will ping the list with the update.

Best regards,
Sherif.

On Tue, Mar 12, 2013 at 8:22 PM, Sandro Gauci <[email protected]> wrote:
> On OSX, Little Snitch (commercial desktop firewall) can dump pcaps for
> selected processes.
> Only tried it once myself (and I'm not an active little
> snitch user) but it seems pretty cool and similar to what you're asking for:
>
> http://www.chrisle.me/2012/11/little-snitchs-hidden-pcap-network-sniffer/
>
>
> Sandro Gauci
> Penetration tester and security researcher
> Email: [email protected]
> Web: http://enablesecurity.com/
> PGP: 8028 D017 2207 1786 6403 CD45 2B02 CBFE 9549 3C0C
>
>
> On Tue, Mar 12, 2013 at 1:28 PM, Jim Halfpenny <[email protected]> wrote:
>>
>> Hi,
>> Slightly off topic but a useful feature of iptables on Linux is the
>> ability to filter traffic by user. The link below gives an example of how to
>> block traffic for a particular user.
>>
>> http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html
>>
>> Another great option is --tee which can copy traffic based on whatever
>> rules you apply.
>>
>> http://www.bjou.de/blog/2008/05/howto-copyteeclone-network-traffic-using-iptables/
>>
>> So if you wanted to record on a per-user basis on Linux (useful for
>> service/daemon users) you could use ipt_user and tee functions to mirror
>> that traffic and tcpdump it out there or just use ipt_user to log flows. Not
>> entirely relevant but I hope it's useful.
>>
>> Regards,
>> Jim
>>
>> On 12 March 2013 11:54, Hans Kokx <[email protected]> wrote:
>>>
>>> > If you add the p parameter to netstat it gives you the process id
>>> > associated with the connection.
>>>
>>> In Linux, yeah. Mac doesn't support -p though. :(
>>>
>>> --
>>> Hans Kokx
>>>
>>> On Tuesday, March 12, 2013 at 3:32 AM, Robin Wood wrote:
>>>
>>> On Mar 12, 2013 4:20 AM, "Hans Kokx" <[email protected]> wrote:
>>> >
>>> > This sounded like an interesting challenge, so I whipped something
>>> > together that seems to work. Maybe it's what you're looking for, or maybe
>>> > not.
>>> >
>>> > So, the idea I came up with is relatively simple: each process is going
>>> > to open an ephemeral port to connect to the known port of the service.
>>> > Let's take, for example, a simple SOCKS5 proxy I've tossed together over
>>> > SSH:
>>> >
>>> > nohup ssh -D 8000 -C -N [email protected] >/dev/null 2>&1 &
>>> >
>>> > I typically use this everywhere that's not at home, and push ALL my
>>> > traffic through it. Hey, security.
>>> >
>>> > Anywho, on my mac, I was able to find the ephemeral port that it was
>>> > using:
>>> >
>>> > $ netstat -ntl|grep 192.168.1.5|grep 22
>>> > tcp4 0 0 192.168.1.156.61697 192.168.1.5.22 ESTABLISHED
>>> >
>>> > Now we've got an ephemeral port to work with. Some clever awk- and
>>> > sed- foo and you can grab JUST that port.
>>> >
>>> > Capturing the traffic is simple enough….
>>> >
>>> > $ tcpdump src port 61697
>>> >
>>> > So, we've got the traffic for this individual socket, but who does it
>>> > belong to?
>>> >
>>> > $ sudo lsof -i 4tcp:61697
>>> > Password:
>>> > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
>>> > ssh 17878 hkokx 3u IPv4 0x225a0a58298b9315 0t0 TCP 192.168.1.156:61697->myhost.com:ssh (ESTABLISHED)
>>> >
>>> > There's your pid and process name.
>>>
>>> If you add the p parameter to netstat it gives you the process id
>>> associated with the connection.
>>>
>>> Robin
>>>
>>> > This was fun. Thanks for the challenge. :)
>>> > --
>>> > Hans Kokx
>>> >
>>> > On Tuesday, March 12, 2013 at 12:03 AM, Sherif El-Deeb wrote:
>>> >>
>>> >> I have been trying to figure out a way to "capture/filter" network
>>> >> traffic per process, not per host/interface in a windows environment
>>> >> "even though I'd be curious to know how that could be done in *n?x/OS
>>> >> X" .
>>> >>
>>> >> What I want to achieve is create a PCAP file for each process id that
>>> >> was executed and communicated over the network.
>>> >>
>>> >> help, please.
>>> >> Thanks and regards,
>>> >>
>>> >> Sherif.
>>> >> _______________________________________________
>>> >> Pauldotcom mailing list
>>> >> [email protected]
>>> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>> >> Main Web Site: http://pauldotcom.com
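The "parse the procmon CSV, then carve the full pcap per process with tshark" step that Sherif describes at the top of the thread, as an added example that is not code from the thread or from any of its participants. It assumes a Process Monitor CSV export with the columns "Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail" and network events whose Path reads "src:port -> dst:port"; the rows in SAMPLE_CSV are constructed, not real data. It also addresses the two annoyances raised: service names such as "https" are mapped back to port numbers via the local services database (with a small constructed fallback table), and the missing date is supplied by the caller and combined with the time-of-day column. The frame.time comparison format and the use of -Y (which replaced -R as tshark's single-pass display-filter option) are assumptions about current tshark.

```python
"""Turn a Process Monitor CSV export into per-process tshark display filters.

Example code for the thread's procmon + dumpcap workflow; not from the thread.
CSV layout and the "src:port -> dst:port" Path form are assumptions about
procmon's export; SAMPLE_CSV below is constructed sample data.
"""
import csv
import io
import ipaddress
import socket
from datetime import date, datetime, timedelta

# Constructed sample export: "Show Resolved Network Addresses" was left on, so
# ports appear as service names (https, domain, ssh) and the time column has
# no date, exactly the two problems described in the thread.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:05:12.1234567 PM","chrome.exe","4120","TCP Connect","mybox:54001 -> 93.184.216.34:https","SUCCESS","Length: 0, mss: 1460"
"9:05:12.2000000 PM","chrome.exe","4120","TCP Send","mybox:54001 -> 93.184.216.34:https","SUCCESS","Length: 517"
"9:05:13.0000000 PM","svchost.exe","1188","UDP Send","mybox:61234 -> 192.168.1.1:domain","SUCCESS","Length: 48"
"9:05:14.5000000 PM","ssh.exe","7731","TCP Connect","mybox:54002 -> gateway.example:ssh","SUCCESS","Length: 0"
'''
CAPTURE_DAY = date(2013, 3, 12)   # the date procmon's export does not carry

# Constructed fallback for hosts without a services database (assumption).
FALLBACK_PORTS = {"http": 80, "https": 443, "domain": 53, "ssh": 22, "ntp": 123}


def port_number(token, proto):
    """Map '443' or 'https' back to 443, undoing procmon's service resolution."""
    if token.isdigit():
        return int(token)
    try:
        return socket.getservbyname(token, proto)
    except OSError:
        return FALLBACK_PORTS[token]


def split_endpoint(endpoint, proto):
    """'93.184.216.34:https' -> ('93.184.216.34', 443); '[::1]:domain' also works."""
    host, _, port = endpoint.strip().rpartition(":")
    return host.strip("[]"), port_number(port, proto)


def parse_time_of_day(text, day):
    """'9:05:12.1234567 PM' plus a date -> datetime.

    Procmon prints seven fractional digits and strptime's %f takes six, so
    the 100 ns digit is dropped; pcap timestamps are microsecond anyway.
    """
    clock, ampm = text.rsplit(" ", 1)
    hms, _, frac = clock.partition(".")
    micro = (frac + "000000")[:6]
    t = datetime.strptime(f"{hms}.{micro} {ampm}", "%I:%M:%S.%f %p").time()
    return datetime.combine(day, t)


def parse_procmon_csv(text, day):
    """Group network events by (process name, pid).

    Returns {(name, pid): {"flows": {(proto, src_port, dst_host, dst_port)},
                           "first": datetime, "last": datetime}}.
    """
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        op = row["Operation"]
        if not (op.startswith("TCP ") or op.startswith("UDP ")):
            continue                       # file/registry events are not wanted
        proto = op[:3].lower()
        src, _, dst = row["Path"].partition("->")
        _, src_port = split_endpoint(src, proto)
        dst_host, dst_port = split_endpoint(dst, proto)
        when = parse_time_of_day(row["Time of Day"], day)
        key = (row["Process Name"], int(row["PID"]))
        entry = procs.setdefault(key, {"flows": set(), "first": when, "last": when})
        entry["flows"].add((proto, src_port, dst_host, dst_port))
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
    return procs


def wireshark_time(dt):
    """Absolute-time literal for frame.time comparisons (assumed format)."""
    return dt.strftime("%b %d, %Y %H:%M:%S.%f")


def display_filter(entry, slack=timedelta(seconds=1)):
    """Build one display filter: the process's flows, bounded by its active window.

    Ephemeral ports get reused by later processes, so the time window matters
    as much as the port list; `slack` pads both ends against log/capture skew.
    """
    clauses = []
    for proto, src_port, dst_host, dst_port in sorted(entry["flows"]):
        clause = f"{proto}.port == {src_port} && {proto}.port == {dst_port}"
        try:
            field = "ipv6.addr" if ipaddress.ip_address(dst_host).version == 6 else "ip.addr"
            clause += f" && {field} == {dst_host}"   # literal IP: pin the peer too
        except ValueError:
            pass                                    # resolved hostname: not usable here
        clauses.append(f"({clause})")
    start = wireshark_time(entry["first"] - slack)
    end = wireshark_time(entry["last"] + slack)
    return f'frame.time >= "{start}" && frame.time <= "{end}" && ({" || ".join(clauses)})'


def tshark_commands(procs, full_pcap="full.pcap"):
    """One carve command per process; file names are constructed from name_pid."""
    return {key: f"tshark -r {full_pcap} -Y '{display_filter(entry)}' -w {key[0]}_{key[1]}.pcap"
            for key, entry in procs.items()}


if __name__ == "__main__":
    for key, cmd in tshark_commands(parse_procmon_csv(SAMPLE_CSV, CAPTURE_DAY)).items():
        print(key, cmd, sep="\n  ")
```

Point it at the real export by reading the CSV file into `parse_procmon_csv` and passing the day the capture was taken. Because procmon and dumpcap run on the same box, the time window in the filter is what keeps a reused ephemeral port from pulling a later process's packets into the wrong file; the one-second slack covers the small gap between procmon's event timestamp and the packet timestamp.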
