Is there a way to monitor what process sends UDP packets (source/dest IP and port) in Windows?
I discovered almost accidentally that my machine was sending and receiving UDP packets to a machine in Poland. Not that I have any problem with Poland, I just don't know why my laptop has the need to communicate with a server there. Reverse DNS shows just the ISP providing the address to some end user. Using Wireshark, I can monitor the messages, which were indecipherable as they were probably encrypted. All packets sent from my machine had the same source port, so clearly the application that sent them opened this UDP socket to use it. I am searching for ways to:

1) enumerate all current sockets open in the system, including the process that created them and, for both TCP and UDP, what ports and addresses they are currently bound to.

2) because applications can open these sockets, use them, and close them right away, I would love to find (or perhaps even write) a program that once started would somehow get notification each time a socket gets created, or really more importantly when bound to a source and/or destination address and port. For UDP, I would love to also be able to monitor/keep track of the destination IP addresses and ports that socket has sent messages to.

I don't want to monitor the traffic itself, I have Wireshark if I want to view the traffic. I want to be able to then cross-reference to discover what application is generating the packets. I want to know if it is from a process I trust, or if it is something I need to investigate further.

Does anybody know of any applications (for the Windows platform) that can do this? If not, any ideas about a .NET or Windows API that provides this capability, should I want to write it myself?

Edit: After further research - looks like the APIs to use are GetExtendedUdpTable and GetExtendedTcpTable, CodeProject.com has some samples wrapping these in .NET (see http://www.codeproject.com/Articles/14423/Getting-the-active-TCP-UDP-connections-using-the-G). So a combination of this API and some sniffer code would be needed to monitor and keep track of what hosts at what ports using what protocol any particular application on your machine is talking to. If I ever get some free time, I'll consider creating this, if you know of an app that does all this, please let me know.

Crockery answered 6/2, 2012 at 16:14 Comment(6)
tcpdump? ethereal? You will need the WinPcap library for them.Accompanist
ethereal is the old name for Wireshark - lets you see the packets including source and dest addresses and ports - but no process identification at all. I can see the packets, I want to know what process sent/received them.Crockery
Which version of Windows? Back in the day I used Kerio Personal Firewall, which very nicely showed all sockets along with owning process, and even let you write rules on outgoing traffic. But I don't think it works on Vista/Win7. Also be warned, they released a new product which is a complete piece of trash under the same name, masquerading as a new version.Maes
+1 for using a personal firewall (I used to use ZoneAlarm myself back in my earlier days, now I rely on hardware firewalls in my routers). Let it report the details to you, rather than trying to find them manually.Jost
@Remy: Of course, a router firewall doesn't have access to process information, you need something running locally on the workstation for that.Maes
@BenVoigt: That is why I mentioned ZoneAlarm. It is a software-based firewall. I used to use it all the time before I had enough computers to need routers.Jost
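An added example, not code from the original question or any of the answers, of the enumeration described in the question's edit. The Get-NetUDPEndpoint and Get-NetTCPConnection cmdlets (NetTCPIP module, Windows 8 / Server 2012 and later) expose the same per-endpoint owning PID that GetExtendedUdpTable/GetExtendedTcpTable return, so a local source port seen in Wireshark can be mapped to a process and image path without writing P/Invoke wrappers. The function names and the port 52000 in the usage line are my own constructions.

```powershell
# Added example, not from the original post. Requires the NetTCPIP module
# (Windows 8 / Server 2012 and later). Run elevated so the image path of
# services and other users' processes can be read.

function Get-SocketOwners {
    # Build one PID -> process lookup instead of calling Get-Process per endpoint.
    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[$_.Id] = $_ }

    $rows = @()
    # UDP table: local side only. The remote peer of a datagram is not kept in the
    # socket table; it has to come from the sniffer or from WFP/ETW events.
    foreach ($e in (Get-NetUDPEndpoint)) {
        $rows += [pscustomobject]@{
            Proto = 'UDP'; LocalAddr = $e.LocalAddress; LocalPort = $e.LocalPort
            RemoteAddr = $null; RemotePort = $null; State = $null
            PID = $e.OwningProcess
        }
    }
    foreach ($c in (Get-NetTCPConnection)) {
        $rows += [pscustomobject]@{
            Proto = 'TCP'; LocalAddr = $c.LocalAddress; LocalPort = $c.LocalPort
            RemoteAddr = $c.RemoteAddress; RemotePort = $c.RemotePort; State = $c.State
            PID = $c.OwningProcess
        }
    }
    foreach ($r in $rows) {
        $p = $byPid[[int]$r.PID]
        # PID 0/4 (System) and owners that already exited have no user-mode image.
        $r | Add-Member -NotePropertyName Process -NotePropertyValue ($(if ($p) { $p.ProcessName } else { '<none/exited>' }))
        $r | Add-Member -NotePropertyName Path    -NotePropertyValue ($(if ($p) { $p.Path } else { $null }))
        $r
    }
}

# Cross-reference a local source port observed in Wireshark with its owning process.
function Resolve-LocalPort {
    param(
        [Parameter(Mandatory)][int]$Port,
        [ValidateSet('UDP', 'TCP')][string]$Proto = 'UDP'
    )
    $hits = Get-SocketOwners | Where-Object { $_.Proto -eq $Proto -and $_.LocalPort -eq $Port }
    if (-not $hits) {
        # A short-lived socket may already be gone by the time the table is read.
        Write-Warning "No $Proto socket bound to local port $Port right now; the owner may have closed it already."
    }
    $hits
}

# Constructed usage: 52000 stands in for the source port seen in the capture.
Resolve-LocalPort -Port 52000 -Proto UDP |
    Format-Table Proto, LocalAddr, LocalPort, PID, Process, Path -AutoSize
```

The snapshot has the same limitation as netstat -b and TCPView: it only answers for sockets that are bound at the moment you look, and for UDP it cannot tell you which remote hosts the socket has sent to. The warning branch is the case from the question where the sender opens, uses and closes the socket quickly; catching that needs an event source rather than a table read.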
netstat -b to enumerate all ports along with the process names.

Oxen answered 6/2, 2012 at 16:18 Comment(1)
this will tell me what process is listening on a UDP port, but how do I know who sent a UDP packet? I suppose if I used WinPCAP and see the UDP packet from a particular local machine port, I could use netstat -b to try to find that local port in the list. But if it is not there? I'm curious what API netstat -b uses, I would want to use that API in any programming effort. Ideally it could notify me when new sockets are bound, otherwise I'd have to poll, and I doubt that is a very inexpensive thing to do...Crockery
Try SysInternals TCPView. Despite its name, it handles UDP as well.

Jost answered 6/2, 2012 at 22:48 Comment(0)
You can try using SysInternals' Process Monitor (ProcMon.exe or ProcMon64.exe).

It allows for filtering of processes by the "UDP Send" operation, and provides detailed UDP connection data, including source and destination addresses (IP) and ports, etc.

Geminate answered 12/11, 2022 at 21:28 Comment(0)
I recommend NirSoft's LiveTcpUdpWatch

Not relevant here but its process filter is kinda hidden in the "advanced options".

Note: I wrote this necro-reply because

  1. this page is one of the first hits on this topic.
  2. TCPView doesn't help at all (only shows open UDP ports but no traffic or outgoing stuff AFAIK).
  3. ProcMon logs every packet individually while LiveTcpUdpWatch aggregates traffic on a per-port basis (same port rule: remote+local / only remote / only local).
Breann answered 27/7, 2023 at 1:25 Comment(0)
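The comment under the netstat answer asks for notification of socket activity instead of polling, and the last answer contrasts ProcMon's per-event logging with per-port aggregation. An added example, not code from any answer, showing how the built-in Windows Filtering Platform connection audit (Security event 5156, "The Windows Filtering Platform has permitted a connection") gives an event-driven record of outbound UDP sends with the owning PID and image path, and how to aggregate those events per process and destination. The function names are mine. The field names and the Protocol/Direction values used below are the documented ones for 5156, but check them against one event on your own system before trusting a filter built on them.

```powershell
# Added example, not from the original post. Enable the audit once, elevated:
#   auditpol /set /subcategory:"Filtering Platform Connection" /success:enable
# Reading the Security log also requires an elevated session. Each event carries
# ProcessID, Application (an NT device path such as \device\harddiskvolume3\...),
# Direction (%%14593 = Outbound, %%14592 = Inbound), SourcePort, DestAddress,
# DestPort and Protocol (17 = UDP, 6 = TCP).

function Get-UdpSendEvents {
    param([datetime]$Since = (Get-Date).AddMinutes(-10))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156; StartTime = $Since } -ErrorAction Stop |
        ForEach-Object {
            # Pull the EventData name/value pairs out of the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            if ($d.Protocol -eq '17' -and $d.Direction -eq '%%14593') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    PID         = [int]$d.ProcessID
                    Application = $d.Application
                    SrcPort     = [int]$d.SourcePort
                    DestAddr    = $d.DestAddress
                    DestPort    = [int]$d.DestPort
                }
            }
        }
}

# Collapse the event stream to one line per (image, remote address, remote port),
# the per-port view the LiveTcpUdpWatch answer describes, instead of one line per event.
function Get-UdpPeerSummary {
    param([datetime]$Since = (Get-Date).AddMinutes(-10))

    Get-UdpSendEvents -Since $Since |
        Group-Object Application, DestAddr, DestPort |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Application = $first.Application
                DestAddr    = $first.DestAddr
                DestPort    = $first.DestPort
                Flows       = $_.Count
                FirstSeen   = ($_.Group | Measure-Object Time -Minimum).Minimum
                LastSeen    = ($_.Group | Measure-Object Time -Maximum).Maximum
            }
        } |
        Sort-Object Flows -Descending
}

Get-UdpPeerSummary -Since (Get-Date).AddHours(-1) | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. WFP audits at the ALE layers, so for UDP an event is generated when a new flow to a remote endpoint is seen rather than for every datagram; the Flows column is a lower bound on packets, and a sniffer is still the tool for packet counts. And the Security log fills quickly once this subcategory is enabled on a busy host, so either raise the log size or disable the audit again (`/success:disable`) when the investigation is done.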