| Subject: Howto identify a service or application accessing the network |
| Group: microsoft.public.winternals |
| Date: 6/15/2007 1:39:11 AM |
| From: "Thomas Weigel" [Email Address Protection] |
Hi,

I would like to see not only which process accesses the network but the
corresponding service / application too.
How can I manage this?

Thanks ahead,

Greetings

Thomas
| Subject: Re: Howto identify a service or application accessing the network |
| Group: microsoft.public.winternals |
| Date: 6/15/2007 11:05:01 PM |
| From: "Kerem Gümrükcü" [Email Address Protection] |
"Thomas Weigel" <Entwicklung_AT_Octagon-GmbH_DOT_de> wrote in message
news:%23Pk9YiyrHHA.4664@TK2MSFTNGP04.phx.gbl...
> Hi,
>
> I would like to see not only which process accesses the network but the
> corresponding service / application too.
> How can I manage this?
>
> Thanks ahead,
>
> Greetings
>
> Thomas

Hi Thomas,

so let me ask you what you mean by seeing an application
accessing the network. Do you operate in kernel mode?
Do you have a user or kernel mode application/driver
that intercepts the network access? What do you use to
"see" what is accessing your network and how do you
accomplish that? If you want/can provide more information,
maybe then we can help you...

Beste Grüße / Best regards / Votre bien dévoué

Kerem Gümrükcü
-----------------------
"This reply is provided as is, without warranty express or implied."
| Subject: Re: Howto identify a service or application accessing the network |
| Group: microsoft.public.winternals |
| Date: 6/18/2007 1:24:29 AM |
| From: "Thomas Weigel" [Email Address Protection] |
> > I would like to see not only which process accesses the network but the
> > corresponding service / application too.
> > How can I manage this?

> so let me ask you what you mean by seeing an application
> accessing the network. Do you operate in kernel mode?
> Do you have a user or kernel mode application/driver
> that intercepts the network access? What do you use to
> "see" what is accessing your network and how do you
> accomplish that? If you want/can provide more information,
> maybe then we can help you...

The system I think about is Windows XP connected to the internet.
Sometimes, when starting the system, it connects to the internet and
transfers a large amount of data, maybe in both directions.
I guess it is always the update function.
I can log on as Administrator to see what's going on if necessary.

I would like to check out and if possible log WHICH services or
applications opened a connection to the internet.
E.g. if the AU opened the connection to check for new updates or
download, I would like to see something like that:
"connected to 1.2.3.4 from 127.0.0.1 by WindowsUpdate.exe"

Greetings

Thomas
| Subject: Re: Howto identify a service or application accessing the network |
| Group: microsoft.public.winternals |
| Date: 6/18/2007 4:11:55 PM |
| From: "Andrew McLaren" [Email Address Protection] |
> I would like to check out and if possible log WHICH services or
> applications opened a connection to the internet.
> E.g. if the AU opened the connection to check for new updates or
> download i would like to see something like that:
> "connected to 1.2.3.4 from 127.0.0.1 by WindowsUpdate.exe"

There are probably several ways to do this. One way, using only built-in OS
commands, would be to do:

    C:\>netstat -o

This will show you the current open TCP connections, along with the Process
ID ("PID") associated with each connection. To find the process name
associated with the PID, you can either look in the Task Manager window, or
run the "tasklist" command:

    C:\>tasklist

For example, if netstat shows

    TCP    192.168.0.3:50396    www:http    CLOSE_WAIT    5700
    TCP    192.168.0.3:50397    www:http    CLOSE_WAIT    5700

then I want to find which Process has a PID of 5700. I can do either:

    C:\>tasklist

and scan the whole list; or if I just want the one process I can use the
"fi" filter:

    C:\>tasklist /fi "PID eq 5700"

    Image Name                     PID Services
    ========================= ======== ============================================
    Safari.exe                    5700 N/A

Okay, so Process 5700 is a web browser, which has the http connections
open - so that's okay. If I don't recognise the process, or the destination
IP address, then there could be a problem.

Regarding services - several different services can be hosted within a
single process - especially the services which run as "svchost.exe". To see
which services (if any) live in each process, use the "/SVC" parameter to
tasklist:

    C:\>tasklist /svc
    < ... snip ... >
    svchost.exe                   1164 EventSystem, fdPHost, FDResPub,
                                       LanmanWorkstation, netprofm, nsi, SSDPSRV,
                                       upnphost, W32Time
    svchost.exe                   1272 CryptSvc, Dnscache, KtmRm, NlaSvc, TapiSrv,
                                       TermService
    spoolsv.exe                   1464 Spooler
    svchost.exe                   1496 BFE, DPS, MpsSvc
    < ... snip ... >

You can always add the /SVC parameter; if there are no services in the
tasklist, it just gets ignored.

The other main way to understand the network traffic to and from your
machine is to run a network sniffer, such as NetMon. This lets you inspect
the traffic in great detail. Microsoft NetMon 3 is a free download, from
here:
http://www.microsoft.com/downloads/details.aspx?familyid=AA8BE06D-4A6A-4B69-B861-2043B665CB53&mg_id=10109&displaylang=en

Some of the Winternals utilities such as Process Explorer might also provide
similar information, but the experts in the group would be better able to
tell you about those.

Hope it helps!

Gruess
Andrew
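The netstat/tasklist lookup described in the post above can be joined automatically to produce the kind of log line asked for in the thread. This is an added example, not part of any post: the function names are hypothetical, the sample output is constructed, and it assumes English-locale output from `netstat -ano` and `tasklist /svc /fo csv /nh` (the `-a`, `-n`, `/fo csv` and `/nh` switches are not mentioned in the thread).

```python
import csv
import io
import subprocess

# Constructed sample output in the English-locale layout of `netstat -ano`
# and `tasklist /svc /fo csv /nh`; not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.0.3:50396      203.0.113.10:80        CLOSE_WAIT      5700
  TCP    192.168.0.3:50412      198.51.100.7:443       ESTABLISHED     1272
  TCP    192.168.0.3:50420      198.51.100.9:80        ESTABLISHED     4321
  UDP    0.0.0.0:123            *:*                                    1164
"""
SAMPLE_TASKLIST = """\
"Safari.exe","5700","N/A"
"svchost.exe","1272","CryptSvc,Dnscache,KtmRm,NlaSvc,TapiSrv,TermService"
"""

def parse_tasklist(text):
    """Map PID -> (image name, hosted services)."""
    procs = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 3 and row[1].isdigit():
            svcs = [s.strip() for s in row[2].split(",")]
            procs[int(row[1])] = (row[0], [s for s in svcs if s not in ("", "N/A")])
    return procs

def parse_netstat(text):
    """Yield (local, remote, state, pid) for TCP rows that have a remote peer."""
    for line in text.splitlines():
        f = line.split()
        # Listening sockets show remote port 0; UDP rows have no state column.
        if len(f) == 5 and f[0] == "TCP" and f[4].isdigit() and not f[2].endswith(":0"):
            yield f[1], f[2], f[3], int(f[4])

def attribute(netstat_text, tasklist_text):
    """Return one log line per connection, naming the owning process and services."""
    procs = parse_tasklist(tasklist_text)
    out = []
    for local, remote, state, pid in parse_netstat(netstat_text):
        image, svcs = procs.get(pid, ("<process not in tasklist>", []))
        who = f"{image} [{', '.join(svcs)}]" if svcs else image
        out.append(f"connected to {remote} from {local} by {who} (PID {pid}, {state})")
    return out

def snapshot():
    """Windows only: run both built-in commands now and correlate them."""
    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return attribute(run("netstat", "-ano"), run("tasklist", "/svc", "/fo", "csv", "/nh"))

if __name__ == "__main__":
    print("\n".join(attribute(SAMPLE_NETSTAT, SAMPLE_TASKLIST)))
```

For a shared svchost.exe the PID only narrows the connection down to the set of services hosted in that process, not to a single one. Both commands are point-in-time snapshots, so a connection that opens and closes between runs is not recorded.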
| Subject: Re: Howto identify a service or application accessing the network |
| Group: microsoft.public.winternals |
| Date: 6/21/2007 7:47:39 PM |
| From: "Dan Krause" [Email Address Protection] |
Try the program 'whatsrunning' at whatsrunning.net.

"Thomas Weigel" <Entwicklung_AT_Octagon-GmbH_DOT_de> wrote in message
news:%23Pk9YiyrHHA.4664@TK2MSFTNGP04.phx.gbl...
> Hi,
>
> I would like to see not only which process accesses the network but the
> corresponding service / application too.
> How can I manage this?
>
> Thanks ahead,
>
> Greetings
>
> Thomas