Microsoft Network Monitor 3.2 Beta for Tracking Traffic Origination

I'm always looking for a tool to map the traffic to or from a host with the process receiving or sending it. Today I noticed that Microsoft Network Monitor offers a beta that appears to have the functionality, according to this Netmon blog post. I visited the Netmon site on Microsoft Connect (registration required) to download beta 3.2. I ran two live capture tests to see what Netmon 3.2 beta would report.



As you can see in this first screen capture, the vast majority of traffic is considered "unknown." I tried using ping.exe in a cmd.exe terminal. I tried using ftp.exe in the same cmd.exe terminal. I used Firefox to watch a YouTube video, and I used Microsoft Media Player to view some video. It seemed that the more time an activity occupied, the more likely Netmon would associate it with the right process. For example, downloading a FreeBSD .iso through Firefox appeared associated with Firefox, but visiting most Web sites did not.



I tried a second session where I updated Adobe Acrobat Reader, launched Skype, and a few other actions. Again the vast majority of traffic is "unknown," although I could tell much of it was caused by launching Skype.

Does anyone else use this program and get different results? Incidentally I took these actions as Administrator to ensure I didn't run into any permissions problems, but it doesn't seem to have made a difference here.

Do you have a program to map traffic to generating processes, live?

Comments

Anonymous said…
When would its release date be???
I'm seeing the same thing on my workstation.

If netstat can map active connections to PID I don't see why NM couldn't do the same.
orekdm said…
I would highly recommend tcpvcon which is the Sysinternals command line version of Tcpview. Netstat (-anb) doesn't provide a full path to the executable and seems to run very slow in some environments for some reason.

For years now (in various corporate settings), I have sourced previously undetected malware infections by looking at outbound dropped traffic and then used psexec and tcpvcon to capture the full path to the application that is generating the traffic.

Then I would psexec and pscp the file back to an scponly drop point for further analysis.

Of course this requires you to catch the culprit in the act. And in my experience modern malware authors have gotten smarter about not blasting the wire trying to phone home. For this purpose I wrote a prototype netwatch.pl script which performs the same action as tcpvcon, but allows you to psexec it once and set it to loop until it matches the selected criteria (src/dst IP or port).
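As an added example (not orekdm's netwatch.pl, which is not published here), the core of such a watcher in Python: it parses `netstat -ano` rows, joins each PID against a PID-to-image-path table built separately (tasklist or WMI on a real host; constructed here), and returns the first connection that matches a src/dst IP or port. The sample netstat output is constructed, and `watch` assumes a Windows host where `netstat -ano` is available.

```python
import re
import subprocess
import time

# One data row of Windows `netstat -ano`: TCP rows carry a state column, UDP rows do not.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")

def split_endpoint(ep):
    """Split 'host:port' or '[v6addr]:port' into (host, port); a '*' port becomes None."""
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(lines):
    """Yield one dict per connection row; the banner, header and blank lines are skipped."""
    for line in lines:
        m = ROW.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        yield {"proto": proto, "lhost": lhost, "lport": lport, "rhost": rhost,
               "rport": rport, "state": state, "pid": int(pid)}

def matches(conn, ip=None, port=None):
    """True when the row touches the given IP and/or port on either side (the criteria orekdm describes)."""
    ip_ok = ip is None or ip in (conn["lhost"], conn["rhost"])
    port_ok = port is None or port in (conn["lport"], conn["rport"])
    return ip_ok and port_ok

def find_owner(lines, pid_to_image, ip=None, port=None):
    """Return (connection, image path) for the first matching row, or None if nothing matches."""
    for conn in parse_netstat(lines):
        if matches(conn, ip, port):
            return conn, pid_to_image.get(conn["pid"], "<unknown>")
    return None

def watch(pid_to_image, ip=None, port=None, interval=2.0, attempts=None):
    """Poll `netstat -ano` until a row matches, so the culprit need not be caught by hand. Windows only."""
    n = 0
    while attempts is None or n < attempts:
        rows = subprocess.check_output(["netstat", "-ano"], text=True).splitlines()
        hit = find_owner(rows, pid_to_image, ip, port)
        if hit:
            return hit
        time.sleep(interval)
        n += 1
    return None

# Constructed sample in the layout of `netstat -ano` (not a real capture).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.20:49210     203.0.113.10:443       ESTABLISHED     4120
  UDP    0.0.0.0:500            *:*                                    1204
""".splitlines()
# Constructed PID -> image path table; on a real host this comes from tasklist or WMI, not from netstat.
SAMPLE_IMAGES = {880: r"C:\Windows\System32\svchost.exe",
                 4120: r"C:\Tools\updater.exe",
                 1204: r"C:\Windows\System32\lsass.exe"}
```

`find_owner(SAMPLE, SAMPLE_IMAGES, ip="203.0.113.10")` attributes the HTTPS connection to PID 4120 and its image path; the parser reports `state` as `None` for UDP rows.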
Anonymous said…
I recommend you check out oSpy:
http://code.google.com/p/ospy/
Anonymous said…
Nexthink does quite a lot of things and is particularly process-intrusive
http://www.nexthink.com/home
marc
Anonymous said…
Microsoft's "Port Reporter" provides good results from most TCP traffic, UDP is less thorough.

While TCPView (and TCPVCon, its command line equivalent) is great at a point in time, it requires you to catch the process in action.

Port reporter will log to a file each and every TCP connection made.

I'm off to check out NexThink.
Sometimes I should just check my own blog... looks like I noticed Port Reporter in 2004.
SynJunkie said…
A nice little tool if you do want to focus on the network activity of a particular application is SocketSniff from NirSoft. It's a stand alone exe that runs pretty well.

Regards

Lee
Anonymous said…
This comment has been removed by a blog administrator.
Anonymous said…
Wow, when is this going to be released? I can't find it anywhere!

Cheers,
Dianna
Dianna,

Visit the link I posted, log in with your Live account, and you'll go straight to the right page.
SynJunkie said…
Richard, you may find this useful. SysInternals (OK Microsoft) have upgraded procmon to version 2 which lists network connectivity of individual processes.

Pretty nice.

Cheers

Lee
SynJunkie said…
Oh, and just looking at the options. The "Boot Logging" feature would give you some of the same detail as Port Reporter, I guess, along with a whole lot more that you get with the tool, such as file and registry activity.

Cheers

Lee
Anonymous said…
have a look at SecurActive NSS solutions. Pretty good tool if you don't want to waste your time looking at all your packets with your sniffer.
