This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Trying to identify the source of some traffic

Hi there.

I'm trying to use Wireshark to identify whatever software is behind some traffic on my PC. Unfortunately, while I've identified some likely packets, I know virtually nothing about how to read them. I can't see anything immediately obvious, so can someone tell me how, if it's even possible?

A little background: I have another PC on my home LAN which is acting as a media centre and network storage. I want it to go to sleep whenever it's not busy, but I also want it to wake on LAN whenever the other computers in the house need to access it. At the moment, it's set to sleep after 10 minutes, but when any of the other computers in the house are turned on, the media PC tends to be woken up almost immediately after going to sleep - typically between 30 seconds and 2 minutes. I want to find out what software or function is causing the other PCs to wake the media PC so that I can stop it from happening so often.

I've watched the media PC wake from sleep and then looked for packets sent to that PC at the same time as it woke up. I've got four particular packets which I guess are responsible for the wakeup: looking in the Info field in Wireshark, they're all the same, apart from the source port. Here's an example:

50666 > wsdapi [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1

I'm assuming that there isn't enough information in the info field to tell me what's actually sending the packet. I've looked through the full details for one of these packets and I don't recognise anything in it as the originating software, but as I said, I don't know enough to know what I'm looking for, if it's even in there.

Can someone please advise me? Is it possible to identify the software sending these wake-up packets? If so, how? I've saved one of the capture files, so I assume that I can strip out the four packets I've flagged and post them in here if that's useful.

Thanks in advance,

Neil.

asked 21 Jul '13, 10:34

NJMorf

If you can access the sending device e.g. another PC simply go for netstat in a console window like cmd.exe under Windows.

Netstat can show the associated Process ID for the network sessions, especially for TCP connections. Just look up the port numbers there and then you have at least the process initiating the connection you're looking for.

(21 Jul '13, 12:33) Landi

OK, thanks, I'll try that too.

(21 Jul '13, 13:36) NJMorf

One Answer:

Wireshark can't (at present) identify which process is transmitting traffic, so only using Wireshark you would have to identify the process from inspecting the traffic.

The (minimal) traffic details you have posted show the process is attempting to open a connection (the SYN) to the NAS. The destination port is the one used for wsdapi, a protocol used for accessing printers and file shares, so you might be on the right track.

Network Monitor from Microsoft can associate the traffic with the sending process, so using that would help you somewhat, but I think it likely that the traffic will be coming from a system process and thus from a 'host' process that is home to a few services.

answered 21 Jul '13, 10:55

grahamb ♦

OK, thanks for the pointers. I've installed Network Monitor, I'll see what it can tell me.

(21 Jul '13, 12:46) NJMorf
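The netstat lookup suggested in Landi's comment and the "host process" point in grahamb's answer can be tied together in a short script. This is an added example, not code from the thread: it parses the text output of two standard Windows commands, `netstat -ano` (which lists each socket with its owning PID) and `tasklist /svc` (which lists the services hosted by each process), then looks up the PID behind a connection by the source port Wireshark showed (50666 in the question) and the destination port (5357, the port Wireshark's service-name table labels wsdapi). The command output embedded below is constructed sample data; the addresses, PIDs and service names in it are invented placeholders.

```python
"""Map a source port seen in a Wireshark capture to the local process that
owns it, using the text output of `netstat -ano` and `tasklist /svc`.

Added example for the thread above, not part of the original post.
The sample command output is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `netstat -ano` output. Port 5357 is the port
# Wireshark names "wsdapi"; the hosts and PIDs are invented.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:50666     192.168.1.20:5357      SYN_SENT        1234
  TCP    192.168.1.10:50667     192.168.1.20:5357      ESTABLISHED     1234
  TCP    192.168.1.10:49152     10.0.0.5:443           ESTABLISHED     4321
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  UDP    0.0.0.0:3702           *:*                                    1234
"""

# Constructed sample of `tasklist /svc` output; service names are placeholders.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1234 ExampleSvcA, ExampleSvcB
browser.exe                   4321 N/A
"""


@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: Optional[int]  # None for the "*:*" foreign address on UDP
    state: str                  # empty for UDP rows, which carry no state
    pid: int


# One netstat row: proto, local ip:port, foreign ip:port, optional state, PID.
_NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(?:(\S+)\s+)?(\d+)\s*$"
)
# One tasklist row: image name, PID, comma-separated services or N/A.
_TASKLIST_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")


def parse_netstat(text: str) -> list[Conn]:
    """Parse `netstat -ano` output; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state, pid = m.groups()
        conns.append(Conn(proto, lip, int(lport), rip,
                          None if rport == "*" else int(rport),
                          state or "", int(pid)))
    return conns


def parse_tasklist(text: str) -> dict[int, tuple[str, list[str]]]:
    """Parse `tasklist /svc` output into {pid: (image name, [services])}."""
    procs = {}
    for line in text.splitlines():
        m = _TASKLIST_RE.match(line)
        if not m:
            continue
        image, pid, services = m.groups()
        svcs = [] if services.strip() == "N/A" else \
            [s.strip() for s in services.split(",")]
        procs[int(pid)] = (image, svcs)
    return procs


def find_sender(conns: list[Conn], local_port: int,
                remote_port: Optional[int] = None) -> Optional[int]:
    """PID owning the TCP socket whose source port matches the capture.

    The source port in Wireshark's Info column (e.g. 50666 in
    '50666 > wsdapi [SYN]') is the *local* port in netstat's listing.
    """
    for c in conns:
        if (c.proto == "TCP" and c.local_port == local_port
                and (remote_port is None or c.remote_port == remote_port)):
            return c.pid
    return None


def pids_talking_to(conns: list[Conn], remote_port: int) -> list[int]:
    """All PIDs with any socket towards the given remote port, sorted."""
    return sorted({c.pid for c in conns if c.remote_port == remote_port})


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    procs = parse_tasklist(TASKLIST_SAMPLE)
    pid = find_sender(conns, 50666, 5357)
    image, services = procs.get(pid, ("<unknown>", []))
    print(f"port 50666 -> PID {pid} ({image}), services: {services}")
```

Two practical points when running this against real output: the ephemeral source port is different for every connection and the SYN_SENT state lasts milliseconds, so `netstat -ano` has to be captured while the connection exists (run it in a loop, or run `netstat -anob` as administrator to get the image name directly); and, as the answer notes, if the PID resolves to `svchost.exe`, the `tasklist /svc` column is what narrows it down to one of the hosted services rather than the host process itself.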