How to programmatically filter packets by pid/process name?
Good afternoon! My task is as follows: to develop a Windows console application that collects all network activity for any process. First, I found the pid by the process name, then I used GetTcpTable2 and simply filtered the necessary information by pid (the "just get rid" option). However, there is a further note: "Save network activity in a format for Wireshark (separate from text)". Then I realized that I had done something wrong and turned to WinPcap, but here I have no idea how to filter packets by pid, and the forums say that this is impossible using WinPcap itself.
So I'm at a dead end. If anyone has any ideas how I can do this, then you are welcome! :)
If pcap really does not provide any information about the process that took the packet (quite a likely and normal situation, because it runs in kernel mode), then try to match by port number, since you really need TCP. From the point of view of the network protocol, it is the port that uniquely identifies the receiving process and the sending process (for example, you can't hang two independent web servers on the same port; also, with an outgoing TCP connection, the OS allocates a separate random port for each connection). Since you can theoretically get information about ports and TCP connections (including those in the listening state) (after all, TcpView from the Sysinternals package exists and somehow works), you can bind packets by port.
Of course, one process can open many listening ports and establish many connections, both incoming and outgoing. If you also need to save separate TCP streams (for example, many clients have connected to port 80 of the web server), then uniquely identify each connection using the four-tuple: (source_ip, source_port, destination_ip, destination_port).
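As an added example (not the answerer's code) of the port-matching approach: a small C routine that parses the Ethernet/IPv4/TCP headers of a captured frame and checks its 4-tuple against the rows of the target process's connection table, in both directions and including LISTEN rows. It assumes the rows were already obtained on Windows from GetExtendedTcpTable with TCP_TABLE_OWNER_PID_ALL (a real API, not called here) and uses a constructed frame so that it runs offline.

```c
#include <stddef.h>
#include <stdint.h>
/* A TCP 4-tuple. Packet: src/dst as seen on the wire. Table row: local in sip/sport,
 * remote in dip/dport, with remote 0.0.0.0:0 meaning a LISTEN row. On Windows the rows
 * would come from GetExtendedTcpTable(TCP_TABLE_OWNER_PID_ALL) filtered by dwOwningPid;
 * here they are constructed by hand so the code runs offline. */
typedef struct { uint32_t sip, dip; uint16_t sport, dport; } tuple4;
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
/* Parse Ethernet II + IPv4 + TCP headers of a captured frame (what the pcap callback
 * hands you). Returns 1 and fills *t for IPv4/TCP, else 0. */
int parse_tcp4(const uint8_t *f, size_t len, tuple4 *t) {
    if (len < 34 || rd16(f + 12) != 0x0800) return 0;             /* not IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return 0;     /* not TCP */
    if (len < 14 + ihl + 20) return 0;                              /* truncated */
    const uint8_t *tcp = ip + ihl;
    t->sip = rd32(ip + 12); t->dip = rd32(ip + 16);
    t->sport = rd16(tcp);   t->dport = rd16(tcp + 2);
    return 1;
}
/* Does the packet match one of the process's rows, in either direction? A LISTEN row
 * matches any packet addressed to its local ip:port. */
int owned_by_process(const tuple4 *p, const tuple4 *rows, size_t n) {
    for (size_t i = 0; i < n; i++) {
        const tuple4 *r = &rows[i];
        if (p->dip == r->sip && p->dport == r->sport &&
            ((r->dip == 0 && r->dport == 0) || (p->sip == r->dip && p->sport == r->dport)))
            return 1;                                               /* inbound */
        if (p->sip == r->sip && p->sport == r->sport && p->dip == r->dip && p->dport == r->dport)
            return 1;                                               /* outbound */
    }
    return 0;
}
/* Constructed sample: 192.168.1.10:52000 -> 93.184.216.34:443, PSH/ACK, no payload. */
static const uint8_t SAMPLE_FRAME[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0x5d,0xb8,0xd8,0x22,
    0xcb,0x20, 0x01,0xbb, 0,0,0,1, 0,0,0,1, 0x50,0x18, 0xff,0xff, 0,0, 0,0 };
/* Demo table for the target PID: one established connection and one LISTEN row. */
int demo(void) {
    static const tuple4 rows[] = { { 0xc0a8010a, 0x5db8d822, 52000, 443 },
                                   { 0xc0a8010a, 0, 8080, 0 } };
    tuple4 p;
    if (!parse_tcp4(SAMPLE_FRAME, sizeof SAMPLE_FRAME, &p)) return -1;
    return owned_by_process(&p, rows, 2);                           /* returns 1 */
}
```

The main caveat of this approach is timing: the connection table has to be re-read frequently, because a short-lived connection can open and close between two snapshots and its packets would then be captured with no row to match them to.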