Wireshark-users: Re: [Wireshark-users] How to find the application sending a name request?

From: "Small, James" <JSmall@xxxxxxxxxxxxxx>
Date: Sun, 29 Oct 2006 00:34:21 -0400

Bob,


If the query is coming from a remote machine, you should be able to run Wireshark on that system and see the source of the original query to the DNS server.  If that’s not the case and the query is initiated from the local machine then I’m not sure.  You could try this tool from Sysinternals:

http://www.sysinternals.com/Utilities/TdiMon.html


That might help.  You used to be able to get a trial version of TCPViewPro from winternals.com but I don’t see that option any more.  That version is more powerful.


You can also run services.msc and try stopping services or use Process Explorer and kill processes until you figure out which one is the culprit.  Short of that, I’m not sure what else to tell you.  I’m not much of a Windows internals expert.  You might want to try one of the Microsoft forums – some of them are very helpful or look for articles by Mark Russinovich, the Windows Internals Guru (and Author of the Sysinternals Tools).


Good luck,

  --Jim
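
To make the port-to-PID mapping from Jim's earlier reply (quoted below) concrete, here is an added example that is not code from the thread: it matches the UDP source port Wireshark shows for each DNS query against constructed `netstat -ano` output (the Wireshark export format, the IPs, ports and PIDs are all assumptions made up for the example).

```python
"""Map the UDP source port of a DNS query (as seen in Wireshark) to the owning
process ID using `netstat -ano` output. Sample inputs are constructed."""
import re

# Constructed Wireshark export, tab-separated: source IP, source UDP port,
# queried name (e.g. from tshark -T fields).
WIRESHARK_QUERIES = """\
192.168.1.50\t61542\toldserver.corp.example
192.168.1.50\t61543\tfileserver.corp.example
192.168.1.50\t61600\tgone.corp.example
"""

# Constructed `netstat -ano` output (Windows XP/2003; -o adds the PID column).
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  UDP    0.0.0.0:500            *:*                                    712
  UDP    192.168.1.50:61542     *:*                                    1080
  UDP    192.168.1.50:61543     *:*                                    1080
"""

# Groups: proto, local addr, local port, foreign addr, optional TCP state, PID.
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")

def parse_netstat(text):
    """Return {(proto, local_port): pid} for every socket line in the output."""
    table = {}
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, _addr, port, _foreign, _state, pid = m.groups()
            table[(proto, int(port))] = int(pid)
    return table

def parse_queries(text):
    """Return [(src_ip, src_port, name)] from the tab-separated export."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            src_ip, src_port, name = line.split("\t")
            rows.append((src_ip, int(src_port), name))
    return rows

def attribute_queries(queries_text, netstat_text):
    """Return {query_name: pid}; None means the ephemeral UDP port had already
    closed when netstat ran, which is common for short DNS lookups."""
    ports = parse_netstat(netstat_text)
    return {name: ports.get(("UDP", port))
            for _ip, port, name in parse_queries(queries_text)}
```

As Bob found, on Windows that port will usually belong to the svchost.exe instance hosting the DNS Client service, so this narrows the search to the resolver rather than the application that originally asked for the name.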



From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Bob Frottner
Sent: Saturday, October 28, 2006 4:05 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Re: [Wireshark-users] How to find the application sending a name request?


Thanks James, that's great help!

I found out that - ok, I should have expected that - svchost (registering dnscache.dll) is sending the DNS name query and getting the response "no such name". But I still cannot figure out which application initiated the DNS request, which application sits at the starting point for asking for the unknown server. I suspect it is some service.

Thanks,
  Bob

"Small, James" <JSmall@xxxxxxxxxxxxxx> wrote:

One way to narrow it down would be to use Wireshark to identify the source IP and port. So on that particular Windows box, you could then use either netstat -ano (believe only 2003 and XP add the -o option) or you could use fport from Foundstone:
http://www.foundstone.com/knowledge/proddesc/fport.html

These should let you map the source port to a particular process ID or application/service. From there the best tool to use to look at processes is probably Process Explorer on sysinternals.com: http://www.sysinternals.com/Utilities/ProcessExplorer.html

Alternatively you can use the Windows built-in tool by pressing Control-Shift-Esc to bring up Windows Task Manager and clicking on the Processes tab. However, Process Explorer is much more thorough and powerful (and also free).

On the same site you can also check out TCPView that lets you view all networking apps and the process IDs: http://www.sysinternals.com/Utilities/TcpView.html

That's not perfect but it should give you a good start. If you still can't figure it out after that try posting again with what you found so far.

--Jim

________________________________________
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Bob Frottner
Sent: Saturday, October 28, 2006 3:11 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] How to find the application sending a name request?

Hi,

I have no experience in network analysis. However, there is a network problem here and I think I have found it using Wireshark: Some Windows application or service is sending name queries asking for a server which has been removed from the net.

Now my question: How can I find out which application or service within windows is sending those name queries? That must be trackable somehow but I have no idea how...

It would be great if somebody could give me help on this!

Thanks,
  Bob

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users