Wireshark-users: Re: [Wireshark-users] Filter by application?

From: "Martin Visser" <martinvisser99@xxxxxxxxx>
Date: Fri, 14 Nov 2008 11:56:55 +1100
Ok, so that is a different question.

Wireshark is a network tool, so it only sees what is happening on the network. It has no knowledge of what process created (or in fact is receiving) the packets that it sees. To know what an application (or a process specifically) is sending or listening to, you need to have access to the network-related hooks that the process has within the host operating system. A process will use system calls to register interest in sending or receiving traffic on particular network ports (usually UDP or TCP ports, but there are other protocols). Each operating system has a table for recording that interest. The most generic way of seeing that table (at least on Windows and UNIX-like systems) is the "netstat" command. I suggest you research that command for Windows. Just remember that every time you run netstat you only have a snapshot of the current state.

The only way to see each and every network-related system call for a process is to effectively use some debugging hooks. I *think* that the most specific tool that does this for Windows is TCPView from Microsoft (formerly Sysinternals). What this will tell you is what TCP and UDP ports you should be interested in filtering on in Wireshark.

Be aware that in most cases, however, when processes initiate connections they use an effectively random (non-predictable) source port. This source port might change for each transaction, depending on how long the connection is being held open. For instance, if Outlook sends 10 mails over 10 minutes to your mail server, it may well use a new source port each time, making it difficult to define a filter to just capture that traffic. In that case you would normally need to determine the destination server that Outlook is always connecting to and possibly the destination port (and for this example the display filter would maybe look something like "ip.addr==1.2.3.4 and tcp.port==25", where 1.2.3.4 is the address of the SMTP server Outlook is connecting to).

So in fact to filter traffic for Outlook realistically you need to know what it is connecting to. Of course if you have *two* mail clients on your PC, say Outlook and Thunderbird with the same SMTP server configured, it makes it a lot more difficult to identify and discriminate traffic from each of the client applications. In that case you might actually need to know a bit about the protocol, SMTP, and know that each of these apps uses slightly different signalling (specifically SMTP headers) that helps you. Of course SMTP is only one protocol that Outlook uses - I'll leave it as an exercise for the reader to determine what they all are. So while your question is valid it is actually not all that easy to solve!

Hope that helps, Martin

On Fri, Nov 14, 2008 at 8:22 AM, Golitsis, John <John.Golitsis@xxxxxxx> wrote:

Thank you for your reply.  In this particular case, I don't really care what the protocol is, I care only what application generated it.  For example, I want to see all the traffic coming from or going to Outlook Express.


If Wireshark can't do this, any recommendations on software that can?  (Shareware/Freeware)



From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Martin Visser
Sent: November 13, 2008 3:39 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Filter by application?


In general you just use the display filters. The application protocols that Wireshark knows about are available by clicking on the "Expression..." label. Of course your definition of application may differ from how Wireshark defines it, as it really sees things in terms of protocols rather than apps.

Can you be more explicit about what you are after?

On Fri, Nov 14, 2008 at 4:27 AM, Golitsis, John <John.Golitsis@xxxxxxx> wrote:

Hi all.  I'm trying to capture all the traffic generated by a specific application and can't seem to figure out a way to filter this.  Any help would be most appreciated!



_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users




--
Regards, Martin

MartinVisser99@xxxxxxxxx

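The procedure Martin describes above (take a netstat snapshot, find the ports the process of interest is using, then filter in Wireshark on the server address and destination port rather than the ephemeral source port) as a worked script. This is an added example and not part of the thread; the netstat text, PIDs and addresses it parses are constructed, and the function names are my own. It expects the column layout of Windows `netstat -ano` (TCP rows carry a State column, UDP rows do not) and builds both a display filter in the form Martin quotes and the equivalent capture filter.

```python
"""Turn a `netstat -ano` snapshot into Wireshark filters for one process (PID)."""
import re
from collections import namedtuple

# Constructed sample of Windows `netstat -ano` output. PIDs, addresses and ports are made up.
# Note PID 4120 uses a different ephemeral local port (49152, 49160) for each connection,
# which is why filtering on the remote side is the only stable choice.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49152     203.0.113.25:25        ESTABLISHED     4120
  TCP    192.168.1.10:49153     203.0.113.25:25        TIME_WAIT       0
  TCP    192.168.1.10:49160     203.0.113.25:110       ESTABLISHED     4120
  TCP    192.168.1.10:49170     198.51.100.7:443       ESTABLISHED     2880
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  UDP    0.0.0.0:5355           *:*                                    1204
"""

Connection = namedtuple(
    "Connection", "proto local_ip local_port remote_ip remote_port state pid"
)

# Remote addresses that mean "not connected to anyone" (listening / unbound sockets).
_UNBOUND_HOSTS = {"*", "0.0.0.0", "::"}


def _split_endpoint(endpoint):
    """'192.168.1.10:49152' -> ('192.168.1.10', 49152); '[::1]:135' -> ('::1', 135); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse netstat -ano output into Connection records; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto = fields[0].lower()
        if proto == "tcp" and len(fields) == 5:
            _, local, remote, state, pid = fields
        elif proto == "udp" and len(fields) == 4:  # UDP rows have no State column
            _, local, remote, pid = fields
            state = ""
        else:
            continue  # unexpected layout; ignore rather than guess
        lip, lport = _split_endpoint(local)
        rip, rport = _split_endpoint(remote)
        conns.append(Connection(proto, lip, lport, rip, rport, state, int(pid)))
    return conns


def remote_endpoints(conns, pid):
    """Distinct (proto, remote_ip, remote_port) the process talks to, in a stable order.

    Listening and unbound sockets have no peer and are left out: they would only
    produce a filter on the local port, which Martin points out is not predictable."""
    eps = set()
    for c in conns:
        if c.pid != pid or not c.remote_port or c.remote_ip in _UNBOUND_HOSTS:
            continue
        eps.add((c.proto, c.remote_ip, c.remote_port))
    return sorted(eps, key=lambda e: (e[1], e[0], e[2]))


def build_display_filter(conns, pid):
    """Wireshark display filter, e.g. '(ip.addr==1.2.3.4 and tcp.port==25) or (...)'.

    Returns '' when the process has no connected peers (nothing stable to filter on)."""
    clauses = []
    for proto, ip, port in remote_endpoints(conns, pid):
        addr_field = "ipv6.addr" if ":" in ip else "ip.addr"
        clauses.append(f"({addr_field}=={ip} and {proto}.port=={port})")
    return " or ".join(clauses)


def build_capture_filter(conns, pid):
    """Same peers expressed as a BPF capture filter, for use at capture time instead of display time."""
    clauses = [
        f"(host {ip} and {proto} port {port})"
        for proto, ip, port in remote_endpoints(conns, pid)
    ]
    return " or ".join(clauses)


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for pid in (4120, 2880, 912):
        print(pid, "display:", build_display_filter(conns, pid) or "<no connected peers>")
        print(pid, "capture:", build_capture_filter(conns, pid) or "<no connected peers>")
```

Run it against a real snapshot by replacing SAMPLE_NETSTAT with the saved output of `netstat -ano` (or `netstat -anop tcp` on Linux, whose columns differ and would need the parser adjusted). The snapshot caveat Martin raises still applies: a connection that was not open when netstat ran will not appear, and a second client talking to the same server produces the identical filter, so the result is a starting point for the display filter, not an attribution of packets to a process.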