This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to capture traffic for a specific program?

2

If I suspect a certain program or programs is a keylogger, can I capture just the packets going in and out of that program? Or possibly select multiple programs and capture only data coming to/from them?

I don't know if it's possible for programs to use your browser to transfer data. Is it possible? So maybe it won't help much, but I'd like to get some info on that.

Thanks in advance

asked 26 Apr '11, 12:02

fiftyeight
accept rate: 0%


2 Answers:

3

You might be able to achieve close to what you want by first using something like netstat to find the source and destination IP:port pairs that the program of interest is using. On Windows (with cygwin installed for grep), the following should produce some useful output:

netstat -bn | grep -B 1 <program>

... where <program> should be substituted for the actual program name of interest.

Keep in mind though that netstat will only give you a snapshot of connections at the time the command was run.

answered 26 Apr '11, 16:30

cmaynard ♦♦
accept rate: 20%

On Ubuntu/Linux, that was sudo netstat -n --program|grep <program> for me.

(04 Jul '14, 01:35) Vics
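As an added example that is not part of any answer above: the snapshot-to-capture-filter step done mechanically. It assumes the Linux `netstat -n --program` column layout from the comment (last column is PID/name, fifth column is the foreign address), feeds in constructed sample rows, and emits a BPF filter that Wireshark or tcpdump can use as a capture filter for just that program's peers. Windows `netstat -bn` puts the program name on its own line, so this parser would need adjusting there.

```shell
# Constructed sample of Linux `netstat -n --program` output (not real data).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.10:49152      203.0.113.5:443         ESTABLISHED 1234/suspect
tcp        0      0 192.168.1.10:49153      198.51.100.7:8080       ESTABLISHED 1234/suspect
tcp        0      0 192.168.1.10:49154      203.0.113.5:443         TIME_WAIT   1234/suspect
tcp        0      0 192.168.1.10:49200      93.184.216.34:443       ESTABLISHED 2222/browser
udp        0      0 0.0.0.0:68              0.0.0.0:*                           777/dhclient'

# bpf_for_program NAME   (netstat output on stdin)
# Prints one BPF capture filter covering every distinct remote endpoint the
# named program currently has open, e.g. "(host A and port P) or (host B and port Q)".
# Prints nothing if the program has no connections in the snapshot.
bpf_for_program() {
  awk -v prog="$1" '
    # last field is PID/name; keep rows for our program that have a concrete peer
    $NF ~ ("/" prog "$") && $5 !~ /\*$/ {
      # split on the LAST colon so an IPv6 peer such as ::1:443 still parses
      i = match($5, /:[^:]*$/)
      term = "(host " substr($5, 1, i - 1) " and port " substr($5, i + 1) ")"
      if (!(term in seen)) { seen[term] = 1; terms[++n] = term }
    }
    END {
      for (j = 1; j <= n; j++) printf "%s%s", (j > 1 ? " or " : ""), terms[j]
      if (n) printf "\n"
    }'
}

# Demo: build the filter for the suspect process from the sample snapshot.
# On a live box you would pipe `sudo netstat -n --program` in instead and then run
#   tcpdump -i eth0 "$(sudo netstat -n --program | bpf_for_program suspect)"
# Remember the caveat above: this is a snapshot, so re-run it as connections change.
printf '%s\n' "$SAMPLE_NETSTAT" | bpf_for_program suspect
```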

1

On windows you can use Netmon which can categorize traffic by application.

answered 26 Apr '11, 23:32

SYN-bit ♦♦
accept rate: 20%

It indeed shows the processes and seems like a good program; the problem is it doesn't show the process's path. Is there a way to do it?

(27 Apr '11, 07:28) fiftyeight
1

Good point Sake. And that reminds me - there is a bug filed in Wireshark's bugzilla, bug 1184, to add this capability to Wireshark. Gerald did some early work on this way back in 2001, but it hasn't received any TLC since then.

(27 Apr '11, 07:30) cmaynard ♦♦

@fiftyeight, I haven't used netmon in a long time, so I don't know if it can provide the process' path or not, but in a pinch, maybe something like netstat -bnv will help you?

(27 Apr '11, 07:53) cmaynard ♦♦

Well, I don't think you can show the full path in Netmon itself, but next to the executable name there is the process ID in parentheses. If you add the columns "PID" and "Image Path Name" to your Task Manager Processes list, you're all set to look up the path of the executable.

(27 Apr '11, 08:18) SYN-bit ♦♦
1

You might also try using Process Explorer in addition to or instead of Task Manager. There's also Process Monitor.

(27 Apr '11, 08:31) cmaynard ♦♦

I guess a combination of all these can do the job, but for some reason netstat, and also TCPView and CurrPorts which I have tried, list some processes as unknown and I don't really understand why. I guess I'll need to do some more research.

I also found a program called SocketSniff that seems to monitor the data coming out of a specific process.

The answers here have been great, thanks a lot!

(27 Apr '11, 12:39) fiftyeight

@cmaynard repeated your answer here. http://askubuntu.com/a/573943/368900

(14 Jan '15, 20:42) jtmoon1979