This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tracing packet to receiving or transmitting file/program

0

Is it possible to trace a packet to the source of its destination within the host machine?

AKA Packet 7642 OUTBOUND from HOST(wow.exe) to IP-ADDRESS. Packet 7643 INBOUND from IP-ADDRESS to HOST(Chrome.exe)

asked 07 Dec '13, 10:24


JourneyJay


One Answer:

0

I'm not sure I understand the question. Applications don't communicate to each other within the host via IP packets in this way unless you're talking about virtual machines within the host.

For mapping the application to packets that are leaving the host, the IP and port number (the socket) would be a good indicator. Some applications give themselves away a bit too, such as the "user agent" value in HTTP packets that indicate the browser in use. This isn't foolproof though, and the packet itself certainly wouldn't be enough to derive the executable file on the source computer that ultimately had the packet sent.

answered 07 Dec '13, 18:11


Quadratic

If the PC is capable of directing the packets to an application, then it must also be possible to figure out which application is sending/receiving the information. You did not answer my question.

HOST = "Your IP"

(07 Dec '13, 23:18) JourneyJay

Wireshark can't (currently) do that, but Message Analyzer (formerly Network Monitor) from Microsoft can.

(08 Dec '13, 05:03) grahamb ♦

JourneyJay, the host recognizes the IP packet as belonging to a given TCP or UDP port that an application is listening on. The host knows its own state information for what applications have what sessions running on what ports, and so when it gets an IP packet for destination port 80 (for example), and if it's a web server, it would pass that to the web server application that is "listening" on that port.

In order to look at a packet on its own and definitively say what program is using it on the host, you need to have the awareness of that computer's operating system, not just the packet.

In that example, is the computer running Apache or Microsoft IIS? Both would normally expect to see new TCP sessions built on port 80 for client HTTP requests, and Wireshark can surmise that port 80 should call the HTTP dissector, but with that IP packet there is no way to drill down into the operating system of the receiver of the packet to say what application is listening on that port.

(08 Dec '13, 09:16) Quadratic
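The point made above is that attribution needs the host's own socket state, not just the packet. As an added example (not code from the thread or from Wireshark), the script below joins a packet's TCP 4-tuple against a constructed snapshot of a Linux `ss -tanp` socket table to recover the owning process; the same join works against Windows `netstat -bano` output with a different parser. The sample table, addresses and PIDs are all made up.

```python
import re
from collections import namedtuple

Socket = namedtuple("Socket", "state local_ip local_port peer_ip peer_port pid comm")

# Constructed sample of `ss -tanp` output (Linux TCP socket table); not a real host.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port  Process
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*          users:(("nginx",pid=1234,fd=6))
ESTAB  0      0      192.0.2.10:52314   203.0.113.5:443    users:(("chrome",pid=4321,fd=88))
ESTAB  0      0      192.0.2.10:80      198.51.100.7:40212 users:(("nginx",pid=1234,fd=9))
"""
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

def _port(text):
    return int(text) if text.isdigit() else None  # "*" on listening sockets

def parse_ss(text):
    """Turn `ss -tanp` lines into Socket records (one per line that names a process)."""
    sockets = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        m = PROC_RE.search(line)
        if len(fields) < 6 or not m:
            continue
        lip, lport = fields[3].rsplit(":", 1)
        pip, pport = fields[4].rsplit(":", 1)
        sockets.append(Socket(fields[0], lip, _port(lport), pip, _port(pport),
                              int(m.group(2)), m.group(1)))
    return sockets

def attribute(packet, sockets):
    """Map a captured TCP packet (src_ip, src_port, dst_ip, dst_port) to the local
    process owning the matching socket. Returns (comm, pid, direction), or None when
    the snapshot has no socket for that 4-tuple (e.g. the connection already closed)."""
    src_ip, src_port, dst_ip, dst_port = packet
    for s in sockets:
        if s.state == "LISTEN":
            continue
        if (s.local_ip, s.local_port, s.peer_ip, s.peer_port) == (src_ip, src_port, dst_ip, dst_port):
            return (s.comm, s.pid, "outbound")
        if (s.local_ip, s.local_port, s.peer_ip, s.peer_port) == (dst_ip, dst_port, src_ip, src_port):
            return (s.comm, s.pid, "inbound")
    # No established socket: a fresh inbound connection lands on the listener, if any.
    for s in sockets:
        if s.state == "LISTEN" and s.local_port == dst_port and s.local_ip in ("0.0.0.0", dst_ip):
            return (s.comm, s.pid, "inbound-new")
    return None

if __name__ == "__main__":
    table = parse_ss(SS_OUTPUT)
    for pkt in [("192.0.2.10", 52314, "203.0.113.5", 443), ("198.51.100.9", 41000, "192.0.2.10", 80)]:
        print(pkt, "->", attribute(pkt, table))
```

Because the socket table is a point-in-time snapshot, it has to be taken on the capturing host while the connection is alive; a packet from a session that has since closed returns None rather than a wrong process.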