How do I monitor port traffic in Windows?

Posted 2024-09-18 08:24:47 · 394 words · 12 views · 0 comments


I am trying to find a solution to monitor the traffic (in and out) through a specific port. It is not required to capture the packets, or do anything else. What it does is to be a traffic listener to make sure there are messages sent to or received from this port every 10 minutes. It has to be running in the background all the time (like a daemon), and without significant performance impact. Based on my research, one choice is to use an existing tool to do that. There are a bunch of tools out there to monitor or sniff the traffic, such as Wireshark. Well, it seems most of them monitor the traffic passing through an interface, instead of a port, or they can't run as a daemon. Another choice is to write a program to do this. SharpPcap seems to be a good choice, but I still need to capture and analyze the packets to know whether such traffic exists. Could somebody suggest what I should do?


Comments (2)

酒儿 2024-09-25 08:24:47


SharpPcap handles packet capturing in the same manner as Wireshark, so you can set filters to limit the packets being captured to a specific port the same way in SharpPcap as you can in Wireshark. Except, SharpPcap will be a much lighter-weight option vs Wireshark.

Download the SharpPcap source tree and look at the Example05.SetFilter.

To narrow down the results so you capture only the packets you want to see you'll need to employ a few filters.

Pcap uses a common language across all applications that use it to specify the filters to set. Capture programs that use winpcap (Windows) or libpcap (*nix) include SharpPcap, Wireshark, pcap.net, winpcap, libpcap, tcpdump, etc. For a great resource on how to use pcap filters see this link.

Here are the filters you need:

  • ether host ehost
  • port port

Where ehost is the MAC address of the computer sending/receiving the packets and port is the port you want to monitor. So the full filter string would be:

SetFilter("ether host ff:ff:ff:ff:ff:ff and port 60");

The MAC and port here are for illustration purposes only, you'd obviously change them with the values that pertain to your specific setup.

This, used in the SetFilter example, will simply print out a line of info with the time the packet was captured to the command line every time a packet is captured and meets the criteria of your filter.

If you want more detailed info about the packet, such as info from the headers or the packet's payload, you'll need to parse the incoming raw packet. Be sure to ask for help on the sourceforge project's forum if you need some tips on how to do this. The project developers are very active and always willing to help.
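As an added example (not part of this answer and not SharpPcap's own Example05), the program below puts the filter idea together with the "nothing for 10 minutes" check the question asks for: it keeps only the timestamp of the last frame that matched the kernel-side BPF filter and alerts when the silence window is exceeded. One caveat on the filter string above: `ff:ff:ff:ff:ff:ff` is the Ethernet broadcast address, so an `ether host` clause with that value would match broadcast frames only; the example keys on the port alone and shows where a `host <ip>` qualifier would go instead. Assumed here: SharpPcap 6.x (NuGet package "SharpPcap") with Npcap installed, an elevated process, and placeholder values for `WatchedPort` (60) and the interface index.

```csharp
// Added example, not from the original answer or from SharpPcap's Example05.
// A background port-liveness watcher: it keeps no packet data, only the time of
// the last frame that matched the BPF filter, and alerts after 10 minutes of
// silence. Assumes SharpPcap 6.x (NuGet "SharpPcap") with Npcap installed and
// an elevated process; WatchedPort and the device index are placeholders.
using System;
using System.Threading;
using SharpPcap;

class PortLivenessWatcher
{
    const int WatchedPort = 60;                                   // placeholder
    static readonly TimeSpan MaxSilence = TimeSpan.FromMinutes(10);
    // Written by the capture thread, read by the watchdog timer thread.
    static long lastSeenTicks = DateTime.UtcNow.Ticks;

    static void Main(string[] args)
    {
        var devices = CaptureDeviceList.Instance;
        if (devices.Count == 0)
        {
            Console.Error.WriteLine("No capture devices found (is Npcap installed?)");
            return;
        }
        // Optional first argument selects the interface index; default is 0.
        int index = args.Length > 0 ? int.Parse(args[0]) : 0;
        ILiveDevice device = devices[index];

        // Promiscuous mode is not needed to see this host's own traffic.
        device.Open(DeviceModes.None, 1000);

        // BPF filter: "port N" matches TCP or UDP with N as source or destination
        // port. To restrict to one peer, prefix its IP, e.g.
        // "host 192.0.2.10 and port 60" (192.0.2.10 is a documentation address).
        device.Filter = $"port {WatchedPort}";
        device.OnPacketArrival += OnPacketArrival;
        device.StartCapture();

        // Watchdog: check once a minute whether the silence window was exceeded.
        using var watchdog = new Timer(_ => CheckSilence(), null,
                                       TimeSpan.FromMinutes(1), TimeSpan.FromMinutes(1));

        Console.WriteLine($"Watching port {WatchedPort} on '{device.Description}'. Press Enter to stop.");
        Console.ReadLine();

        device.StopCapture();
        device.Close();
    }

    static void OnPacketArrival(object sender, PacketCapture e)
    {
        // Only the arrival time is recorded; the bytes are never parsed or stored.
        Interlocked.Exchange(ref lastSeenTicks, DateTime.UtcNow.Ticks);
    }

    static void CheckSilence()
    {
        var lastSeen = new DateTime(Interlocked.Read(ref lastSeenTicks), DateTimeKind.Utc);
        var silence = DateTime.UtcNow - lastSeen;
        if (silence > MaxSilence)
        {
            // Replace with an event-log write or alerting hook in a real service.
            Console.WriteLine($"ALERT {DateTime.UtcNow:u}: no traffic on port {WatchedPort} " +
                              $"for {silence.TotalMinutes:F0} minutes");
        }
    }
}
```

Because the filter is compiled and applied by the Npcap driver, frames that do not match never reach user mode, which is what keeps the overhead low; to get daemon-like behaviour, host this logic in a Windows service or a scheduled task rather than a console session.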

橘寄 2024-09-25 08:24:47


The best way that will limit the impact your tool will have on performance is via an ETW (Event Tracing for Windows) Real-time Consumer (i.e. a tool that activates an ETW trace and reads it immediately instead of saving it to a file). This MSDN sample is a great way to see how to do this via C# and it gives you some code to get started.
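As an added example (not the MSDN sample referred to above), here is the same port-liveness check written as an ETW real-time consumer. It uses the kernel TCP/IP provider, which reports source and destination ports in each event, so no packet capture or parsing is involved at all. Assumed here: the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package, an elevated process (ETW kernel sessions require it), and a placeholder `WatchedPort`. The kernel parser's `TcpIpSend`/`TcpIpRecv`/`UdpIpSend`/`UdpIpRecv` events cover IPv4; the parser exposes separate `...IPV6` events that would be wired the same way.

```csharp
// Added example, not the MSDN sample the answer refers to. A real-time ETW
// consumer built on the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package:
// it enables the kernel TCP/IP provider, notes the last time a TCP or UDP
// send/receive involved the watched port, and alerts after 10 minutes of
// silence. No packets are captured; only kernel events are consumed.
// Assumes the TraceEvent package and an elevated process; WatchedPort is a placeholder.
using System;
using System.Threading;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Session;

class EtwPortWatcher
{
    const int WatchedPort = 60;                                   // placeholder
    static readonly TimeSpan MaxSilence = TimeSpan.FromMinutes(10);
    static long lastSeenTicks = DateTime.UtcNow.Ticks;

    static void Main()
    {
        // A session created with a name but no file name is a real-time session:
        // events are delivered to this process as they occur, never written to disk.
        using var session = new TraceEventSession("PortLivenessEtwSession");
        session.EnableKernelProvider(KernelTraceEventParser.Keywords.NetworkTCPIP);

        // Kernel network events carry source/destination ports directly, so the
        // per-event work is a two-integer comparison.
        session.Source.Kernel.TcpIpSend += data => Touch(data.sport, data.dport);
        session.Source.Kernel.TcpIpRecv += data => Touch(data.sport, data.dport);
        session.Source.Kernel.UdpIpSend += data => Touch(data.sport, data.dport);
        session.Source.Kernel.UdpIpRecv += data => Touch(data.sport, data.dport);

        using var watchdog = new Timer(_ => CheckSilence(), null,
                                       TimeSpan.FromMinutes(1), TimeSpan.FromMinutes(1));

        // Ctrl+C stops the session; disposing it also ends Process() below.
        Console.CancelKeyPress += (_, e) => { e.Cancel = true; session.Dispose(); };
        Console.WriteLine($"Watching port {WatchedPort} via ETW. Press Ctrl+C to stop.");
        session.Source.Process();   // blocks, dispatching events on this thread
    }

    static void Touch(int sport, int dport)
    {
        if (sport == WatchedPort || dport == WatchedPort)
            Interlocked.Exchange(ref lastSeenTicks, DateTime.UtcNow.Ticks);
    }

    static void CheckSilence()
    {
        var lastSeen = new DateTime(Interlocked.Read(ref lastSeenTicks), DateTimeKind.Utc);
        var silence = DateTime.UtcNow - lastSeen;
        if (silence > MaxSilence)
        {
            // Replace with an event-log write or alerting hook in a real service.
            Console.WriteLine($"ALERT {DateTime.UtcNow:u}: no traffic on port {WatchedPort} " +
                              $"for {silence.TotalMinutes:F0} minutes");
        }
    }
}
```

Compared with the pcap approach, this sees only what the Windows TCP/IP stack reports for this host (not frames addressed to other machines), which is exactly the scope the question asks for and avoids installing a capture driver; a stale session left behind by a crash can be removed with `logman stop PortLivenessEtwSession -ets`.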
