Already you're thinking, did I read that right? The answer is nope, you absolutely can capture by Windows process, just not with Windump or Wireshark. A while back I wrote a short diary about using NETSH to capture packets (https://isc.sans.edu/diary/19409), and this story builds on that one.
A quick recap – to capture packets using NETSH, for a basic capture you'd do something like:
netsh trace start capture=yes tracefile=c:\temp\trace.etl
Then to stop the capture, execute:
netsh trace stop
Before we proceed, get the process details for the app you are trying to track. Something as simple as:
tasklist > tasklist.out
will give you the list of Windows processes and their process IDs.
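The start / stop / tasklist steps above, wrapped in one PowerShell function as an added example (this is not code from the diary). It assumes an elevated PowerShell on Windows 8 / Server 2012 or later (for Get-NetTCPConnection); the function name, output folder and file names are my own choices.

```powershell
# Added example (not from the diary): wrap the netsh trace start/stop steps in PowerShell
# and record which PID belonged to which process while the trace ran. A PID is only
# unique at a moment in time and gets reused, so snapshots taken at capture start and
# end are what let you trust the Process ID column in Message Analyzer later.
# Assumptions: elevated PowerShell, Windows 8 / Server 2012 or later (Get-NetTCPConnection),
# and an output folder without spaces in its path (netsh is picky about quoting).

function Start-ProcessAwareTrace {
    param(
        [string]$OutDir = (Join-Path $env:TEMP 'nettrace'),  # where the .etl and CSVs go
        [int]$Seconds = 60,                                  # how long to capture
        [int]$MaxSizeMB = 250                                # netsh trace ring-buffer limit
    )
    if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $etl   = Join-Path $OutDir "trace-$stamp.etl"

    # Snapshot helper: process name, PID, image path, plus the TCP endpoints each PID owns.
    function Save-Snapshot([string]$Tag) {
        Get-Process | Select-Object Name, Id, Path |
            Export-Csv (Join-Path $OutDir "procs-$stamp-$Tag.csv") -NoTypeInformation
        Get-NetTCPConnection |
            Select-Object OwningProcess, LocalAddress, LocalPort, RemoteAddress, RemotePort, State |
            Export-Csv (Join-Path $OutDir "tcp-$stamp-$Tag.csv") -NoTypeInformation
    }

    Save-Snapshot 'start'
    # Same command as the diary's basic capture, plus a size cap and report=no so that
    # stopping the trace does not also build the slow diagnostic CAB report.
    netsh trace start capture=yes tracefile=$etl maxSize=$MaxSizeMB overwrite=yes report=no
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }
    try {
        Start-Sleep -Seconds $Seconds
    }
    finally {
        netsh trace stop   # always stop, even if the wait is interrupted with Ctrl+C
        Save-Snapshot 'end'
    }
    return $etl
}

# Usage: capture for two minutes, then open the returned .etl in Message Analyzer and
# check its Process ID column against procs-*-start.csv and procs-*-end.csv.
# Start-ProcessAwareTrace -Seconds 120
```

A PID that maps to different process names in the start and end snapshots was reused during the capture, so filter those messages by time as well as by Process ID.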
You can get much more detail from Sysinternals tools like Process Monitor, or better yet, Process Explorer.
In this case I'm chasing the packets from Cisco's AnyConnect VPN client. In the Process Explorer screenshot above, the associated processes are mixed in with those from the legacy IPSEC VPN client. This is easy enough to filter out in Wireshark if you know what the process does, but what you are looking for in a lot of cases is what else the process is doing. Is it phoning home for updates? Is it phoning home to share information that you don't want shared? For a VPN client you know what you are connecting to (so that part is easy to filter if you were using Wireshark), but what else is it doing?
On to analyzing the captured data by application or process. Instead of exporting the whole works to pcap format, open the NETSH output in Microsoft Message Analyzer, Microsoft ...
The right hand pane looks pretty familiar, complete with a network tuple style filter at the top. The left hand pane however is where we're looking today. That's what I call the "filter by other stuff" window. Let's trim the criteria down to the Process Name and Process ID (or you could just pick one or the other, it comes to the same thing since each process name has a unique process number).
Now, pick the target application, and the associated messages will appear in the right hand pane. Wait, messages? Yes, what you'll see in the right hand pane is a mix of packets in and out of the application, as well as the Windows Events that are generated by the application – bet you weren't ...
If you click on a message, you ...
You see in the screenshot below that each packet is broken up hierarchically like you'd expect – my VPN traffic is fully represented, right down to the 802.11 wireless frames that are associated with the application. In OSI speak, as you click on each layer in the packet or frame, you ...
And as you'd expect, clicking any of the layers ...
Want to export to pcap format? You can write a filter for the display window, or simply highlight a number of records, then choose File / Save As / Export. I found that it was pretty easy to confuse the export process – a few null content files got me past this, it does work nicely. Just don't ...
Then simply open the resulting CAP file in Wireshark or whatever, analyze the pcap ...
This is a very basic example – I'm just starting with Message Analyzer. There seems to be no end to how deep you can dig into the data with this tool though, and the interface is pretty straightforward – call me crazy, but for some things I might end up preferring it over Wireshark! Though my CLI bias is still firmly in place – TCPDump and other CLI/scripting tools are still my solid go-to once there's more than a few thousand packets.
Next chance I get I'm digging into how PowerShell can be used to work some automation goodness into this process. More on this here:
https://technet.microsoft.com/en-us/library/dn456518(v=wps.630).aspx
https://blogs.technet.microsoft.com/messageanalyzer/2013/10/29/using-powershell-to-automate-tracing/
Lots of MS Message Analyzer tidbits can be found at: https://blogs.technet.microsoft.com/messageanalyzer
Have you done something way cool with Message Analyzer? Please, share using our comment form!
===============
Rob VandenBrink
Compugen
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.