
Wireshark-users: Re: [Wireshark-users] How to find the application sending a namerequest?

From: Bob Frottner <frotty22@xxxxxxxxx>
Date: Sat, 28 Oct 2006 13:05:15 -0700 (PDT)
Thanks James, that's great help!

I found out that - ok, I should have expected that - svchost (registering dnscache.dll) is sending the DNS name query and getting the response "no such name". But I still cannot figure out which application initiated the DNS request, which application sits at the starting point for asking for the unknown server. I suspect it is some service.

Thanks,
  Bob

"Small, James" <JSmall@xxxxxxxxxxxxxx> wrote:
One way to narrow it down would be to use Wireshark to identify the source IP and port. So on that particular Windows box, you could then use either netstat -ano (believe only 2003 and XP add the -o option) or you could use fport from Foundstone:
http://www.foundstone.com/knowledge/proddesc/fport.html

These should let you map the source port to a particular process ID or application/service. From there the best tool to use to look at processes is probably Process Explorer on sysinternals.com: http://www.sysinternals.com/Utilities/ProcessExplorer.html

Alternatively you can use the Windows built-in tool by pressing Control-Shift-Esc to bring up Windows Task Manager and click on the Process Tab. However, process explorer is much more thorough and powerful (and also free).

On the same site you can also check out TCPView that lets you view all networking apps and the process IDs: http://www.sysinternals.com/Utilities/TcpView.html

That's not perfect but it should give you a good start. If you still can't figure it out after that try posting again with what you found so far.

--Jim

________________________________________
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Bob Frottner
Sent: Saturday, October 28, 2006 3:11 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] How to find the application sending a namerequest?

Hi,

I have no experience in network analysis. However, there is a network problem here and I think I have found it using Wireshark: Some Windows application or service is sending name queries asking for a server which has been removed from the net.

Now my question: How can I find out which application or service within windows is sending those name queries? That must be trackable somehow but I have no idea how...

It would be great if somebody could give me help on this!

Thanks,
  Bob

________________________________________
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
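A worked version of the port-to-process mapping Jim describes, added here as an illustration and not part of the original thread: it parses constructed sample output of `netstat -ano` and `tasklist /svc` (both real Windows commands; the sample lines, addresses, ports and PIDs below are made up) and resolves the UDP source port of a DNS query, as read from the Wireshark capture, to the owning PID, image name and the services hosted in that process. The function and variable names are this example's own.

```python
import re

# Constructed sample of "netstat -ano" output (made up for this example).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  TCP    192.168.1.20:1045      192.168.1.10:445       ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    712
  UDP    192.168.1.20:1037      *:*                                    1184
  UDP    192.168.1.20:137       *:*                                    4
"""

# Constructed sample of "tasklist /svc" output (made up for this example).
SAMPLE_TASKLIST = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    936 RpcSs
svchost.exe                   1184 Dnscache
lsass.exe                      712 PolicyAgent, ProtectedStorage, SamSs
"""

# One netstat row: proto, local addr:port, foreign addr, optional TCP state, PID.
# UDP rows have no state column, so the state group is optional.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+)\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)

# One tasklist /svc row: image name, PID, comma-separated service list or N/A.
TASKLIST_RE = re.compile(r"^(?P<image>\S+)\s+(?P<pid>\d+)\s+(?P<services>.+?)\s*$")


def parse_netstat(text):
    """Return a list of socket rows {proto, laddr, lport, state, pid}."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            rows.append({
                "proto": m.group("proto"),
                "laddr": m.group("laddr"),
                "lport": int(m.group("lport")),
                "state": m.group("state"),
                "pid": int(m.group("pid")),
            })
    return rows


def parse_tasklist(text):
    """Return {pid: {image, services}} from tasklist /svc output."""
    procs = {}
    for line in text.splitlines():
        if line.startswith("Image Name") or line.startswith("="):
            continue
        m = TASKLIST_RE.match(line)
        if not m:
            continue
        svc = m.group("services")
        services = [] if svc == "N/A" else [s.strip() for s in svc.split(",")]
        procs[int(m.group("pid"))] = {"image": m.group("image"), "services": services}
    return procs


def find_sender(netstat_text, tasklist_text, proto, local_port):
    """Map a local port seen in the capture to the PID that owns the socket,
    then to the image name and hosted services. Returns None if no socket
    currently uses that port (DNS sockets are short-lived, so a query seen
    in Wireshark may already be gone by the time netstat runs)."""
    procs = parse_tasklist(tasklist_text)
    for row in parse_netstat(netstat_text):
        if row["proto"] == proto and row["lport"] == local_port:
            info = procs.get(row["pid"], {"image": "unknown", "services": []})
            return {"pid": row["pid"], "image": info["image"],
                    "services": info["services"]}
    return None


if __name__ == "__main__":
    # Suppose Wireshark showed the failing DNS query leaving UDP port 1037.
    print(find_sender(SAMPLE_NETSTAT, SAMPLE_TASKLIST, "UDP", 1037))
```

In practice the UDP source port is read from the DNS query packet in Wireshark (a display filter such as `dns.flags.rcode == 3` isolates the "No such name" responses, and the matching query carries the source port). Landing on an svchost.exe instance hosting Dnscache, as Bob did, is expected: the Windows DNS Client service sends queries on behalf of whichever process asked to resolve the name, so the socket owner is the resolver rather than the originator, and the originating process has to be identified with a process-level tool such as the Process Explorer Jim recommends.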

