Afaik there is no way to configure Ethereal to associate a packet to a process. However, you should be able to determine the source by inference. Look at the packet's destination IP and destination port. Who does the destination IP belong to? Is the destination port a well-known port? If not, do a Google search and see if you can find an app that listens on that port. Is there any ASCII data in the packet that would help identify what it is requesting? If you suspect Steam, start a capture and launch the Steam client. Does it connect to the same destination IP/IP block/port as the packet in question?

If you can determine who/what the client is talking to, you should be able to determine what process on your machine is doing the talking.
Andrew
-----Original Message-----
From: secjunky [mailto:secjunky@xxxxxxxxx]
Sent: Wednesday, January 11, 2006 3:34 PM
To: ethereal-users@xxxxxxxxxxxx
Subject: [Ethereal-users] Discovering the process that generated a packet
Hello list, I've been looking for this for a while, but I can't seem to find anything. I would like to know if ethereal can tell me the actual process that sent the packet in question. Here's the scenario.

I leave ethereal running overnight on all of my machines (slackware, winxp pro, winxp 64) to see what is talking to who. When I come back in the morning, as expected, my slack box was nice and tight-lipped. The XP pro w/ zone alarm was nice and quiet as well, but it was the XP64 that was the chatterbox. It turns out that my Steam account (from Valve software) would wake up in the middle of the night (after being closed) and talk to its update server. This is actually my assumption, seeing as I cannot discern the process that sent the packet from the ethereal scan.

So this is my question: is there a way to configure ethereal to display the process that generated the packet in question? I know I could sit at the computer with TCPView or netstat running, but as I said, this is done overnight and I can't be at the computer all night (i.e. I need logging). I also know I could simply run the windows variant of the Linux command 'netstat -c' and compare times, but I think this would be tedious and a feature like this would be very useful in ethereal if it doesn't already exist.

I found this on the ethereal forum (http://www.ethereal.com/lists/ethereal-dev/200110/msg00129.html), but it is very old and is far beyond my menial coding experience. Does anyone have any suggestions or patches for ethereal that I could use? Thanks in advance.
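Both messages describe the same workaround from two sides: Andrew infers the process from the remote endpoint, and the original poster suggests logging netstat output overnight and comparing timestamps against the capture. The script below, an added example written for this page and not code from the Ethereal list or project, makes the second approach mechanical: it joins one-line-per-packet capture summaries to timestamped connection-table snapshots on the (local, remote) socket pair, picks the nearest snapshot in time, and reports which PID owned each connection. The snapshot line format (ISO timestamp, protocol, local, remote, state, PID, as a scheduled `netstat -ano` on Windows or `netstat -tnp` on Linux would yield once timestamped) is an assumption, and every log line and address in it is constructed for the example.

```python
"""Attribute captured packets to a process via timestamped connection-table snapshots.

Added example for the Ethereal-users thread; not code from the list or the
Ethereal project. Ethereal records no PID, so the OS connection table is polled
on a schedule and the capture is joined to those snapshots afterwards.
Assumed snapshot format: "<iso timestamp> <proto> <local> <remote> <state> <pid>".
All data below is constructed (RFC 5737 documentation addresses as remotes).
"""
from collections import namedtuple
from datetime import datetime

Conn = namedtuple("Conn", "ts proto local remote state pid")
Packet = namedtuple("Packet", "ts src dst proto info")

# Constructed snapshot log: the same connection seen in two polls one minute
# apart, owned by PID 1844, plus an unrelated listening socket.
SNAPSHOT_LOG = """\
2006-01-11T03:14:00 TCP 192.168.1.10:3421 198.51.100.7:27030 ESTABLISHED 1844
2006-01-11T03:14:00 TCP 192.168.1.10:139 0.0.0.0:0 LISTENING 4
2006-01-11T03:15:00 TCP 192.168.1.10:3421 198.51.100.7:27030 ESTABLISHED 1844
"""

# Constructed capture summary, one packet per line: "<ts> <src> -> <dst> <proto> <info>".
# The last packet belongs to a short-lived connection that fell between polls.
CAPTURE_SUMMARY = """\
2006-01-11T03:14:07 192.168.1.10:3421 -> 198.51.100.7:27030 TCP PSH,ACK len=120
2006-01-11T03:14:08 198.51.100.7:27030 -> 192.168.1.10:3421 TCP ACK
2006-01-11T03:14:50 192.168.1.10:3421 -> 198.51.100.7:27030 TCP FIN,ACK
2006-01-11T03:40:12 192.168.1.10:3455 -> 203.0.113.9:80 TCP SYN
"""


def parse_snapshot_log(text):
    """Parse timestamped netstat-style lines into Conn records; skip malformed lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            pid = int(parts[5])
        except ValueError:
            continue  # header or garbage line from the poller
        conns.append(Conn(ts, parts[1], parts[2], parts[3], parts[4], pid))
    return conns


def parse_capture_summary(text):
    """Parse one-line-per-packet summaries into Packet records."""
    pkts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "->":
            continue
        pkts.append(Packet(datetime.fromisoformat(parts[0]), parts[1],
                           parts[3], parts[4], " ".join(parts[5:])))
    return pkts


def attribute(pkts, conns, window=60):
    """For each packet return (Conn, age_seconds) of the nearest matching snapshot, or None.

    A packet matches a connection when its (src, dst) equals the connection's
    (local, remote) in either direction. Matches older than `window` seconds are
    rejected: a connection that opened and closed between two polls is reported
    as None rather than guessed.
    """
    by_pair = {}
    for c in conns:
        by_pair.setdefault((c.local, c.remote), []).append(c)
    out = []
    for p in pkts:
        best = None
        for c in by_pair.get((p.src, p.dst), []) + by_pair.get((p.dst, p.src), []):
            age = abs((c.ts - p.ts).total_seconds())
            if age <= window and (best is None or age < best[1]):
                best = (c, age)
        out.append(best)
    return out


def remotes_by_pid(matches):
    """Collapse matches into {pid: sorted remote endpoints} for a morning-after report."""
    report = {}
    for m in matches:
        if m is not None:
            report.setdefault(m[0].pid, set()).add(m[0].remote)
    return {pid: sorted(r) for pid, r in report.items()}


if __name__ == "__main__":
    pkts = parse_capture_summary(CAPTURE_SUMMARY)
    matches = attribute(pkts, parse_snapshot_log(SNAPSHOT_LOG))
    for p, m in zip(pkts, matches):
        who = "unattributed (no snapshot within window)" if m is None else "pid %d (snapshot %.0fs away)" % (m[0].pid, m[1])
        print(p.ts.isoformat(), p.src, "->", p.dst, who)
    print(remotes_by_pid(matches))
```

The poll interval sets the blind spot: a connection shorter than the interval never appears in any snapshot, which is why the script refuses to attribute such packets instead of picking the closest PID. Once a PID is known, the remaining step is the one Andrew describes, mapping the PID to an executable (the `-b` switch of `netstat` on Windows XP, or `ps` on Linux) while the process is still alive.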