On 10 July 2010 22:26, Guy Harris <[email protected]> wrote:
>
>> 2) Re "do it by looking up remote IP address/port/protocol information in
>> the OS's table of sockets to see what process, if any, has that socket" - do
>> I assume by this you mean access the above-mentioned MIBs via use of the
>> above-mentioned IP Helper Functions? I can't see from the doco how these
>> tables would be used to obtain per application/process network usage figures?
>
> I wasn't saying you'd use that to obtain per-process or per-application
> network usage figures.
>
> I was saying that you'd use that to associate particular packets with the
> processes that probably sent or received those processes, and compute the
> statistics yourself based on that. That's probably what Network Monitor does
> to give you statistics like that.

How's this as a best guess to how one would do the correlation? (haven't coded it to try yet)

* From the packet captured, get the source & destination IP address and TCP ports
* Iterate through the rows from IP Helper "GetTcpTable" until you find a match for all 4 (four) source & destination IP address and ports numbers

Any comments re whether this would be the most robust way to do the correlation? I'm guessing that you'd have to be doing the correlation in real time to ensure the TcpTable entry didn't drop away?
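
One way to structure the correlation discussed in this thread, as an added example that is not part of the original messages: a small Python model that matches a packet's addresses and ports against socket-table snapshots in both directions and caches the mapping so it survives the table entry dropping away. The rows and packets are constructed sample data, and the class and function names are hypothetical. The owning-PID column assumes a table that reports it, such as IP Helper's GetExtendedTcpTable with TCP_TABLE_OWNER_PID_ALL (plain GetTcpTable rows carry no PID).

```python
# Added example: rows and packets below are constructed sample data.
from collections import defaultdict

class FlowCorrelator:
    """Maps captured TCP packets to owning PIDs using socket-table snapshots."""

    def __init__(self):
        self.flow_pid = {}                   # (local, remote) endpoints -> PID
        self.bytes_by_pid = defaultdict(int)
        self.unattributed = 0

    def update(self, rows):
        """rows: iterable of (local_ip, local_port, remote_ip, remote_port, pid).
        Entries are kept after they vanish from later snapshots, so packets
        captured around connection teardown can still be attributed. A reused
        4-tuple is overwritten with the PID from the newest snapshot."""
        for lip, lport, rip, rport, pid in rows:
            self.flow_pid[((lip, lport), (rip, rport))] = pid

    def lookup(self, src, dst):
        """src/dst are (ip, port) from the packet. Outbound packets have
        src == local endpoint; inbound packets have dst == local endpoint."""
        pid = self.flow_pid.get((src, dst))
        if pid is None:
            pid = self.flow_pid.get((dst, src))
        return pid

    def account(self, src, dst, length):
        pid = self.lookup(src, dst)
        if pid is None:
            self.unattributed += length      # short-lived flow missed by polling
        else:
            self.bytes_by_pid[pid] += length
        return pid

def demo():
    c = FlowCorrelator()
    snapshot1 = [("192.0.2.10", 49152, "198.51.100.5", 80, 1234),
                 ("192.0.2.10", 49153, "198.51.100.9", 443, 5678)]
    c.update(snapshot1)
    c.account(("192.0.2.10", 49152), ("198.51.100.5", 80), 400)    # outbound
    c.account(("198.51.100.5", 80), ("192.0.2.10", 49152), 1500)   # inbound
    c.update(snapshot1[1:])   # PID 1234's row has dropped away
    c.account(("198.51.100.5", 80), ("192.0.2.10", 49152), 60)     # late FIN/ACK
    c.account(("192.0.2.10", 49200), ("203.0.113.7", 22), 100)     # never seen
    return c

if __name__ == "__main__":
    c = demo()
    print(dict(c.bytes_by_pid), "unattributed:", c.unattributed)
```

Bytes counted as unattributed show how much traffic the polling interval missed, which indicates whether snapshots need to be taken more often.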
