This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi,

I would like to check which connections a program made and where to, but I have problems setting Wireshark up. HTTP-only connections aren't enough; I want to see if it does more than that.

I don't even know where to see in Wireshark which program generated specific traffic, so I would really appreciate help. Although I have known about Wireshark for months and have used it a few times, I'm not a pro with it.

Greetings

asked 04 Jul '13, 13:23

Metro2033
accept rate: 0%

Start the program through a sandbox and watch the traffic made by it.

If you start the program in a sandbox, why do you need Wireshark? The sandbox tool should tell you all connections opened by the program.

(04 Jul '13, 14:55) Kurt Knochner ♦

Wireshark does not have the capability to show which process generated traffic, it can only capture the traffic.

If you're running on Windows, Network Monitor from MS can show the process involved with the traffic.

The command line program netstat and the appropriate options for your OS can show which process is using current socket connections.


answered 04 Jul '13, 13:35

grahamb ♦
accept rate: 22%

Thanks a lot for your fast reply... Well, alright. Can Network Monitor also show the captured traffic of a program "before it even starts"? Since the program is generating the most traffic while starting, I'm not fast enough to catch it and then show the traffic.

(04 Jul '13, 13:40) Metro2033

What do you mean by "before it even starts"? Network Monitor (and Wireshark) will capture traffic from the point at which you ask it to start capturing. If this is after a program has started sending traffic, then that traffic won't be captured, only traffic after the start of capture.

If the program runs at system start-up then you will have to look at capturing off the local machine, e.g. by using the port-mirroring or span option of a switch connected to the target host and another machine running the capture. See the Ethernet Capturing Setup page on the Wiki for more info.

(04 Jul '13, 13:46) grahamb ♦

Well, since the program connects to whatever it does very fast and right when it starts, it's hard to make Network Monitor only show traffic made by this program. Can Network Monitor monitor the network all the time (before the program has been started) and capture it when the program is started, so that I can then take a look? Hopefully you understand it now a little bit more, hehe. Thanks

(04 Jul '13, 13:50) Metro2033

Not that I know of. You'll have to move to capturing off the target machine as I suggested above. When doing this you won't be able to get process info though.

(04 Jul '13, 14:08) grahamb ♦

Oh, I hadn't seen that second part of your message, sorry... Anyway, the program is not running from auto-start, but I will read up on Ethernet Capturing tomorrow. Do you have any other suggestions I could try tomorrow, in case this causes problems or doesn't work?

(04 Jul '13, 14:16) Metro2033

If the program doesn't auto-start then it sounds as though you should be able to control the start-up to wait for you to get a capturing program running.

If you still can't achieve that then you'll have to capture off machine using another solution such as I've suggested.

(05 Jul '13, 01:41) grahamb ♦
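The answer above makes the key point that Wireshark records packets, not processes, and suggests netstat to find the socket owner; the comments settle on getting the capture running before the program is launched. The script below is an added example, not code from this thread or from the Wireshark project, that ties the two together: it starts dumpcap, then launches the target, polls `netstat -ano` while the target starts, and joins the capture's 5-tuples with the netstat snapshots to label each flow with a PID. It assumes Windows `netstat -ano` output, dumpcap and tshark on the PATH, and a capture taken on the same host as the process; the file name `target.pcapng`, the function names, and the embedded netstat and tshark text (addresses and PIDs included) are all constructed for the example.

```python
"""Added example (not code from the original thread or from Wireshark): attribute captured
flows to local processes by starting the capture first, then launching the target, polling
`netstat -ano` (Windows) while it starts, and joining the 5-tuples with the snapshots."""
import re
import subprocess
import sys
import time
from collections import namedtuple

Flow = namedtuple("Flow", "proto local remote")  # endpoints are "ip:port" strings

# Constructed `netstat -ano` snapshot (made-up addresses and PIDs) for the offline demo.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.5:51234      93.184.216.34:443      ESTABLISHED     4120
  TCP    192.168.1.5:51235      203.0.113.7:8080       SYN_SENT        4120
  UDP    192.168.1.5:5353       *:*                                    1404
"""

# Constructed output of: tshark -r target.pcapng -T fields -E separator=/t -e ip.src -e ip.dst
#   -e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport   (one packet per line)
SAMPLE_TSHARK = (
    "192.168.1.5\t93.184.216.34\t51234\t443\t\t\n"
    "93.184.216.34\t192.168.1.5\t443\t51234\t\t\n"   # server reply, direction reversed
    "192.168.1.5\t203.0.113.7\t51235\t8080\t\t\n"
    "192.168.1.5\t224.0.0.251\t\t\t5353\t5353\n"     # mDNS from an unconnected UDP socket
    "192.168.1.5\t198.51.100.9\t51300\t25\t\t\n"     # socket closed before any netstat poll
)

NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")

def parse_netstat(text):
    """Return {Flow: pid} for every TCP/UDP socket line in `netstat -ano` output."""
    table = {}
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, local, remote, _state, pid = m.groups()
            table[Flow(proto, local, remote)] = int(pid)
    return table

def flows_from_tshark(text):
    """Turn tshark field lines into unique (proto, src, dst) tuples, in order first seen."""
    flows = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != 6 or not cols[0]:
            continue
        src, dst, tsp, tdp, usp, udp_port = cols
        proto, sp, dp = ("TCP", tsp, tdp) if tsp else ("UDP", usp, udp_port)
        flow = (proto, f"{src}:{sp}", f"{dst}:{dp}")
        if flow not in flows:
            flows.append(flow)
    return flows

def attribute(flows, snapshots):
    """Map each captured flow to a PID (None if no snapshot caught the socket).  Inbound packets
    have src/dst swapped relative to the socket's local/remote pair, so both orientations are
    tried; unconnected UDP sockets show a foreign address of *:* in netstat, tried last."""
    merged = {}
    for snap in snapshots:      # later snapshots win; start-up sockets may live only briefly
        merged.update(snap)
    owner = {}
    for proto, a, b in flows:
        candidates = [Flow(proto, a, b), Flow(proto, b, a)]
        if proto == "UDP":
            candidates += [Flow(proto, a, "*:*"), Flow(proto, b, "*:*")]
        owner[(proto, a, b)] = next((merged[c] for c in candidates if c in merged), None)
    return owner

def run_live(target_cmd, iface="1", out="target.pcapng", seconds=20, interval=0.2):
    """Capture for `seconds`, starting dumpcap BEFORE the target so its start-up burst is seen."""
    cap = subprocess.Popen(["dumpcap", "-i", iface, "-a", f"duration:{seconds + 2}", "-w", out])
    time.sleep(2)                                   # give dumpcap time to open the interface
    prog = subprocess.Popen(target_cmd)
    snapshots, deadline = [], time.time() + seconds
    while time.time() < deadline:                   # poll fast: start-up connections are short-lived
        txt = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
        snapshots.append(parse_netstat(txt))
        time.sleep(interval)
    cap.wait()
    if prog.poll() is None:
        prog.terminate()
    fields = subprocess.run(
        ["tshark", "-r", out, "-T", "fields", "-E", "separator=/t", "-e", "ip.src", "-e", "ip.dst",
         "-e", "tcp.srcport", "-e", "tcp.dstport", "-e", "udp.srcport", "-e", "udp.dstport"],
        capture_output=True, text=True).stdout
    return attribute(flows_from_tshark(fields), snapshots)

if __name__ == "__main__":
    if len(sys.argv) > 1:       # e.g. python attribute_flows.py C:\path\to\program.exe
        result = run_live(sys.argv[1:])
    else:                       # offline demo on the constructed samples above
        result = attribute(flows_from_tshark(SAMPLE_TSHARK), [parse_netstat(SAMPLE_NETSTAT)])
    for (proto, src, dst), pid in result.items():
        print(f"{proto} {src} -> {dst}: pid {pid if pid is not None else 'unknown'}")
```

Run it with no arguments to see the join on the constructed samples; with a program path it performs the live procedure the comments describe (capture first, then launch). The flow that maps to no PID shows the limitation of this approach: a socket that opens and closes between two polls is in the capture but in no snapshot, which is why the polling interval is kept short. Capturing off the machine through a SPAN or mirror port, as the answer notes, sidesteps the timing problem but gives no process information at all.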
question asked: 04 Jul '13, 13:23

question was seen: 2,475 times

last updated: 05 Jul '13, 01:41

p​o​w​e​r​e​d by O​S​Q​A