no problem. i think your procmon problem might be solved if you use carbon black. i remember the outputs contain unresolved ip addresses, port number, and protocol(tcp/udp). it has a 30 day free trial.

On Wed, Mar 13, 2013 at 2:51 PM, Sherif El-Deeb <[email protected]> wrote:
> - So far the closest thing to what I am looking for is Microsoft
> Network Monitor "Thank you Carlos!", it tries its best to figure out
> the application name ... tries its best, but it is NOT accurate due to
> the way the developers decided to achieve this feature "take snapshot
> of network connections on specific time intervals", this will lead to
> missing short-lived processes/connections, please read this post if
> you are interested in the details:
>
> http://social.technet.microsoft.com/Forums/en-US/netmon/thread/aa1d0602-edbf-4679-a090-67d6d6fd04ee
>
> If we are fine with that, we can create a list of running processes
> then do something like (for each running process) do (nmcap /network *
> /capture "Conversation.ProcessName == 'ProcessName.exe'" /File
> D:\ProcessName.cap /CaptureProcesses) and call it a day.
>
> Thank you Carlos, yet again.
>
> - When Allison mentioned Carbon Black and procmon ... it suddenly came
> to me, there's no need to do it "live", my (alternative) approach will
> be as follows:
> * Capture ALL traffic using dumpcap/tshark "nothing will be ever missed"
> * Record all network activity using procmon "nothing will be ever missed"
> * export procmon log as CSV
> * parse CSV file, get unique process names, ports, hosts, timestamps
> ...etc. per process
> * Use tshark to read the full PCAP then create a new file using a "-R"
> filter prepared with some CLKF using the parsed info from the CSV file
> and since both procmon and tshark are running on the same box, there
> should be no discrepancies between timestamps "right?"
>
> The problem(s) I currently have are the following:
> - I can't find a way to make ProcMon *NOT* resolve IP addresses and
> ports to services "443->HTTPS" (!)
> - I can't find a way to make ProcMon export date AND time ... not
> only time. "that's more of an annoyance than a problem"
>
> Thank you guys "+ Allison Nixon", If I reach something mature enough I
> will ping the list with the update.
> Best regards,
> Sherif.
>
> On Tue, Mar 12, 2013 at 8:22 PM, Sandro Gauci <[email protected]> wrote:
> > On OSX, Little Snitch (commercial desktop firewall) can dump pcaps for
> > selected processes. Only tried it once myself (and I'm not an active little
> > snitch user) but it seems pretty cool and similar to what you're asking for:
> >
> > http://www.chrisle.me/2012/11/little-snitchs-hidden-pcap-network-sniffer/
> >
> > Sandro Gauci
> > Penetration tester and security researcher
> > Email: [email protected]
> > Web: http://enablesecurity.com/
> > PGP: 8028 D017 2207 1786 6403 CD45 2B02 CBFE 9549 3C0C
> >
> > On Tue, Mar 12, 2013 at 1:28 PM, Jim Halfpenny <[email protected]> wrote:
> >> Hi,
> >> Slightly off topic but a useful feature of iptables on Linux is the
> >> ability to filter traffic by user. The link below gives an example of how to
> >> block traffic for a particular user.
> >>
> >> http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html
> >>
> >> Another great option is --tee which can copy traffic based on whatever
> >> rules you apply.
> >>
> >> http://www.bjou.de/blog/2008/05/howto-copyteeclone-network-traffic-using-iptables/
> >>
> >> So if you wanted to record on a per-user basis on Linux (useful for
> >> service/daemon users) you could use ipt_user and tee functions to mirror
> >> that traffic and tcpdump it out there or just use ipt_user to log flows. Not
> >> entirely relevant but I hope it's useful.
> >>
> >> Regards,
> >> Jim
> >>
> >> On 12 March 2013 11:54, Hans Kokx <[email protected]> wrote:
> >>> > If you add the p parameter to netstat it gives you the process id
> >>> > associated with the connection.
> >>>
> >>> In Linux, yeah. Mac doesn't support -p though. :(
> >>>
> >>> --
> >>> Hans Kokx
> >>>
> >>> On Tuesday, March 12, 2013 at 3:32 AM, Robin Wood wrote:
> >>>
> >>> On Mar 12, 2013 4:20 AM, "Hans Kokx" <[email protected]> wrote:
> >>> >
> >>> > This sounded like an interesting challenge, so I whipped something
> >>> > together that seems to work. Maybe it's what you're looking for, or maybe
> >>> > not.
> >>> >
> >>> > So, the idea I came up with is relatively simple: each process is going
> >>> > to open an ephemeral port to connect to the known port of the service.
> >>> > Let's take, for example, a simple SOCKS5 proxy I've tossed together over
> >>> > SSH:
> >>> >
> >>> > nohup ssh -D 8000 -C -N [email protected] >/dev/null 2>&1 &
> >>> >
> >>> > I typically use this everywhere that's not at home, and push ALL my
> >>> > traffic through it. Hey, security.
> >>> >
> >>> > Anywho, on my mac, I was able to find the ephemeral port that it was
> >>> > using:
> >>> >
> >>> > $ netstat -ntl|grep 192.168.1.5|grep 22
> >>> > tcp4 0 0 192.168.1.156.61697 192.168.1.5.22 ESTABLISHED
> >>> >
> >>> > Now we've got an ephemeral port to work with. Some clever awk- and
> >>> > sed- foo and you can grab JUST that port.
> >>> >
> >>> > Capturing the traffic is simple enough….
> >>> >
> >>> > $ tcpdump src port 61697
> >>> >
> >>> > So, we've got the traffic for this individual socket, but who does it
> >>> > belong to?
> >>> >
> >>> > $ sudo lsof -i 4tcp:61697
> >>> > Password:
> >>> > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> >>> > ssh 17878 hkokx 3u IPv4 0x225a0a58298b9315 0t0 TCP 192.168.1.156:61697->myhost.com:ssh (ESTABLISHED)
> >>> >
> >>> > There's your pid and process name.
> >>>
> >>> If you add the p parameter to netstat it gives you the process id
> >>> associated with the connection.
> >>>
> >>> Robin
> >>>
> >>> > This was fun. Thanks for the challenge. :)
> >>> > --
> >>> > Hans Kokx
> >>> >
> >>> > On Tuesday, March 12, 2013 at 12:03 AM, Sherif El-Deeb wrote:
> >>> >>
> >>> >> I have been trying to figure out a way to "capture/filter" network
> >>> >> traffic per process, not per host/interface in a windows environment
> >>> >> "even though I'd be curious to know how that could be done in *n?x/OS
> >>> >> X" .
> >>> >>
> >>> >> What I want to achieve is create a PCAP file for each process id that
> >>> >> was executed and communicated over the network.
> >>> >>
> >>> >> help, please.
> >>> >> Thanks and regards,
> >>> >>
> >>> >> Sherif.
> >>> >> _______________________________________________
> >>> >> Pauldotcom mailing list
> >>> >> [email protected]
> >>> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> >>> >> Main Web Site: http://pauldotcom.com
>
> --
> _________________________________
> Note to self: Pillage BEFORE burning.
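A worked version of the "parse the Procmon CSV, then carve per-process PCAPs with tshark" step from Sherif's plan, added here as an example; it is not code from anyone in the thread. It assumes a Procmon CSV export with the columns "Time of Day", "Process Name", "PID", "Operation" and "Path", network paths of the form `local:port -> remote:port` in which Procmon may have written a service name such as `https` in place of the port number (the "443->HTTPS" complaint above, which the script maps back to numbers), a full capture written by dumpcap to `full.pcap`, and a capture date supplied by hand because the export carries only the time of day. The CSV rows, host names and PIDs are constructed. The script prints tshark command lines rather than running them, and pads each process's time window by one second: even on one box, Procmon's timestamps and the capture driver's packet timestamps come from different clocks, so an exact-to-the-millisecond match should not be assumed.

```python
"""Per-process PCAP carving from a Procmon CSV export plus a full capture.

Added example, not code from the thread. Assumed input layout:
  * Procmon CSV columns "Time of Day", "Process Name", "PID", "Operation",
    "Path"; network Paths look like "local:port -> remote:port" and the port
    may be a service name ("https") if Procmon resolved it.
  * The capture date is passed in separately (the export has only the time).
  * A full capture, e.g. from dumpcap, sits at FULL_PCAP; nothing is executed.
"""
import csv
import io
import shlex
import socket
from datetime import date, datetime, timedelta

FULL_PCAP = "full.pcap"            # assumption: dumpcap -w full.pcap
EXAMPLE_DAY = date(2013, 3, 13)    # assumption: the day the capture was taken
TIME_SLACK = timedelta(seconds=1)  # margin for Procmon vs. capture-driver clock drift

# Constructed sample export; not real Procmon output.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"2:51:03.1234567 PM","ssh.exe","17878","TCP Connect","HOST-A:61697 -> 192.168.1.5:22","SUCCESS","Length: 0"
"2:51:03.2000000 PM","ssh.exe","17878","TCP Send","HOST-A:61697 -> 192.168.1.5:22","SUCCESS","Length: 43"
"2:51:05.0000001 PM","chrome.exe","4120","TCP Connect","HOST-A:50001 -> 93.184.216.34:https","SUCCESS","Length: 0"
"2:51:05.5000000 PM","chrome.exe","4120","UDP Send","HOST-A:53012 -> 192.168.1.1:domain","SUCCESS","Length: 38"
"2:51:06.0000000 PM","explorer.exe","1234","RegQueryValue","HKCU\\Software\\Example","SUCCESS",""
"""

# Used when the OS services database is missing or does not know the name.
FALLBACK_SERVICES = {"http": 80, "https": 443, "domain": 53, "ssh": 22, "ntp": 123}


def port_number(token):
    """Map '443' or a Procmon-resolved service name like 'https' to an int port."""
    if token.isdigit():
        return int(token)
    name = token.lower()
    try:
        return socket.getservbyname(name)
    except OSError:
        if name in FALLBACK_SERVICES:
            return FALLBACK_SERVICES[name]
        raise ValueError(f"unknown service name in Procmon path: {token}")


def parse_procmon_time(text, day=EXAMPLE_DAY):
    """Procmon writes 'H:MM:SS.fffffff AM'; strptime's %f accepts at most 6 digits."""
    clock, ampm = text.rsplit(" ", 1)
    hms, frac = clock.split(".")
    t = datetime.strptime(f"{hms}.{frac[:6]} {ampm}", "%I:%M:%S.%f %p")
    return datetime.combine(day, t.time())


def summarize(csv_text, day=EXAMPLE_DAY):
    """Group TCP/UDP events per (process name, PID): flow tuples plus first/last time."""
    procs = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        op = row["Operation"]
        if op[:4] not in ("TCP ", "UDP ") or " -> " not in row["Path"]:
            continue  # registry, file and process events carry no socket
        local, remote = row["Path"].split(" -> ", 1)
        _, lport = local.rsplit(":", 1)
        rhost, rport = remote.rsplit(":", 1)
        flow = (op[:3].lower(), rhost.strip("[]"), port_number(rport), port_number(lport))
        ts = parse_procmon_time(row["Time of Day"], day)
        key = (row["Process Name"], int(row["PID"]))
        entry = procs.setdefault(key, {"flows": set(), "first": ts, "last": ts})
        entry["flows"].add(flow)
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return procs


def display_filter(entry, slack=TIME_SLACK):
    """tshark display filter: this process's flows inside its (padded) time window."""
    clauses = []
    for proto, rhost, rport, lport in sorted(entry["flows"]):
        addr = "ipv6.addr" if ":" in rhost else "ip.addr"
        clauses.append(f"({addr} == {rhost} && {proto}.port == {rport} && {proto}.port == {lport})")
    fmt = "%b %d, %Y %H:%M:%S"  # date form accepted by frame.time comparisons
    lo = (entry["first"] - slack).strftime(fmt)
    hi = (entry["last"] + slack).strftime(fmt)
    return f'frame.time >= "{lo}" && frame.time <= "{hi}" && ({" || ".join(clauses)})'


def tshark_commands(procs, full_pcap=FULL_PCAP, out_dir="."):
    """One argv list per process: read the full capture, keep its flows, write a PCAP."""
    cmds = []
    for (name, pid), entry in sorted(procs.items()):
        out = f"{out_dir}/{name}_{pid}.pcap"
        cmds.append(["tshark", "-r", full_pcap, "-Y", display_filter(entry), "-w", out])
    return cmds


if __name__ == "__main__":
    for cmd in tshark_commands(summarize(SAMPLE_CSV)):
        print(" ".join(shlex.quote(part) for part in cmd))
```

`-Y` is the display-filter option on current tshark; the `-R` option mentioned in the thread is now a read filter that has to be combined with two-pass mode (`-2`). Matching on the local ephemeral port together with the remote address and port is what ties packets to one socket, which is the same trick Hans used with netstat and lsof; the time window is there only to stop a later process that reuses the same ephemeral port from being swept into an earlier process's file.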
