Packet Captures Filtered by Process

Published: 2017-04-13
Last Updated: 2017-04-13 02:55:10 UTC
by Rob VandenBrink (Version: 1)
1 comment(s)

Already you're thinking, did I read that right?  The answer is nope, you absolutely can capture by Windows Process, just not with Windump or Wireshark.  A while back I wrote a short diary about using NETSH to capture packets ( https://isc.sans.edu/diary/19409 ), and this story builds on that one.

A quick recap - to capture packets using NETSH, for a basic capture you'd do something like:

netsh trace start  capture=yes tracefile=c:\temp\trace.etl

Then to stop the capture, execute:

netsh trace stop

Before we proceed, get the process details for the app you are trying to track.  Some thing as simple as:

tasklist > tasklist.out

will give you the list of windows processes and the process numbers.

You can get much more detail from sysinternals tools like Process Monitor, or better yet, Process Explorer.  In this screenshot (from Process Explorer) we see that Citrix Receiver client actually is 5 running processes at the moment on my machine.

And Cisco AnyConnect has 2 (vpnui and vpnagent)

In this case I'm chasing the packets from Cisco's AnyConnect VPN client.  In the Process Explorer screeshot above, the associated processes are mixed in with those from the legacy IPSEC VPN client.  This is easy enough to filter out in Wireshark if you know what the process does, but what you are looking for in a lot of cases is what *else the process is doing?"  Is it phoning home for updates?  Is it phoning home to share information that you don't want shared?  For a VPN client you know what you are connecting to (so that part is easy to filter if you were using Wireshark), but what else is it doing?

On to analyzing the captured data by application or process.  Instead of exporting the whole works to pcap format, open the NETSH output in Microsoft Message Analyzer, Microsoft's awesome succesor to the venerable NETMON that many of us have used over the years.

The right had pane looks pretty familiar, complete with a "network tuple" style filter at the top.  The left hand pane however is where we're looking today.  That's what I call the "filter by other stuff" window.  Let's trim the criteria down to the Process Name and Process ID (or you could just pick one or the other, it comes to the same thing since each process name has a unique process number).

Now, pick the target application, and the associated messages will appear in the right hand pane.  Wait, messages?  Yes, what you'll see in the right hand pane is a mix of packets in and out of the application, as well as the Windows Events that are generated by the application - bet you weren't expecting that?

If you click on a message, you'll see associated message details:


You see in the screenshot below that each packet is broken up heirarchally like you'd expect - my VPN traffic is fully represented, right down to the 802.11 wireless frames that are associated with the application.  In OSI speak, as you click on each "layer" in the packet or frame, you'll see the detail in the window directly below.

And as you'd expect, clicking any of the "layers" above gives you more details:

Want to export to pcap format?  You can write a filter for the display window, or simply highlight a number of records, then choose File / Save As / Export.  I found that it was pretty easy to confuse the export process - a few null content files got me past this, it does work nicely.  Just don't expect Wireshark to consume the Windows Event data.

Then simply open the resulting CAP file in Wireshark or whatever "analyze the pcap" tool or script you need to continue your analysis (the traffic shown here is idle traffic routing through the tunnel):

This is a very basic example - I'm just starting with Message Analyzer.  There seems to be no end to how deep you can dig into the data with this tool though, and the interface is pretty straightforward - call me crazy, but for some things I might end up preferring it over Wireshark!  Though my CLI bias is still firmly in place - TCPDump and other CLI/scripting tools are still my solid go-to once there's more than a few thousand packets.

Next chance I get I'm digging into how PowerShell can be used to work some automation goodness into this process.  More on this here:
https://technet.microsoft.com/en-us/library/dn456518(v=wps.630).aspx
https://blogs.technet.microsoft.com/messageanalyzer/2013/10/29/using-powershell-to-automate-tracing/

Lots of MS Message Analyzer tid-bits can be found at:  https://blogs.technet.microsoft.com/messageanalyzer

Have you done something way cool with Message Analyzer?  Please, share using our comment form!

===============
Rob VandenBrink
Compugen

1 comment(s)
ISC Stormcast For Thursday, April 13th 2017 https://isc.sans.edu/podcastdetail.html?id=5456

Comments

What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
https://defineprogramming.com/
https://defineprogramming.com/
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
Enter corthrthmment here...

Diary Archives