This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Start program through Sandbox and watch traffic made by it

0

Hi,

I would like to check which connections a program made and to where, but I have problems setting Wireshark up. HTTP-only connections aren't enough; I want to see if it does more than that.

I don't even know where to see which program generated specific traffic in Wireshark, so I would really appreciate help. Although I have known about Wireshark for months and have used it a few times, I'm not a pro at it.

Greetings

asked 04 Jul '13, 13:23


Metro2033
accept rate: 0%


If you start the program in a sandbox, why do you need Wireshark? The sandbox tool should tell you all connections opened by the program.

(04 Jul '13, 14:55) Kurt Knochner ♦

One Answer:

2

Wireshark does not have the capability to show which process generated traffic, it can only capture the traffic.

If you're running on Windows, Network Monitor from MS can show the process involved with the traffic.

The command line program netstat and the appropriate options for your OS can show which process is using current socket connections.

answered 04 Jul '13, 13:35


grahamb ♦
accept rate: 22%

Thanks a lot for your fast reply... Well, alright. Can Network Monitor also show the captured traffic of a program "before it even starts"? Since the program is generating the most traffic while starting, I'm not fast enough to catch it and then show the traffic.

(04 Jul '13, 13:40) Metro2033

What do you mean by "before it even start"? Network Monitor (and Wireshark) will capture traffic from the point at which you ask it to start capturing. If this is after a program has started sending traffic, then that traffic won't be captured, only traffic after the start of capture.

If the program runs at system start-up then you will have to look at capturing off the local machine, e.g. by using the port-mirroring or span option of a switch connected to the target host and another machine running the capture. See the Ethernet Capturing Setup page on the Wiki for more info.

(04 Jul '13, 13:46) grahamb ♦

Well, since the program connects to whatever it does very fast and right when it starts, it's hard to make Network Monitor only show traffic made by this program. Can Network Monitor monitor the network all the time (before the program has been started) and, when the program is started, capture it so that I can then take a look? Hopefully you understand it now a little bit more, hehe. Thanks

(04 Jul '13, 13:50) Metro2033

Not that I know of. You'll have to move to capturing off the target machine as I suggested above. When doing this you won't be able to get process info though.

(04 Jul '13, 14:08) grahamb ♦

Oh, I haven't seen that second part of your message, sorry... Anyway, the program is not running from auto-start, but I will read into Ethernet Capturing tomorrow. Do you have any other suggestions I could try tomorrow, in case this causes problems / doesn't work?

(04 Jul '13, 14:16) Metro2033

If the program doesn't auto-start then it sounds as though you should be able to control the start-up to wait for you to get a capturing program running.

If you still can't achieve that then you'll have to capture off the machine using another solution such as the one I've suggested.

(05 Jul '13, 01:41) grahamb ♦
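As an added example, not code from this thread or from the Wireshark or Network Monitor projects: a Python sketch of the netstat approach grahamb suggests, joining polled `netstat -bno` snapshots (Windows format; the snapshot and the packet list below are constructed samples) with captured packets on (protocol, local port), so that traffic Wireshark cannot attribute on its own can be tied back to a process. Polling netstat in a loop before the program is launched, and merging each snapshot into the same table, covers the start-up connections discussed in the comments.

```python
import re

# Constructed sample of `netstat -bno` output (Windows); not captured from a real host.
NETSTAT_SNAPSHOT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49715     203.0.113.10:443       ESTABLISHED     4120
 [updater.exe]
  TCP    192.168.1.20:49716     198.51.100.7:80        SYN_SENT        4120
 [updater.exe]
  UDP    192.168.1.20:53211     *:*                                    1088
 [svchost.exe]
"""

# Constructed packets as exported from a capture: (proto, src, sport, dst, dport).
PACKETS = [
    ("TCP", "192.168.1.20", 49715, "203.0.113.10", 443),
    ("TCP", "203.0.113.10", 443, "192.168.1.20", 49715),
    ("UDP", "192.168.1.20", 53211, "192.168.1.1", 53),
    ("TCP", "192.168.1.20", 50000, "192.0.2.9", 8080),  # socket closed before any snapshot
]

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
PROC_RE = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_netstat(text, table=None):
    """Map (proto, local_port) -> (pid, image). Pass an existing table to merge
    snapshots taken while polling netstat before the program is started."""
    table = {} if table is None else table
    pending = []  # socket rows waiting for the [image.exe] line that follows them
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, _ip, lport, _remote, _state, pid = m.groups()
            pending.append((proto, int(lport), int(pid)))
            continue
        m = PROC_RE.match(line)
        if m:
            for proto, lport, pid in pending:
                table[(proto, lport)] = (pid, m.group(1))
            pending = []
    return table

def attribute(packets, table, local_ip):
    """Pair each packet with the owning image (None if netstat never saw the socket)."""
    out = []
    for pkt in packets:
        proto, src, sport, _dst, dport = pkt
        lport = sport if src == local_ip else dport  # the capturing host's side of the flow
        out.append((table.get((proto, lport), (None, None))[1], pkt))
    return out
```

A socket that opens and closes between two snapshots stays unattributed (the last packet above), so poll as fast as the host allows and treat a None as "short-lived connection", not "no process".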