How do I find what program initiated a download using wireshark? - wireshark

I have a packet capture and I'm trying to find out which program a download was made with, where would I go in the packet to find this information?
Thanks all!

Instead of looking for answers within the packet, you may want to look at which port the download was done through. That could give you more information, and faster.

I assume you know the destination ip address from where the file is downloaded. If it's something that you can catch while it's happening or you can trigger it then you could use netstat to determine the PID of the program that is handling that socket after filtering the netstat output based on the destination ip address.
Then you could use ps on Linux or TaskManager on Windows to know which program has that PID.
On Windows: How to determine which program uses or blocks specific transmission control protocol ports in Windows
Alternatively, if the packet capture is all you've got and it's not a recurring event, then if the download was done via HTTP you could check the headers of the HTTP request for info about the client in the User-Agent header.
Hope it helps.

Related

Edit tcp packets in pcap file

I need to make tcpdump using wireshark or tcpdump
For some tcp streams in log I need full packet info.
But for tcp streams in log I need to remove all info except full uri info.
For this I'm going to use regular expressions.
If URI, http.request or http.response match some of regular expressions
then I need to store full tcp stream info.
If it doesn't match, then I need to remove all tcp stream info except full uri info.
I need it to reduce log size.
What tool do you advise for this ?
Or maybe some php/python library will be helpful to create a script that will filter the log?
tcpick and tcpxtract are two tools available to filter and extract information from a tcpdump file. They are both open-source and available at sourceforge.net. You will have to write your own routine for how and what information you would like to extract. tcpick is fairly flexible regarding what parts of a packet you can view/extract.
I use TraceWrangler in my projects, which despite being beta, works very well. It allows, in addition to editing the L2/L3 headers, to sanitize the packets.
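The User-Agent hint in the first answer on this page and the regex-based stream trimming asked about in the tcpdump question above can both be shown with one small script. The following is an added example, not code from the page or from Wireshark, tcpick, tcpxtract or TraceWrangler: a minimal classic-pcap reader (Ethernet/IPv4/TCP only, no pcapng) that groups packets into streams, pulls each HTTP request's URI and User-Agent, and keeps the full stream bytes only when a regex matches a URI or anything in the stream; otherwise only the URIs are kept. The capture it parses is constructed in `sample_capture()`, and the IPs, host names and User-Agent strings in it are made up.

```python
import re
import socket
import struct

# ---- minimal classic-pcap reader plus a builder for the constructed sample ----

def build_packet(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame with zeroed MACs and checksums (enough for a parser demo)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Little-endian pcap, link type 1 (Ethernet); one record per frame, 1 s apart."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def iter_packets(pcap):
    """Yield (timestamp, frame) for every record in a classic pcap file."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", pcap, 0)[0])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(end + "IHHiIII", pcap, 0)[6] != 1:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, pcap[off:off + incl_len]
        off += incl_len

def decode_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
            sport, dport, tcp[data_off:])

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")

def parse_http_request(payload):
    """Return (method, path, headers) if the payload starts with an HTTP request, else None."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    headers = {}
    for line in payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return m.group(1).decode("ascii"), m.group(2).decode("latin-1"), headers

def filter_streams(pcap, keep_regex):
    """Group packets into TCP streams (both directions share one key), record every
    request's URI and User-Agent, and keep the full stream bytes only when keep_regex
    matches a URI or any request/response bytes; otherwise keep just the URIs."""
    keep = re.compile(keep_regex)
    streams = {}
    for _ts, frame in iter_packets(pcap):
        tcp = decode_tcp(frame)
        if tcp is None:
            continue
        src, dst, sport, dport, payload = tcp
        key = tuple(sorted([(src, sport), (dst, dport)]))
        # The first packet seen is assumed to come from the client (true for full captures).
        rec = streams.setdefault(key, {"client": src, "server": f"{dst}:{dport}",
                                       "bytes": b"", "requests": []})
        rec["bytes"] += payload
        req = parse_http_request(payload)
        if req:
            _method, path, headers = req
            rec["requests"].append({"uri": "http://" + headers.get("host", dst) + path,
                                    "user_agent": headers.get("user-agent", "")})
    results = []
    for rec in streams.values():
        uris = [r["uri"] for r in rec["requests"]]
        full = any(keep.search(u) for u in uris) or bool(keep.search(rec["bytes"].decode("latin-1")))
        results.append({"client": rec["client"], "server": rec["server"], "uris": uris,
                        "user_agents": sorted({r["user_agent"] for r in rec["requests"]}),
                        "payload": rec["bytes"] if full else None})
    return results

def sample_capture():
    """Constructed capture (not real traffic): two clients fetching from two servers."""
    req1 = (b"GET /downloads/setup.exe HTTP/1.1\r\nHost: files.example.test\r\n"
            b"User-Agent: ExampleUpdater/2.1 (Windows NT 6.0)\r\n\r\n")
    resp1 = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ..."
    req2 = (b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
            b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6\r\n\r\n")
    return build_pcap([build_packet("192.168.1.10", "203.0.113.5", 49152, 80, req1),
                       build_packet("203.0.113.5", "192.168.1.10", 80, 49152, resp1),
                       build_packet("192.168.1.11", "203.0.113.7", 49153, 80, req2)])

if __name__ == "__main__":
    for s in filter_streams(sample_capture(), r"\.exe$"):
        print(s["client"], "->", s["server"], s["uris"], s["user_agents"],
              "full stream kept" if s["payload"] is not None else "URI only")
```

Run against a real file with `filter_streams(open("capture.pcap", "rb").read(), pattern)`; the User-Agent value is only as trustworthy as the client that set it, so treat it as a hint about which program made the download, not proof.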

cocoaAsync:udp sendto success but Wireshark can't capture out data

I'm using cocoaAsync to handle udp communication.
When I use the sendData API of cocoaAsync, I'm sure sendto succeeds, from the log. But I can't see any output data in Wireshark.
This is not 100% reproducible, but very probable.
I can't figure out what could be the problem.
Thanks very much for any tips.
If you are sure that you are sending the packets right, then the following can be possibilities:
If you are sending and receiving on the same machine, then it is possible that your Wireshark does not capture it. Try sending to some destination other than your machine.
Also there can be multiple network interfaces on your machine (e.g: eth0, eth1 etc...) for Wifi and Network-Card. Please make sure you are capturing packets on the right interface. You can select interface when you press the Capture button on Wireshark.
I hope this helps.

How to find out what IP address a Windows (Vista) application connects to

Basically I need to find out where an application X connects to (IP or domain name) and what data is being passed back and forth. The application is a plain Windows app; the system is Windows Vista.
The connection is very quick and something like netstat does not show it - is there a way to show past connections using netstat or another program?
I suspect a connection is HTTP, so if this is true, knowing the full URL would be nice to have too.
Thanks
Nik
Take a look at Wireshark; it allows you to monitor all incoming and outgoing network traffic on your machine and has a ton of advanced filtering options.
You could also find your program's PID, and run netstat -o in cmd; this command lists all active connections and the PID that's using each one.

How does MW2 hide connection information from netstat?

Today I was playing Modern Warfare 2. I was hosting ground war. There were something like 20 people playing. A notorious blatant hacker joined. I wanted to get rid of him. My idea was to start adding ports to my firewall to find him and block him out.
When I opened up netstat this is what I found.
Screenshot of the netstat output: http://www.phantix-llc.com/netstat_data.jpg
The last entry is immediately after I quit the game. The last IP shown belongs to steam.
How does MW2 hide all the incoming connections from netstat?
How can I overcome this?
It'll be using UDP not TCP, so won't have fixed connections. Unfortunately you're not going to be able to find his IP from netstat for UDP; you'll have to look it up in-game.
To get more useful information from netstat, you wanted netstat -ano: that'll also show your open UDP listen sockets and the program IDs that own each one. You can then use task manager (view, select columns, add PID column) to identify which ones are owned by MW2. But UDP doesn't have fixed connections so it won't show information about who externally is using your UDP connections.
Yes, there are admin tools for mwf2; also writing status in the console (pressing ctrl+alt+supr in game so you can see the console behind). Also aIWNet_crt_u.exe, the "cheat reporting tool", will give you the IPs and names and xuid.
If you're looking to kick someone out of a game you're hosting, try this site
http://www.adivinedude.com
it has a tool with all the instructions and source code needed
Use a tcpdump/wireshark (used to be ethereal) type of tool to analyze the traffic. The problem then is that you will have to pinpoint which UDP stream belongs to the nasty person.
If you are hosting the game and are able to kick people out, you might want to record traffic and then kick him out and see which stream stops. Another option is to send him private messages and try to see where they are sent.
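Several answers on this page (filtering netstat output by destination IP to get a PID, `netstat -o`, and `netstat -ano` to see UDP listen sockets with their owning process) come down to reading netstat's table. Here is an added example, not from the page or from any of the answerers, that parses `netstat -ano` output in the layout Windows prints and answers both questions from it. The sample output is constructed; the PIDs, addresses and ports in it are made up.

```python
import re
from collections import defaultdict

# One data row of "netstat -ano" on Windows. UDP rows have no State column, so it is optional.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def split_endpoint(addr):
    """'192.0.2.1:443' -> ('192.0.2.1', '443'); '[::]:80' -> ('[::]', '80'); '*:*' -> ('*', '*')."""
    host, _, port = addr.rpartition(":")
    return host, port

def parse_netstat(text):
    """Turn netstat -ano output into rows of proto, local/remote endpoint, state and pid."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue  # title, header and blank lines
        proto, local, remote, state, pid = m.groups()
        rows.append({"proto": proto, "local": split_endpoint(local),
                     "remote": split_endpoint(remote), "state": state or "", "pid": int(pid)})
    return rows

def pids_talking_to(rows, remote_ip):
    """PIDs owning a socket whose foreign address is remote_ip (the 'filter by destination IP' step)."""
    return sorted({r["pid"] for r in rows if r["remote"][0] == remote_ip})

def udp_listeners_by_pid(rows):
    """PID -> local UDP endpoints. UDP rows carry no peer, so this is all netstat can tell you."""
    out = defaultdict(list)
    for r in rows:
        if r["proto"] == "UDP":
            out[r["pid"]].append(":".join(r["local"]))
    return dict(out)

# Constructed sample in the Windows netstat -ano layout; every value here is made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49152     203.0.113.5:80         ESTABLISHED     4312
  TCP    192.168.1.10:49160     198.51.100.20:443      TIME_WAIT       0
  TCP    [::]:135               [::]:0                 LISTENING       900
  UDP    0.0.0.0:50000          *:*                                    4312
  UDP    [::]:5355              *:*                                    1288
"""

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("PIDs connected to 203.0.113.5:", pids_talking_to(rows, "203.0.113.5"))
    print("UDP listeners per PID:", udp_listeners_by_pid(rows))
```

On a live system feed it `subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout` and then map the PID to an image name in Task Manager or with `tasklist /FI "PID eq <pid>"`, as the answers describe.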

Localhost packet analyzer for Mac

Packet sniffers generally do not capture localhost traffic. I need to inspect some post data in a localhost environment (being generated from a Ruby on Rails development). Do you know of any programs that expose localhost packets?
I use Fiddler on my Windows box for HTTP sniffing. Since it's only looking at HTTP traffic you don't get nearly the amount of noise you get with something like Wireshark.
The trick to getting it to work with data sent and received locally is to use a different endpoint for your URLs. Using http://127.0.0.1./YourServiceName instead of http://localhost/YourServiceName has always worked for me. It's important to include the trailing 'dot' in the IP address. Don't ask me why though.
If you use Firefox, you could use the HTTP Logging feature:
https://developer.mozilla.org/en/HTTP_Logging
If you just change your address from localhost to an assigned IP address (like 192.168.12.34 or whatever you may have), your packet sniffer should be able to see the packets.
These packets probably do not exist. There is no reason to packetize data when it is not leaving the host. The data should just go from socket to socket.
You might use something like Instruments or Dtrace to monitor the send system call.
I'm a satisfied user of HTTPScoop: http://www.tuffcode.com/
It's similar to the HTTP traffic analyzer addons you'll see for Firefox etc., but works system-wide, which is convenient, and can be switched to observe any of your available network interfaces.
It is not free, nor does it observe HTTPS traffic, but other than that it's a worthwhile addition to your toolbox.