
I need to get the process name that's trying to access external IPs. These processes can be malware or updates; they are short-lived, so netstat or Resource Monitor cannot be used. I've tried MS Message Analyzer but I get bad results (Idle process is listed the most). Is there another tool or procedure that I could try?

I followed this article to configure Message Analyzer.

This is output of netmon:

  • All Traffic
    • My Traffic
  • Unavailable (3020)
  • Unavailable (1788)
  • taskhost.exe (704)
  • Unavailable (600) +
  • Unavailable (3048)
  • Unavailable (360)
    • IPv4 (xx.xx.xx.xx - 23.0.174.16) ConvID = 162
    • IPv4 (xx.xx.xx.xx - 23.0.174.8) ConvID = 166
    • IPv4 (xx.xx.xx.xx - 23.0.174.19) ConvID = 171
    • IPv4 (xx.xx.xx.xx - 23.0.174.27) ConvID = 175
    • IPv4 (xx.xx.xx.xx - 23.0.174.35) ConvID = 181
    • IPv4 (xx.xx.xx.xx - 5.22.191.202) ConvID = 195
    • IPv4 (xx.xx.xx.xx - 5.22.191.201) ConvID = 199
    • IPv4 (xx.xx.xx.xx - 5.22.191.233) ConvID = 203
    • IPv4 (xx.xx.xx.xx - 5.22.191.227) ConvID = 207
    • IPv4 (xx.xx.xx.xx - 5.22.191.217) ConvID = 211
    • IPv4 (xx.xx.xx.xx - 193.77.14.137) ConvID = 232
    • IPv4 (xx.xx.xx.xx - 193.77.14.171) ConvID = 236

I don't get this in Resource Monitor. These IPs are strange; I do not surf on the server during monitoring.

malibeg

1 Answer

You can use Process Monitor (procmon) for this. Download link: https://technet.microsoft.com/en-gb/sysinternals/bb896645

Once you open it, set some filters for network only stuff. If you have multiple network interfaces, you could use these:

Operation | is | TCP Send | then Include

Operation | is | UDP Send | then Include

Path | contains | 127.0.0.1 | then Exclude

(I'm assuming you don't care about accessing the loopback address)

If you have only one network interface, or only one you care about, you can set the filter to:

Path | begins with | x.x.x.x | then include

Where x.x.x.x is the local interface's IP address.

You can filter it further from here, by excluding known good processes, or excluding DNS request packets/acks/etc. You can let it run for as long as you want, but keep an eye on memory usage. By default, it'll keep 199 million events in the loop and you may want to turn this up or down. At the end of the day, you can browse the list manually, or go to Tools -> Network Summary and filter by individual IP addresses.

Neil
  • Currently I am testing netmon and Resource Monitor. It seems that these processes are active only for a short period of time and Resource Monitor doesn't catch them. E.g. in netmon I have TCP:Flags=......S., SrcPort=49480, DstPort=HTTP(80), PayloadLen=0, Seq=879251944, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 – malibeg Dec 02 '15 at 15:11
  • Did you try procmon? Procmon logs/keeps everything. I tested it before I posted my answer to make sure it still behaves the way I thought it did. – Neil Dec 02 '15 at 18:47
  • It is excellent. I'm trying to monitor port 80 (internet is over proxy port 8080) and on my Win 7 I get the telnet process if I try to telnet google.com 80, but on the Win 2008 R2 server this is not the case? – malibeg Dec 03 '15 at 15:03
  • That's very strange. Any chance it's going out an adapter different from the one you're watching? What user context are you running Procmon in on the server? Same question for the telnet request. – Neil Dec 05 '15 at 14:34