Thanks much for taking the time to write such a detailed reply! I downloaded Microsoft's latest Network Monitor and that had exactly what I was looking for.
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Martin Visser
Sent: November 13, 2008 7:57 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Filter by application?
Ok, so that is a different question.

Wireshark is a network tool, so it only sees what is happening on the network. It has no knowledge of what process created (or in fact is receiving) the packets that it sees. To know what an application (or process, specifically) is sending or listening to, you need to have access to the network-related hooks that the process has within the host operating system. A process will use system calls to register interest in sending or receiving traffic on particular network ports (usually UDP or TCP ports, but there are other protocols). Each operating system has a table for recording that interest. The most generic way of seeing that table (at least on Windows and UNIX-like systems) is the "netstat" command. I suggest you research that command for Windows.

Just remember that every time you run netstat you only have a snapshot of the current state. The only way to see each and every network-related system call for a process is to effectively use some debugging hooks. I *think* that the most specific tool that does this for Windows is TCPView from Microsoft (formerly Sysinternals). What this will tell you is what TCP and UDP ports you should be interested in filtering on in Wireshark. Be aware, however, that in most cases when processes initiate connections they use an effectively random (non-predictable) source port. This source port might change for each transaction, depending on how long the connection is being held open. For instance, if Outlook sends 10 mails over 10 minutes to your mail server, it may well use a new source port each time, making it difficult to define a filter to just capture that traffic. In that case you would normally need to determine the destination server that Outlook is always connecting to and possibly the destination port (and for this example the display filter would maybe look something like "ip.addr==1.2.3.4 and tcp.port==25", where 1.2.3.4 is the address of the SMTP server Outlook is connecting to). So in fact to filter traffic for Outlook realistically you need to know what it is connecting to. Of course if you have *two* mail clients on your PC, say Outlook and Thunderbird, with the same SMTP server configured, it makes it a lot more difficult to identify and discriminate traffic from each of the client applications. In that case you might actually need to know a bit about the protocol, SMTP, and know that each of these apps uses slightly different signalling (specifically SMTP headers) that helps you. Of course SMTP is only one protocol that Outlook uses - I'll leave it as an exercise for the reader to determine what they all are. So while your question is valid it is actually not all that easy to solve!
Hope that helps, Martin
On Fri, Nov 14, 2008 at 8:22 AM, Golitsis, John <John.Golitsis@xxxxxxx> wrote:
Thank you for your reply. In this particular case, I don't really care what the protocol is, I care only what application generated it. For example, I want to see all the traffic coming from or going to Outlook Express.

If Wireshark can't do this, any recommendations on software that can? (Shareware/Freeware)
In general you just use the display filters. The application protocols that Wireshark knows about are available by clicking on the "Expression" label. Of course your definition of application may differ from how Wireshark defines it, as it really sees things in terms of protocols that apps.

Can you be more explicit about what you are after?
--
Regards, Martin
MartinVisser99@xxxxxxxxx
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users
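As an added example of the workflow Martin outlines (this is not code from the thread, nor Martin's or John's): take one or more `netstat -ano` snapshots on the Windows host, keep the sockets owned by the process's PID, and turn the stable side of each socket (remote address plus remote port, or the local port for a listening socket) into a Wireshark display filter, deliberately ignoring the ephemeral local source ports. The netstat text, the PID 4120 standing in for the mail client, and the addresses are all constructed for the example. The second snapshot includes a TIME_WAIT row whose PID has already dropped to 0, which is exactly the snapshot problem the message warns about; the script therefore unions several snapshots rather than trusting one.

```python
"""Build a Wireshark display filter for one process from `netstat -ano` snapshots.

Added example, not part of the original mailing-list thread. Wireshark cannot
attribute a packet to a process, so the attribution is done on the host side:
parse `netstat -ano` (Windows), keep the sockets owned by one PID, and emit a
display filter on the *stable* side of each socket. Ephemeral source ports are
ignored because, as the thread notes, they change from connection to connection.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Constructed sample output (not real data): two snapshots a few seconds apart.
# PID 4120 is the hypothetical mail client; addresses are documentation ranges.
SNAPSHOT_1 = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.20:49213     203.0.113.25:25        ESTABLISHED     4120
  TCP    192.168.1.20:49301     198.51.100.7:443       ESTABLISHED     2212
  TCP    [::1]:49400            [::1]:135              ESTABLISHED     4120
  UDP    0.0.0.0:5355           *:*                                    1304
"""

# In the second snapshot the first SMTP connection is in TIME_WAIT and netstat
# now reports PID 0 for it: the process attribution is already gone.
SNAPSHOT_2 = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49213     203.0.113.25:25        TIME_WAIT       0
  TCP    192.168.1.20:49214     203.0.113.25:25        ESTABLISHED     4120
  TCP    192.168.1.20:49220     203.0.113.25:143       ESTABLISHED     4120
  UDP    192.168.1.20:53421     203.0.113.2:53                         4120
"""

# One netstat row: proto, local, foreign, optional state (absent for UDP), PID.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


@dataclass(frozen=True)
class Socket:
    proto: str        # "tcp" or "udp", matching Wireshark field prefixes
    local_ip: str
    local_port: int
    remote_ip: str    # "*" or an unspecified address for listening sockets
    remote_port: int  # 0 when there is no peer
    state: str        # "" for UDP rows
    pid: int


def _split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'203.0.113.25:25' -> ('203.0.113.25', 25); '[::1]:135' -> ('::1', 135); '*:*' -> ('*', 0)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else 0


def parse_netstat(text: str) -> List[Socket]:
    """Parse `netstat -ano` output; header, blank and title lines are skipped."""
    sockets = []
    for line in text.splitlines():
        match = _ROW.match(line)
        if not match:
            continue
        proto, local, remote, state, pid = match.groups()
        lip, lport = _split_endpoint(local)
        rip, rport = _split_endpoint(remote)
        sockets.append(Socket(proto.lower(), lip, lport, rip, rport, state or "", int(pid)))
    return sockets


def filter_terms(sockets: Iterable[Socket], pid: int) -> Set[str]:
    """Display-filter terms for one PID, built only from the stable side of each socket."""
    terms: Set[str] = set()
    for sock in sockets:
        if sock.pid != pid:
            continue
        if sock.remote_ip in ("*", "0.0.0.0", "::") or sock.remote_port == 0:
            # Listening or unconnected socket: the local port is the stable side.
            terms.add(f"{sock.proto}.port=={sock.local_port}")
        else:
            # Outbound connection: filter on the peer, never on the local ephemeral port.
            ip_field = "ipv6.addr" if ":" in sock.remote_ip else "ip.addr"
            terms.add(f"({ip_field}=={sock.remote_ip} && {sock.proto}.port=={sock.remote_port})")
    return terms


def wireshark_filter(snapshots: Iterable[str], pid: int) -> str:
    """Union the terms from several snapshots, since any single one is only a moment in time."""
    terms: Set[str] = set()
    for snapshot in snapshots:
        terms |= filter_terms(parse_netstat(snapshot), pid)
    return " || ".join(sorted(terms))


if __name__ == "__main__":
    print(wireshark_filter([SNAPSHOT_1, SNAPSHOT_2], 4120))
```

Paste the printed expression into Wireshark's display filter bar. Two caveats carry over from the thread: a second client talking to the same server and port matches the same filter, and anything the process connected to between snapshots is missed, so take snapshots while the application is actually busy.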