我几乎偶然发现我的机器正在向波兰的一台机器发送和接收 UDP 数据包。并不是说我对波兰有任何问题,我只是不知道为什么我的笔记本电脑需要与那里的服务器通信。反向 DNS 仅显示 ISP 向某些最终用户提供地址。使用 Wireshark,我可以监控这些消息,这些消息无法破译,因为它们可能已加密。从我的机器发送的所有数据包都具有相同的源端口,因此显然发送它们的应用程序打开了此 UDP 套接字来使用它。我正在寻找方法:
1)枚举系统中当前打开的所有套接字,包括创建它的进程,以及对于 TCP 和 UDP,它们当前绑定到的端口和地址。
2)因为应用程序可以打开这些套接字,使用它们,然后立即关闭它们,所以我很想找到(或者甚至编写)一个程序,一旦启动,每次创建套接字时都会以某种方式收到通知,或者更重要的是,当绑定到源和/或目标地址和端口。对于 UDP,我还希望能够监视/跟踪套接字已向其发送消息的目标 IP 地址和端口。
我不想监控流量本身,如果我想查看流量我有Wireshark。我希望能够交叉引用以发现哪个应用程序正在生成数据包。我想知道它是否来自我信任的流程,或者是否是我需要进一步调查的内容。
有谁知道有什么应用程序(适用于 Windows 平台)可以做到这一点?如果没有,关于提供此功能的 .NET 或 Windows API 有什么想法吗?我应该自己编写吗?
编辑:
经过进一步研究 - 看起来要使用的 API 是 GetExtendedUdpTable 和 GetExtendedTcpTable,CodeProject.com 有一些将它们包装在 .NET 中的示例(请参阅 http://www.codeproject.com/Articles/14423/Getting-the-active-TCP-UDP-connections-using-the-G)。因此,需要结合使用此 API 和一些嗅探器代码来监视和跟踪计算机上任何特定应用程序正在使用什么协议在哪些端口上的主机。如果我有空闲时间,我会考虑创建这个,如果您知道有一个应用程序可以完成这一切,请告诉我。
I discovered almost accidentally that my machine was sending and receiving UDP packets to a machine in Poland. Not that I have any problem with Poland, I just don't know why my laptop has the need to communicate with a server there. Reverse DNS shows just the ISP providing the address to some end user. Using Wireshark, I can monitor the messages, which were indecipherable as they were probably encrypted. All packets sent from my machine had the same source port, so clearly the application that sent them opened this UDP socket to use it. I am searching for ways to:
1) enumerate all current sockets open in the system, including the process that created it and, for both TCP and UDP, what ports and addresses they are current bound to.
2) because applications can open these sockets, use them, and close them right away, I would love to find (or perhaps even write) a program that once started would somehow get notification each time a socket gets created, or really more importantly when bound to a source and/or destination address and port. For UDP, I would love to also be able to monitor/keep track of the destination IP addresses and ports that socket has sent messages to.
I don't want to monitor the traffic itself, I have Wireshark if I want to view the traffic. I want to be able to then cross reference to discover what application is generating the packets. I want to know if it is from a process I trust, or if it is something I need to investigate further.
Does anybody know of any applications (for the Windows platform) that can do this? If not, any ideas about a .NET or Windows API that provides this capability, should I want to write it myself?
Edit:
After further research - looks like the APIs to use are GetExtendedUdpTable and GetExtendedTcpTable, CodeProject.com has some samples wrapping these in .NET (see http://www.codeproject.com/Articles/14423/Getting-the-active-TCP-UDP-connections-using-the-G). So a combination of this API and some sniffer code would be needed to monitor and keep track of what hosts at what ports using what protocol any particular application on your machine is talking to. If I ever get some free time, I'll consider creating this, if you know of an app that does all this, please let me know.
发布评论
评论(4)
尝试SysInternals TCPView。尽管它的名字如此,但它也可以处理 UDP。
Try SysInternals TCPView. Despite its name, it handles UDP as well.
netstat -b枚举所有端口以及进程名称。netstat -bto enumerate all ports along with the process names.您可以尝试使用 SysInternals 的进程监视器(ProcMon.exe 或 ProcMon64.exe)。
它允许通过“UDP 发送”操作过滤进程 - 并提供详细的 UDP 连接数据,包括源和目标地址 (IP) 以及端口等。
You can try using SysInternals' Process MOnitor (ProcMon.exe or ProcMon64.exe).
It allows for filtering of Processes by "UDP Send" Operation - and provides detailed UDP Connection data, including source and destination addresses(IP) and ports etc.
我推荐 NirSoft 的 LiveTcpUdpWatch
此处不相关,但其进程过滤器有点隐藏在“高级”中选项”。
注意:我写了这个死灵回复重播,因为
I recommend NirSoft's LiveTcpUdpWatch
Not relevant here but its process filter is kinda hidden in the "advanced options".
Note: I wrote this necro-reply replay because