AgentOrange
I am wondering if there is a way for me to find out who is connecting to an arbitrary open port used by a running program. I need source code. It would be really awesome if I could monitor the data being transferred. I could do it by doing a netstat every so often, but that's lame. I would also like to do this without the need for the pcap libraries.

Peace out
IDEspinner
QUOTE(AgentOrange @ Oct 20 2004, 12:18 AM)
I am wondering if there is a way for me to find out who is connecting to an arbitrary open port used by a running program. I need source code. It would be really awesome if I could monitor the data being transferred. I could do it by doing a netstat every so often, but that's lame. I would also like to do this without the need for the pcap libraries.

Peace out

This sounds like you could use one of several applications. On one hand, someone could say you could use a sniffer with the WinPcap libraries. Well, this would work great; in fact, you could even sniff the data off the wire.

You state you don't want to use pcap libs, so Ethereal is out of the question.

Well... you could use IRIS or Ethereal, those count, right? Technically they don't use the pcap libraries, but I think what you are looking for is not a packet sniffer, right? I hope that's how I interpreted your request for no WinPcap.

OK, so what options are we left with? Well, like your suggestion pointed out, you could use netstat. You don't seem to mind using netstat so much, since you mentioned you just didn't like doing it every second. I seem to recall a VB project for creating a firewall-type application. I honestly didn't think it was a true firewall, more of a monitor, but that is exactly what you want. All it does is constantly monitor "netstat -O", which maps all the ports to their processes or something similar.

Since it's VB it would be easy to modify and run, although I believe the netstat -O option was only implemented in XP and on.
It can be found at:
hxxp://pscode.com/vb/scripts/ShowCode.asp?txtCodeId=48115&lngWId=1

Aside from that, your only other option that I can think of right now is to construct your very own firewall. Unless you're a C/C++ guru who has no trouble with driver coding and hooking, this poses a problem.

Gladly, Windows has recently added a new Packet Filtering API.
There are a few firewall projects out there.
Here's an open-source project done with C++:
hxxp://programmerworld.net/personal/firewall.htm

If you're a fan of .NET, here's an example done in C#: hxxp://codeproject.com/tools/firewallpapi.asp

Of course, with a firewall, you wouldn't be able to monitor the data without an included sniffer or some hooking.

So basically your options are:

- Give up and use WinPcap with Ethereal
- Pay for IRIS or Etherpeek, they don't use WinPcap
- Manually type netstat -O for the rest of your life
- Use a quick and easy VB app to manually type netstat -O for the rest of your life
- Code a firewall with plenty of driver programming and hooking
- Code a firewall using the Packet Filtering API

I hope this helps somewhat, I'm sure I missed something.
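
The netstat-polling option discussed in the post above, as an added example that is not part of the original thread: a Python parser for Windows `netstat -ano` output that lists the remote peers on one local port with the owning PID, and reports peers that appeared since the previous poll. The sample output is constructed, the function names are hypothetical, and English state names are assumed.

```python
import subprocess

# Constructed sample of Windows `netstat -ano` output (documentation addresses, not a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1432
  TCP    192.0.2.10:8080        198.51.100.7:51522     ESTABLISHED     1432
  TCP    192.0.2.10:8080        203.0.113.44:40211     TIME_WAIT       0
  TCP    192.0.2.10:49701       198.51.100.7:443       ESTABLISHED     2210
  TCP    [::1]:8080             [::1]:50001            ESTABLISHED     1432
  UDP    0.0.0.0:8080           *:*                                    1432
"""

def peers_on_port(netstat_text, port):
    """Return {(remote_host, remote_port, state, pid)} for TCP rows on the given local port."""
    peers = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly 5 columns; headers and UDP rows (no state) are skipped.
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        _, local, remote, state, pid = fields
        if state == "LISTENING":
            continue  # the listening socket itself has no peer
        # rsplit keeps bracketed IPv6 hosts such as [::1] intact.
        if local.rsplit(":", 1)[1] != str(port):
            continue
        rhost, rport = remote.rsplit(":", 1)
        peers.add((rhost, int(rport), state, int(pid)))
    return peers

def new_peers(previous, current):
    """Rows in the current poll whose remote endpoint was absent from the previous poll."""
    seen = {(host, rport) for host, rport, _, _ in previous}
    return sorted(row for row in current if (row[0], row[1]) not in seen)

def poll_once(port):
    """Run netstat on a Windows host (XP or later for -o) and parse its output."""
    out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    return peers_on_port(out, port)

if __name__ == "__main__":
    for row in sorted(peers_on_port(SAMPLE, 8080)):
        print(row)
```

Polling only sees connections that exist at the moment of each poll, so short-lived connections between polls are missed, and it shows endpoints and PIDs, not the transferred data.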
AgentOrange
Well, thanks IDE, that is a pretty good post. I want to make the program as small and compatible as possible. Netstat -o is pretty nice, I forgot that it only works on new systems. I really really hate C# and Billy needs a kick in the nuts for even thinking about making it. I figured hooking was a possibility but I have no experience with that, I am fairly new to programming. I'll read more into this Packet Filtering API.

Thanks for your post
strasharo
Maybe this can help you:
hXXp://rootkit.host.sk/tools/OpPorts12.zip
It's open source (Delphi+C) and allows you to map open ports to their corresponding applications. It hasn't got a function to collect the transmitted data, but it's a good basis to make a more complicated application.

Have a nice day!