Wireshark-users: Re: [Wireshark-users] Tons of ARP packets...?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 13 Jul 2007 17:19:16 -0700

On Jul 13, 2007, at 4:21 PM, Small, James wrote:

Dooh!  That's a major bummer.  Perhaps Zone Alarm then?

	http://www.winpcap.org/misc/faq.htm#Q-10

"Q-10: Does WinPcap work in connection with personal firewalls?

A: We got several reports saying that WinPcap does not work well if a personal firewall is installed on the same machine as WinPcap. The typical problem is the impossibility to capture all or part of the traffic from an adapter, but some users reported strange behaviors (like some packets disappearing) on the transmit side too. Most of the time, the problem is caused by non-standard interactions between the firewall and the network stack of the OS, so there is not a lot to do on our side; the suggested remedy consists in uninstalling the firewall. Note: uninstalling, and not disabling, because some firewalls (like ZoneAlarm) keep having strange behaviors even when they are disabled."

	http://www.winpcap.org/pipermail/winpcap-users/2005-August/000266.html

"Dear WinPcap-users,

As I wrote in my original posting, I disabled the SP2 firewall and other security tools before playing around with raw packets. Unfortunately, my ZoneAlarm firewall kept checking/dropping despite being disabled. Thus, the send/receive problem below was gone as soon as ZoneAlarm was completely uninstalled :-)

Apparently, ZoneAlarm has an NDIS intermediate driver, which is alive all the time, even when set to the disabled state... While browsing the ZoneAlarm forums, I noticed similar complaints. E.g. the "ZA interference even with everything is disabled" topic by clarke on 02-28-2005.

Thanks to the guys that took the time to help me out!
 Tom."

How about this for a wish item - the ability to filter and/or identify
network traffic by process name/ID.  Based on what I've seen from the
Sysinternals tools I believe it may be possible.  What do you think?

It might be possible in some cases on some platforms. Not all traffic received is going to a particular process, especially if you're capturing in promiscuous mode; unless the traffic is being received by a particular endpoint on the machine, or being sent by the machine, you can't associate it with a particular process.

That might help identify the source of the DNS traffic. However, running Wireshark along with TCPView:

	http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx

might be sufficient in that case - look for the process with a UDP endpoint with the same local and remote addresses and ports as the DNS requests.

(Its output resembles that of netstat, probably intentionally. I don't know whether any UN*Xes have tools such as that, i.e. either a command-line or graphical netstat-plus-process-name - probably some do.)
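As an added illustration of the TCPView/netstat approach described above (this is example code, not part of the original thread or of Wireshark/TCPView): the script below takes the endpoint-to-PID table that `netstat -ano -p udp` prints (the same information TCPView shows) and the 4-tuples of DNS queries as exported with `tshark -T fields -e ip.src -e udp.srcport -e ip.dst -e udp.dstport`, and reports which PID owns the socket each query left from. Both input samples are constructed for this example, and the list of the host's own addresses is an assumption. Queries whose neither endpoint is on this host, i.e. other machines' traffic seen in promiscuous mode, are reported as unattributable, which is exactly the limitation noted above; an unconnected UDP socket shown as `*:*` on the remote side is matched by local port alone, while a connected socket with a specific remote address takes precedence.

```python
"""Correlate captured DNS queries with the local process owning the socket.

Added example, not from the original thread. Inputs are in the shape of
Windows ``netstat -ano -p udp`` output and ``tshark -T fields`` output;
both samples below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumption for this example: the capturing host's own IP addresses.
LOCAL_ADDRS: Set[str] = {"192.168.1.20", "127.0.0.1"}

# Constructed sample of `netstat -ano -p udp` output (Windows layout).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:500            *:*                                    1208
  UDP    0.0.0.0:53512          *:*                                    4120
  UDP    127.0.0.1:1900         *:*                                    2964
  UDP    192.168.1.20:62007     192.168.1.1:53                         3344
  UDP    [::]:5355              *:*                                    1528
"""

# Constructed sample in the shape of:
#   tshark -r capture.pcapng -Y "dns.flags.response == 0" \
#       -T fields -e ip.src -e udp.srcport -e ip.dst -e udp.dstport
DNS_QUERIES_SAMPLE = """\
192.168.1.20\t53512\t192.168.1.1\t53
192.168.1.20\t62007\t192.168.1.1\t53
192.168.1.77\t49001\t192.168.1.1\t53
"""

Packet = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class UdpEndpoint:
    local_addr: Optional[str]
    local_port: Optional[int]
    remote_addr: Optional[str]  # None when netstat prints '*'
    remote_port: Optional[int]  # None when netstat prints '*'
    pid: int


_UDP_LINE = re.compile(r"^\s*UDP\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def _split_addr(token: str) -> Tuple[Optional[str], Optional[int]]:
    """'192.168.1.1:53' -> ('192.168.1.1', 53); '[::]:5355' -> ('::', 5355); '*:*' -> (None, None)."""
    host, _, port = token.rpartition(":")
    host = host.strip("[]")
    return (None if host == "*" else host, None if port == "*" else int(port))


def parse_netstat_udp(text: str) -> List[UdpEndpoint]:
    """Keep only UDP rows; header, blank and TCP lines do not match the pattern."""
    endpoints = []
    for line in text.splitlines():
        m = _UDP_LINE.match(line)
        if not m:
            continue
        laddr, lport = _split_addr(m.group(1))
        raddr, rport = _split_addr(m.group(2))
        endpoints.append(UdpEndpoint(laddr, lport, raddr, rport, int(m.group(3))))
    return endpoints


def parse_tshark_fields(text: str) -> List[Packet]:
    packets = []
    for line in text.splitlines():
        if line.strip():
            src, sport, dst, dport = line.split("\t")
            packets.append((src, int(sport), dst, int(dport)))
    return packets


def _is_wildcard(addr: Optional[str]) -> bool:
    return addr is None or addr in ("0.0.0.0", "::")


def _same_family(a: Optional[str], b: str) -> bool:
    # An IPv6 wildcard is not taken to cover IPv4 traffic (Windows sockets
    # are IPV6_V6ONLY by default), so a [::]:port socket only matches IPv6.
    return a is None or ipaddress.ip_address(a).version == ipaddress.ip_address(b).version


def owning_pid(packet: Packet, endpoints: List[UdpEndpoint],
               local_addrs: Set[str] = LOCAL_ADDRS) -> Optional[int]:
    """PID of the local UDP socket this packet was sent from or delivered to, else None."""
    src, sport, dst, dport = packet
    if src in local_addrs:
        local, remote = (src, sport), (dst, dport)
    elif dst in local_addrs:
        local, remote = (dst, dport), (src, sport)
    else:
        # Neither side is this host: promiscuous-mode capture of another
        # machine's traffic. No local socket, so no process, can own it.
        return None
    best: Optional[Tuple[int, int]] = None  # (score, pid)
    for ep in endpoints:
        if ep.local_port != local[1]:
            continue
        if ep.local_addr != local[0] and not (
                _is_wildcard(ep.local_addr) and _same_family(ep.local_addr, local[0])):
            continue
        if ep.remote_addr is None and ep.remote_port is None:
            score = 1  # unconnected socket: any peer
        elif (ep.remote_addr, ep.remote_port) == remote:
            score = 2  # connected socket bound to exactly this peer
        else:
            continue  # connected to some other peer
        if best is None or score > best[0]:
            best = (score, ep.pid)
    return best[1] if best else None


def attribute_queries(netstat_text: str = NETSTAT_SAMPLE,
                      tshark_text: str = DNS_QUERIES_SAMPLE,
                      local_addrs: Set[str] = LOCAL_ADDRS) -> List[Tuple[Packet, Optional[int]]]:
    endpoints = parse_netstat_udp(netstat_text)
    return [(pkt, owning_pid(pkt, endpoints, local_addrs))
            for pkt in parse_tshark_fields(tshark_text)]


if __name__ == "__main__":
    for (src, sport, dst, dport), pid in attribute_queries():
        who = f"PID {pid}" if pid is not None else "no local endpoint (cannot attribute)"
        print(f"{src}:{sport} -> {dst}:{dport}  {who}")
```

The netstat snapshot has to be taken while the socket still exists; a resolver that opens a socket per lookup and closes it immediately will only show up if the table is sampled repeatedly (or, on Windows, by watching TCPView with a short refresh interval), which is why the script keeps the two inputs separate rather than reading netstat once at start.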