[Winpcap-users] using Network Monitor versus WinPCap for real time network usage statistics monitoring/capture?
Guy Harris
guy at alum.mit.edu
Fri Jul 9 16:29:40 PDT 2010
On Jul 9, 2010, at 4:13 PM, Greg Hauptmann wrote:
> Any other ideas (noting Q1 answer) re how to monitor/track network usage on a per PC application/process basis then? Is it perhaps an unachievable thing?
To the extent that it's achievable, you'd probably end up doing it the same way I suspect Network Monitor does. At least as I read the NetMon blog:
http://blogs.technet.com/b/netmon/archive/2008/09/17/network-monitor-3-2-has-arrived.aspx
they probably do it by looking up remote IP address/port/protocol information in the OS's table of sockets to see what process, if any, has that socket:
PaulELong 7 Oct 2008 10:09 PM
NM3.2 will poll the current state of processes when it detects UDP or TCP traffic that has not been associated. It's possible a process has disappeared by the time we query the state.
We do some caching and the timing may be further tunable, but there may be some situations where we miss the process because it is no longer around when we query the state.
I'll have to play around with DNS in general, but I think there should be some situations where it does capture DNS traffic to a process.
Paul
They might use the IP Helper API:
http://msdn.microsoft.com/en-us/library/aa366073(v=VS.85).aspx
to fetch the TCP and UDP connection tables:
http://msdn.microsoft.com/en-us/library/aa366344(v=VS.85).aspx
http://msdn.microsoft.com/en-us/library/aa366026(v=VS.85).aspx
http://msdn.microsoft.com/en-us/library/aa366033(v=VS.85).aspx
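The approach sketched above, as an added example that is not code from this post, from WinPcap or from Network Monitor: a captured packet's protocol, addresses and ports are matched against a snapshot of the OS socket table, results are cached, and the table is re-polled once when a packet arrives that has not been associated yet. The `iphelper_socket_table` reader calls IP Helper's `GetExtendedTcpTable` and `GetExtendedUdpTable` through ctypes and is Windows-only (an assumption, not exercised here); every other name, and the sample table, is constructed for this example.

```python
"""Map captured TCP/UDP packets to the owning process via the OS socket table."""
import ctypes
import socket
import struct
import sys
from collections import namedtuple

# One socket-table row. For UDP and for listening TCP sockets the remote side
# is the wildcard 0.0.0.0:0, which is also how the IP Helper tables report it.
SocketRow = namedtuple("SocketRow", "proto local_ip local_port remote_ip remote_port pid")
WILDCARD = ("0.0.0.0", 0)


def _ipv4(dword):
    # IP Helper stores IPv4 addresses as DWORDs in network byte order; repacking
    # the value in memory order recovers the four address bytes.
    return socket.inet_ntoa(struct.pack("<L", dword))


def _port(dword):
    # Port is in network byte order in the low 16 bits of the DWORD.
    return socket.ntohs(dword & 0xFFFF)


def iphelper_socket_table():
    """Fetch IPv4 TCP and UDP rows with owning PIDs (Windows only; untested assumption)."""
    iphlpapi = ctypes.WinDLL("iphlpapi")
    AF_INET, TCP_TABLE_OWNER_PID_ALL, UDP_TABLE_OWNER_PID = 2, 5, 1
    rows = []
    for fn, cls, fmt, proto in (
        (iphlpapi.GetExtendedTcpTable, TCP_TABLE_OWNER_PID_ALL, "<6L", "tcp"),
        (iphlpapi.GetExtendedUdpTable, UDP_TABLE_OWNER_PID, "<3L", "udp"),
    ):
        size = ctypes.c_ulong(0)
        fn(None, ctypes.byref(size), False, AF_INET, cls, 0)  # size query
        buf = ctypes.create_string_buffer(size.value)
        rc = fn(buf, ctypes.byref(size), False, AF_INET, cls, 0)
        if rc != 0:
            raise ctypes.WinError(rc)
        (count,) = struct.unpack_from("<L", buf, 0)  # dwNumEntries
        off = 4
        for _ in range(count):
            fields = struct.unpack_from(fmt, buf, off)
            off += struct.calcsize(fmt)
            if proto == "tcp":  # MIB_TCPROW_OWNER_PID: state, laddr, lport, raddr, rport, pid
                _state, la, lp, ra, rp, pid = fields
                rows.append(SocketRow("tcp", _ipv4(la), _port(lp), _ipv4(ra), _port(rp), pid))
            else:  # MIB_UDPROW_OWNER_PID: laddr, lport, pid
                la, lp, pid = fields
                rows.append(SocketRow("udp", _ipv4(la), _port(lp), *WILDCARD, pid))
    return rows


class ProcessResolver:
    """Associate packets with PIDs; cache hits, and re-poll the table once on a miss."""

    def __init__(self, provider=iphelper_socket_table):
        self._provider = provider
        self._cache = {}  # (proto, local_ip, local_port, remote_ip, remote_port) -> pid

    def _refresh(self):
        for r in self._provider():
            self._cache[(r.proto, r.local_ip, r.local_port, r.remote_ip, r.remote_port)] = r.pid

    @staticmethod
    def _candidates(proto, src_ip, src_port, dst_ip, dst_port):
        # A captured packet does not say which end is local, so try both
        # orientations, then local-only keys (UDP, TCP listeners, INADDR_ANY binds).
        yield (proto, src_ip, src_port, dst_ip, dst_port)
        yield (proto, dst_ip, dst_port, src_ip, src_port)
        for ip, port in ((src_ip, src_port), (dst_ip, dst_port), ("0.0.0.0", src_port), ("0.0.0.0", dst_port)):
            yield (proto, ip, port) + WILDCARD

    def resolve(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Return the owning PID, or None if the socket was gone before we polled."""
        keys = list(self._candidates(proto, src_ip, src_port, dst_ip, dst_port))
        for attempt in range(2):
            for k in keys:
                if k in self._cache:
                    return self._cache[k]
            if attempt == 0:
                self._refresh()  # unassociated traffic: poll the live table once
        return None


def sample_table():
    """Constructed socket table for running this example off Windows."""
    return [SocketRow("tcp", "10.0.0.5", 51000, "93.184.216.34", 443, 4242),
            SocketRow("udp", "0.0.0.0", 53, "0.0.0.0", 0, 700)]


if __name__ == "__main__":
    resolver = ProcessResolver(iphelper_socket_table if sys.platform == "win32" else sample_table)
    print(resolver.resolve("tcp", "93.184.216.34", 443, "10.0.0.5", 51000))
```

The cache is what lets late packets of a flow still resolve after the process has exited, which is the trade-off the quoted comment describes: a packet from a socket that closed before the first poll returns `None`, and a stale cache entry can misattribute a reused local port, so a real monitor would expire entries after some time.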