[Winpcap-users] Winpcap-users Digest, Vol 64, Issue 14

shupatest shupatest shupatest at gmail.com
Tue Jul 13 10:46:00 PDT 2010


Sent from my Windows Phone

-----Original Message-----
From: winpcap-users-request at winpcap.org
Sent: Saturday, July 10, 2010 12:00 PM
To: winpcap-users at winpcap.org
Subject: Winpcap-users Digest, Vol 64, Issue 14


Send Winpcap-users mailing list submissions to
	winpcap-users at winpcap.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://www.winpcap.org/mailman/listinfo/winpcap-users
or, via email, send a message with subject or body 'help' to
	winpcap-users-request at winpcap.org

You can reach the person managing the list at
	winpcap-users-owner at winpcap.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Winpcap-users digest..."


Today's Topics:

   1. Re: using Network Monitor versus WinPCap for real time network
      usage statistics monitoring/capture? (Guy Harris)
   2. Re: using Network Monitor versus WinPCap for real time network
      usage statistics monitoring/capture? (Guy Harris)
   3. Re: using Network Monitor versus WinPCap for real time network
      usage statistics monitoring/capture? (Greg Hauptmann)
   4. Re: using Network Monitor versus WinPCap for real time network
      usage statistics monitoring/capture? (Greg Hauptmann)
   5. Re: using Network Monitor versus WinPCap for real time network
      usage statistics monitoring/capture? (Guy Harris)


----------------------------------------------------------------------

Message: 1
Date: Fri, 9 Jul 2010 16:29:40 -0700
From: Guy Harris <guy at alum.mit.edu>
Subject: Re: [Winpcap-users] using Network Monitor versus WinPCap for
	real time network usage statistics monitoring/capture?
To: winpcap-users at winpcap.org
Message-ID: <6EC3C54F-7C87-4F1B-B80D-A764FFCAF608 at alum.mit.edu>
Content-Type: text/plain; charset=us-ascii


On Jul 9, 2010, at 4:13 PM, Greg Hauptmann wrote:

> Any other ideas (noting Q1 answer) re how to monitor/track network usage on a per PC application/process basis then?   Is it perhaps an unachievable thing?

To the extent that it's achievable, you'd probably end up doing it the
same way I suspect Network Monitor does.  At least as I read the
NetMon blog:

	http://blogs.technet.com/b/netmon/archive/2008/09/17/network-monitor-3-2-has-arrived.aspx

they probably do it by looking up remote IP address/port/protocol
information in the OS's table of sockets to see what process, if any,
has that socket:

	PaulELong	7 Oct 2008 10:09 PM
	NM3.2 will poll the current state of processes when it detects UDP or
TCP traffic that has not been associated.  It's possible a process has
disappeared by the time we query the state.

	We do some caching and the timing may be further tunable, but there
may be some situations where we miss the process because it is no
longer around when we query the state.

	I'll have to play around with DNS in general, but I think there
should be some situations where it does capture DNS traffic to a
process.

	Paul

They might use the IP Helper API:

	http://msdn.microsoft.com/en-us/library/aa366073(v=VS.85).aspx

to fetch the TCP and UDP connection tables:

	http://msdn.microsoft.com/en-us/library/aa366344(v=VS.85).aspx

	http://msdn.microsoft.com/en-us/library/aa366026(v=VS.85).aspx

	http://msdn.microsoft.com/en-us/library/aa366033(v=VS.85).aspx

------------------------------

Message: 2
Date: Fri, 9 Jul 2010 18:19:28 -0700
From: Guy Harris <guy at alum.mit.edu>
Subject: Re: [Winpcap-users] using Network Monitor versus WinPCap for
	real time network usage statistics monitoring/capture?
To: winpcap-users at winpcap.org
Message-ID: <599012DF-BF29-4887-A31E-CB94578BFD21 at alum.mit.edu>
Content-Type: text/plain; charset=us-ascii


On Jul 9, 2010, at 4:29 PM, Guy Harris wrote:

> to fetch the TCP and UDP connection tables:
>
> 	http://msdn.microsoft.com/en-us/library/aa366344(v=VS.85).aspx
>
> 	http://msdn.microsoft.com/en-us/library/aa366026(v=VS.85).aspx
>
> 	http://msdn.microsoft.com/en-us/library/aa366033(v=VS.85).aspx

And

	http://msdn.microsoft.com/en-us/library/aa365928(VS.85).aspx

	http://msdn.microsoft.com/en-us/library/aa365930(VS.85).aspx



------------------------------

Message: 3
Date: Sat, 10 Jul 2010 12:26:31 +1000
From: Greg Hauptmann <greg.hauptmann.ruby at gmail.com>
Subject: Re: [Winpcap-users] using Network Monitor versus WinPCap for
	real time network usage statistics monitoring/capture?
To: winpcap-users at winpcap.org
Message-ID:
	<AANLkTinBQ5S_QAqoIfVdvo9IW5fiyxrxQzyUi-cGbJV0 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

thanks - I'll try to dig into this info

On 10 July 2010 11:19, Guy Harris <guy at alum.mit.edu> wrote:

>
> On Jul 9, 2010, at 4:29 PM, Guy Harris wrote:
>
> > to fetch the TCP and UDP connection tables:
> >
> >       http://msdn.microsoft.com/en-us/library/aa366344(v=VS.85).aspx
> >
> >       http://msdn.microsoft.com/en-us/library/aa366026(v=VS.85).aspx
> >
> >       http://msdn.microsoft.com/en-us/library/aa366033(v=VS.85).aspx
>
> And
>
>        http://msdn.microsoft.com/en-us/library/aa365928(VS.85).aspx
>
>        http://msdn.microsoft.com/en-us/library/aa365930(VS.85).aspx
>
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
>



-- 
Greg
http://blog.gregnet.org/

------------------------------

Message: 4
Date: Sat, 10 Jul 2010 20:32:35 +1000
From: Greg Hauptmann <greg.hauptmann.ruby at gmail.com>
Subject: Re: [Winpcap-users] using Network Monitor versus WinPCap for
	real time network usage statistics monitoring/capture?
To: winpcap-users at winpcap.org
Message-ID:
	<AANLkTim5T0mA9I2P8qEM02LI1LcZ9F36IingFU3hWHAc at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Having a few issues digesting the info - mind if I ask:

1) Re trying to access MIB_TCPSTATS (for GetTcpStatistics) & MIB_TCPTABLE
(for GetExtendedTcpTable) do you know how to find out where these reside on
a Windows PC (i.e. whereabouts in the MIB hierarchy)?  That is, noting I'm
running OidViewProfessional how would I navigate to these MIBs to see what
my current PC is storing in values? (i.e. to see what sort of values are in
there)

2) Re "do it by looking up remote IP address/port/protocol information in
the OS's table of sockets to see what process, if any, has that socket" - do
I assume by this you mean access the above-mentioned MIBs via use of the
above-mentioned IP Helper Functions?    I can't see from the doco how these
tables would be used to obtain per application/process network usage
figures?  It would be great if you could clarify what you mean by this in a
little more detail? i.e. what doco are you reading whereby it would give
the clarity that it is possible to get access to per application/process
network usage statistics?


thanks



On 10 July 2010 12:26, Greg Hauptmann <greg.hauptmann.ruby at gmail.com> wrote:

> thanks - I'll try to dig into this info
>
>
> On 10 July 2010 11:19, Guy Harris <guy at alum.mit.edu> wrote:
>
>>
>> On Jul 9, 2010, at 4:29 PM, Guy Harris wrote:
>>
>> > to fetch the TCP and UDP connection tables:
>> >
>> >       http://msdn.microsoft.com/en-us/library/aa366344(v=VS.85).aspx
>> >
>> >       http://msdn.microsoft.com/en-us/library/aa366026(v=VS.85).aspx
>> >
>> >       http://msdn.microsoft.com/en-us/library/aa366033(v=VS.85).aspx
>>
>> And
>>
>>        http://msdn.microsoft.com/en-us/library/aa365928(VS.85).aspx
>>
>>        http://msdn.microsoft.com/en-us/library/aa365930(VS.85).aspx
>>
>> _______________________________________________
>> Winpcap-users mailing list
>> Winpcap-users at winpcap.org
>> https://www.winpcap.org/mailman/listinfo/winpcap-users
>>
>
>
>
> --
> Greg
> http://blog.gregnet.org/
>
>
>


-- 
Greg
http://blog.gregnet.org/

------------------------------

Message: 5
Date: Sat, 10 Jul 2010 05:26:02 -0700
From: Guy Harris <guy at alum.mit.edu>
Subject: Re: [Winpcap-users] using Network Monitor versus WinPCap for
	real time network usage statistics monitoring/capture?
To: winpcap-users at winpcap.org
Message-ID: <C97CC9FF-FDF4-451A-8889-DD0718AF61FB at alum.mit.edu>
Content-Type: text/plain; charset=us-ascii


On Jul 10, 2010, at 3:32 AM, Greg Hauptmann wrote:

> Having a few issues digesting the info - mind if I ask:
>
> 1) Re trying to access MIB_TCPSTATS (for GetTcpStatistics) & MIB_TCPTABLE (for GetExtendedTcpTable) do you know how to find out where these reside on a Windows PC (i.e. whereabouts in the MIB hierarchy)?  That is, noting I'm running OidViewProfessional how would I navigate to these MIBs to see what my current PC is storing in values? (i.e. to see what sort of values are in there)

I have no idea.

> 2) Re "do it by looking up remote IP address/port/protocol information in the OS's table of sockets to see what process, if any, has that socket" - do I assume by this you mean access the above-mentioned MIBs via use of the above-mentioned IP Helper Functions?    I can't see from the doco how these tables would be used to obtain per application/process network usage figures?

I wasn't saying you'd use that to obtain per-process or
per-application network usage figures.

I was saying that you'd use that to associate particular packets with
the processes that probably sent or received those processes, and
compute the statistics yourself based on that.  That's probably what
Network Monitor does to give you statistics like that.

If all you care about are packet counts maintained by the OS, rather
than the actual packet *contents*, then either a WinPcap-based
application *or* Network Monitor might be overkill.  However, a quick
look at Task Manager in Windows XP doesn't appear to indicate that it
can show per-process network statistics, so, at least in XP, there
might not be APIs to get those statistics directly.  A quick look at
the Sysinternals site:

	http://technet.microsoft.com/en-us/sysinternals/default.aspx

didn't show any obvious app of that sort.
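
The approach Guy describes in Message 1 and Message 5 (look each packet's
address/port/protocol up in the OS socket table to find the owning process,
then tally the statistics yourself) as a worked example. This is added
illustration code, not code from the thread, from Network Monitor or from
WinPcap. On Windows the table rows would be read through the IP Helper API
(GetExtendedTcpTable / GetExtendedUdpTable with the owner-PID table classes
linked above); here the table snapshots and the packets are constructed
inline so the script runs anywhere. The re-poll-on-miss logic and the
"unassociated" bucket mirror the NetMon behaviour quoted in Message 1: the
table is polled when unknown traffic appears, and a process that has already
exited simply cannot be matched.

```python
"""Associate captured packets with owning processes via a socket-table
snapshot, then compute per-process byte counts (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

UNASSOCIATED = -1            # sentinel PID: no current socket claims the packet
WILDCARD = ("0.0.0.0", 0)    # remote side of a listener / UDP row


@dataclass(frozen=True)
class Packet:
    proto: str    # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    length: int   # bytes on the wire


@dataclass(frozen=True)
class ConnRow:
    """One socket-table row in the shape the IP Helper owner-PID tables give:
    local endpoint, remote endpoint (wildcard for listeners and for UDP rows,
    which carry no remote side) and the owning PID. Constructed here."""
    proto: str
    local: str
    lport: int
    remote: str
    rport: int
    pid: int


Key = Tuple[str, str, int, str, int]


class ProcessAssociator:
    """Maps packets to PIDs, re-polling the table once on a miss."""

    def __init__(self, poll_table: Callable[[], Iterable[ConnRow]]):
        self._poll = poll_table
        self._cache: Dict[Key, int] = {}
        self._refresh()

    def _refresh(self) -> None:
        # Re-read the whole table; a process that exited since the last poll
        # no longer has a row, so its later packets stay unassociated.
        self._cache = {(r.proto, r.local, r.lport, r.remote, r.rport): r.pid
                       for r in self._poll()}

    def _lookup(self, pkt: Packet) -> Optional[int]:
        # Try the packet as outbound (src is local) then inbound (dst is local);
        # for each, prefer an exact 5-tuple, then a wildcard-remote row.
        for local, lport, remote, rport in (
                (pkt.src, pkt.sport, pkt.dst, pkt.dport),
                (pkt.dst, pkt.dport, pkt.src, pkt.sport)):
            for rem in ((remote, rport), WILDCARD):
                pid = self._cache.get((pkt.proto, local, lport) + rem)
                if pid is not None:
                    return pid
        return None

    def pid_for(self, pkt: Packet) -> int:
        pid = self._lookup(pkt)
        if pid is None:            # unknown traffic: poll the table again
            self._refresh()
            pid = self._lookup(pkt)
        return UNASSOCIATED if pid is None else pid


def per_process_bytes(packets: Iterable[Packet],
                      poll_table: Callable[[], Iterable[ConnRow]]) -> Dict[int, int]:
    """Sum packet lengths per owning PID (UNASSOCIATED collects the misses)."""
    assoc = ProcessAssociator(poll_table)
    totals: Dict[int, int] = defaultdict(int)
    for p in packets:
        totals[assoc.pid_for(p)] += p.length
    return dict(totals)


# Constructed table snapshots: the first poll, then the state after a re-poll
# (PID 9999 has opened a new connection; nothing ever claims port 49154).
SNAPSHOTS: List[List[ConnRow]] = [
    [ConnRow("TCP", "192.168.1.10", 49152, "93.184.216.34", 443, 1234),
     ConnRow("UDP", "192.168.1.10", 54321, *WILDCARD, 5678),
     ConnRow("TCP", "192.168.1.10", 445, *WILDCARD, 4)],
    [ConnRow("TCP", "192.168.1.10", 49152, "93.184.216.34", 443, 1234),
     ConnRow("UDP", "192.168.1.10", 54321, *WILDCARD, 5678),
     ConnRow("TCP", "192.168.1.10", 445, *WILDCARD, 4),
     ConnRow("TCP", "192.168.1.10", 49153, "203.0.113.5", 80, 9999)],
]


def make_poller(snapshots: List[List[ConnRow]]) -> Callable[[], List[ConnRow]]:
    """Stand-in for the real table call: returns successive snapshots, then
    keeps returning the last one."""
    it = iter(snapshots)
    last: List[ConnRow] = []

    def poll() -> List[ConnRow]:
        nonlocal last
        last = next(it, last)
        return last
    return poll


# Constructed capture: TLS in both directions, a DNS query/reply, a connection
# only visible after a re-poll, and one from a process that is already gone.
PACKETS = [
    Packet("TCP", "192.168.1.10", 49152, "93.184.216.34", 443, 517),
    Packet("TCP", "93.184.216.34", 443, "192.168.1.10", 49152, 1460),
    Packet("UDP", "192.168.1.10", 54321, "192.168.1.1", 53, 72),
    Packet("UDP", "192.168.1.1", 53, "192.168.1.10", 54321, 120),
    Packet("TCP", "192.168.1.10", 49153, "203.0.113.5", 80, 300),
    Packet("TCP", "192.168.1.10", 49154, "203.0.113.7", 80, 200),
]

if __name__ == "__main__":
    for pid, n in sorted(per_process_bytes(PACKETS, make_poller(SNAPSHOTS)).items()):
        label = "unassociated" if pid == UNASSOCIATED else f"pid {pid}"
        print(f"{label:>14}: {n} bytes")
```

Run it as-is to see the per-PID totals. The one-shot re-poll is the main
tuning knob: polling on every miss is exact but costly under a flood of
unmatched traffic, while a longer cache lifetime widens the window in which
a short-lived process's packets land in the unassociated bucket, which is
exactly the gap the NetMon post admits to.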

	

------------------------------

_______________________________________________
Winpcap-users mailing list
Winpcap-users at winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users


End of Winpcap-users Digest, Vol 64, Issue 14
*********************************************

