Ethereal-users: RE: [Ethereal-users] Discovering the process that generated a packet

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "DAIGLE, ANDREW PAUL" <ADAIG90@xxxxxxxxxxx>
Date: Wed, 11 Jan 2006 16:42:56 -0600

Afaik there is no way to configure Ethereal to associate a packet to a process. However, you should be able to determine the source by inference. Look at the packet's destination IP and destination port. Who does the destination IP belong to? Is the destination port a well-known port? If not, do a Google search and see if you can find an app that listens on that port. Is there any ASCII data in the packet that would help identify what it is requesting? If you suspect Steam, start a capture and launch the Steam client. Does it connect to the same destination IP/IP block/port as the packet in question?

If you can determine who/what the client is talking to, you should be able to determine what process on your machine is doing the talking.

Andrew

-----Original Message-----
From: secjunky [mailto:secjunky@xxxxxxxxx]
Sent: Wednesday, January 11, 2006 3:34 PM
To: ethereal-users@xxxxxxxxxxxx
Subject: [Ethereal-users] Discovering the process that generated a packet

Hello list, I've been looking for this for a while, but I can't seem to find anything. I would like to know if ethereal can tell me the actual process that sent the packet in question. Here's the scenario.
I leave ethereal running overnight on all of my machines (slackware, winxp pro, winxp 64) to see what is talking to who. When I come back in the morning, as expected, my slack box was nice and tight-lipped. The XP pro w/ zone alarm was nice and quiet as well, but it was the XP64 that was the chatterbox. It turns out that my Steam account (from Valve software) would wake up in the middle of the night (after being closed) and talk to its update server. This is actually my assumption, seeing as I cannot discern the process that sent the packet from the ethereal scan.

So this is my question: is there a way to configure ethereal to display the process that generated the packet in question? I know I could sit at the computer with TCPView or netstat running, but as I said, this is done overnight and I can't be at the computer all night (i.e. I need logging). I also know I could simply run the windows variant of the Linux command 'netstat -c' and compare times, but I think this would be tedious and a feature like this would be very useful in ethereal if it doesn't already exist.

I found this on the ethereal forum (http://www.ethereal.com/lists/ethereal-dev/200110/msg00129.html), but it is very old and is far beyond my menial coding experience. Does anyone have any suggestions or patches for ethereal that I could use? Thanks in advance.
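The "log netstat periodically and compare times" approach that the question mentions, worked through as an added example (not code from this thread or from Ethereal): each captured packet is matched against the socket-to-PID snapshot closest in time whose endpoints agree, and a packet whose connection opened and closed between two snapshots stays unattributed, which is exactly the gap the poster is worried about. The snapshot and capture line layouts are this example's own, and the addresses and PIDs are constructed.

```python
import datetime as dt
from collections import namedtuple

Packet = namedtuple("Packet", "ts src dst")      # src/dst are "ip:port" strings
Sock = namedtuple("Sock", "ts local remote pid")

# Constructed sample input: one line per socket from a scheduled loop that logs
# local endpoint, remote endpoint and owning PID (e.g. from `netstat -ano` on
# Windows). The layout is this example's own, not netstat's raw output.
NETSTAT_LOG = """\
2006-01-11T03:00:00 192.0.2.20:1043 198.51.100.7:27015 4120
2006-01-11T03:01:00 192.0.2.20:1043 198.51.100.7:27015 4120
2006-01-11T03:01:00 192.0.2.20:1055 198.51.100.9:80 912
"""

# Constructed packet list exported from the capture (time, source, destination).
CAPTURE = """\
2006-01-11T03:00:20 192.0.2.20:1043 198.51.100.7:27015
2006-01-11T03:00:40 192.0.2.20:1055 198.51.100.9:80
2006-01-11T03:07:00 192.0.2.20:1099 198.51.100.9:443
"""

def parse_time(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def parse_sockets(text):
    return [Sock(parse_time(ts), local, remote, int(pid))
            for ts, local, remote, pid in (l.split() for l in text.splitlines())]

def parse_packets(text):
    return [Packet(parse_time(ts), src, dst)
            for ts, src, dst in (l.split() for l in text.splitlines())]

def owner_of(packet, sockets, window_s=90):
    """PID from the snapshot entry nearest in time whose endpoints match the
    packet in either direction; None if no snapshot within window_s saw it."""
    same = lambda s: ((s.local, s.remote) == (packet.src, packet.dst) or
                      (s.local, s.remote) == (packet.dst, packet.src))
    hits = [s for s in sockets
            if same(s) and abs((s.ts - packet.ts).total_seconds()) <= window_s]
    if not hits:
        return None
    return min(hits, key=lambda s: abs(s.ts - packet.ts)).pid

def attribute(capture_text, netstat_text, window_s=90):
    sockets = parse_sockets(netstat_text)
    return [(p.ts.isoformat(), owner_of(p, sockets, window_s))
            for p in parse_packets(capture_text)]

if __name__ == "__main__":
    for ts, pid in attribute(CAPTURE, NETSTAT_LOG):
        print(ts, "pid", pid if pid is not None else "unknown (closed between snapshots)")
```

Shortening the snapshot interval narrows the window in which a short-lived connection can escape attribution, at the cost of more log volume.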