24

I am not sure that this sort of question is appropriate here, so forgive me if I'm wrong.

Here is a problem: I want to see what a specific program is sending to the internet, but the thing is that on the computer there are lots of applications and services which are using the internet. So it is impossible to figure out which packets were sent by the app I am interested in.

One way is to try to close all other applications, but this is impossible.

So is there a way to isolate a specific application? I am working on Windows 7 and capturing packets with Wireshark.

yarl
  • 192
  • 1
  • 6
Salvador Dali
  • 925
  • 6
  • 19
  • 31

6 Answers

16

Given that you are using Wireshark, your port numbers aren't automatically resolved to an application name, so you will need to do a little more to refine the information you are looking for. Every application using TCP/IP to communicate across a network will be using ports, so that the network stack knows where to deliver segments to (I like to call it an application address).

Clients connecting to a server application on a specific port will be dynamically allocated a port number from a dynamic range. So you first need to find out what TCP/UDP connections your application has open:

netstat -b

at the command line will give you a list of connections with the name of the executable that created the connection. Each executable has one or more connections listed as 127.0.0.1:xxxxx, where xxxxx is the local port number for the connection.

Now in Wireshark, you need to tell it to display packets that originated from or are destined to that port by using one or more of these filters:

tcp.port == xxxxx or udp.port == xxxxx

Add an additional or tcp.port == xxxxx for each connection you want to show.

This will allow you to see all the traffic for the connections your application has open, and Wireshark will not include just raw TCP/UDP segments but will include the various application layer protocols (e.g. HTTP) that used those port numbers too.

If your application appears to be communicating with just one server, you could just use the IP address of that server to filter by:

ip.addr == x.x.x.x
john
  • 1,995
  • 1
  • 17
  • 30
  • The biggest problem with sockets (using unreserved ports) is that a socket being opened and closed by an application is very dynamic in nature. When you run the netstat -b command it will give you different outcomes for every listed application even if you run it at an interval of 5 seconds. So it is very difficult to notice all the port numbers which are getting allocated to my application. I was observing the same for my application in the "TCPView" tool (Sysinternals suite). I saw that in a span of 10 seconds roughly 15 TCP socket connections were opened by my application and many of them got killed also – RBT Mar 17 '16 at 09:56
  • 1
    This is where Microsoft Network Monitor comes in handy, because it can trace the process that the network communication originates from and groups it under that process. However, since this was written a new major version of Wireshark has been released. It may be the case that such a grouping is also possible using Wireshark, but I haven't used it in a while. – john Mar 20 '16 at 19:27
  • 1
    $ netstat -b `netstat: invalid option -- 'b'` – Aaron Franke Feb 21 '20 at 08:47
6

If you use Process Monitor from Microsoft, you can change the filters to show only network communications from specific processes. It doesn't give you the contents of the packets, but it does show what hosts the app is talking to.

longneck
  • 22,793
  • 4
  • 50
  • 84
0

Microsoft Network Monitor will show you the process responsible for the traffic flow.

joeqwerty
  • 108,377
  • 6
  • 80
  • 171
0

I found Microsoft Message Analyzer very useful for exactly the same purpose. It allows you to capture network traffic and aggregate it by process tree.

YaoLen
  • 9
  • 1
-1

Use Sysinternals Process Monitor to get the application's process number and check out the other Sysinternals tools at:

https://docs.microsoft.com/en-us/sysinternals/

Open cmd.exe and run netstat /? to show the netstat command-line options.

Now try netstat -bo 1 >> c:/test.log . This will allow you to find your specific application's network connection data in a continuously updated file.

Remember, you need to stop netstat -bo >> c:/test.log from writing to the log by entering Ctrl-C in the cmd window.

jornane
  • 1,096
  • 1
  • 8
  • 25
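The two netstat-based answers above (john's netstat -b, then tcp.port == xxxxx filter per connection, and jornane's netstat -bo 1 >> c:/test.log running log) can be mechanized. The script below is an added example, not code from any answer in this thread: it parses the Windows netstat -bo layout (connection row followed by the owning executable in square brackets), accepts any number of concatenated snapshots such as a netstat -bo 1 log, collects every local port the named process owned in any snapshot, and emits the Wireshark display filter. The sample output, process names, PIDs and all function names are constructed for the example; the RFC 5737 addresses are documentation ranges.

```python
"""Turn `netstat -bo` output into a Wireshark display filter for one process.

Added example; it is not code from any of the answers above. It assumes the
Windows `netstat -bo` text layout mocked up in SAMPLE (connection row, then
the owning executable in square brackets) and that `netstat -bo 1 >> log`
appends one such table per second, so a log file holds many snapshots.
"""
import re
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed sample: two consecutive `netstat -bo 1` snapshots. Addresses are
# from the RFC 5737 documentation ranges; PIDs and process names are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49158     198.51.100.7:443       ESTABLISHED     4120
 [myapp.exe]
  TCP    192.168.1.10:49170     203.0.113.5:80         ESTABLISHED     2210
 [chrome.exe]
  UDP    192.168.1.10:55555     *:*                                    4120
 [myapp.exe]

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49160     198.51.100.7:443       ESTABLISHED     4120
 [myapp.exe]
  TCP    192.168.1.10:49158     198.51.100.7:443       TIME_WAIT       0
  TCP    192.168.1.10:49170     203.0.113.5:80         ESTABLISHED     2210
 [chrome.exe]
"""

# Connection row: proto, local, foreign, optional state (UDP has none), PID.
_CONN_RE = re.compile(r"^\s+(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# Owner row that -b prints under the connection it belongs to, e.g. " [myapp.exe]".
_EXE_RE = re.compile(r"^\s*\[(.+)\]\s*$")


@dataclass
class Connection:
    proto: str                 # "TCP" or "UDP"
    local_ip: str
    local_port: Optional[int]
    remote_ip: str             # "*" for an unconnected UDP socket
    remote_port: Optional[int]
    state: str                 # "" for UDP, which netstat prints without a state
    pid: int
    exe: str = ""              # "" when netstat printed no owner (e.g. TIME_WAIT, PID 0)


def _split_endpoint(endpoint):
    """'192.168.1.10:49158' -> ('192.168.1.10', 49158); '*:*' -> ('*', None).
    IPv6 endpoints look like '[::1]:49158', so split on the last colon only."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat_b(text):
    """Parse any number of concatenated `netstat -bo` snapshots into Connection rows."""
    conns = []
    for line in text.splitlines():
        m = _CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            lip, lport = _split_endpoint(local)
            rip, rport = _split_endpoint(remote)
            conns.append(Connection(proto, lip, lport, rip, rport, state or "", int(pid)))
            continue
        m = _EXE_RE.match(line)
        if m and conns:
            conns[-1].exe = m.group(1)   # the owner row belongs to the row just above it
    return conns


def ports_for(conns, exe):
    """Every (proto, local port) the named executable owned in any snapshot."""
    return {(c.proto.lower(), c.local_port) for c in conns
            if c.exe.lower() == exe.lower() and c.local_port is not None}


def build_display_filter(conns, exe):
    """The `tcp.port == N or udp.port == N` filter from john's answer, one term per port."""
    return " or ".join(f"{proto}.port == {port}" for proto, port in sorted(ports_for(conns, exe)))


def build_host_filter(conns, exe):
    """The `ip.addr == x.x.x.x` alternative: every peer the executable talked to."""
    hosts = {c.remote_ip for c in conns if c.exe.lower() == exe.lower() and c.remote_ip != "*"}
    return " or ".join(f"ip.addr == {ip}" for ip in sorted(hosts))


if __name__ == "__main__":
    # Usage: python netstat_filter.py myapp.exe [c:/test.log]; with no log path
    # the constructed SAMPLE is parsed instead.
    exe = sys.argv[1] if len(sys.argv) > 1 else "myapp.exe"
    text = open(sys.argv[2], encoding="utf-8", errors="replace").read() if len(sys.argv) > 2 else SAMPLE
    conns = parse_netstat_b(text)
    print(build_display_filter(conns, exe))
    print(build_host_filter(conns, exe))
```

Collecting ports across every snapshot is what addresses RBT's objection that the socket set changes between two runs of netstat: run the log for the whole capture window and the union covers the short-lived connections too. The caveat is that dynamic ports are recycled, so a port that belonged to the application at 09:56 may belong to another process a minute later; keep the netstat log and the Wireshark capture to the same time window, and prefer the ip.addr form when the application talks to a small, stable set of peers.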
-2

Just replace My_Application with your application's PNAME or PID:

netstat --programs | grep "My_Application"

I didn't test it on Windows 7, but it works on Linux.