[Winpcap-users] using Network Monitor versus WinPCap for real time network usage statistics monitoring/capture?
Greg Hauptmann
greg.hauptmann.ruby at gmail.com
Thu Jul 15 22:35:26 PDT 2010
On 10 July 2010 22:26, Guy Harris <guy at alum.mit.edu> wrote:
>
>> 2) Re "do it by looking up remote IP address/port/protocol information in the OS's table of sockets to see what process, if any, has that socket" - do I assume by this you mean access the above-mentioned MIBs via use of the above-mentioned IP Helper Functions? I can't see from the doco how these tables would be used to obtain per application/process network usage figures?
>
> I wasn't saying you'd use that to obtain per-process or per-application network usage figures.
>
> I was saying that you'd use that to associate particular packets with the processes that probably sent or received those processes, and compute the statistics yourself based on that. That's probably what Network Monitor does to give you statistics like that.
How's this as a best guess to how one would do the correlation?
(haven't coded it to try yet)
* From the packet captured, get the source & destination IP address
and TCP ports
* Iterate through the rows from IP Helper "GetTcpTable" until you find
a match for all 4 (four) source & destination IP address and ports
numbers
Any comments re whether this would be the most robust way to do the
correlation? I'm guessing that you'd have to be doing the
correlation in real time to ensure the TcpTable entry didn't drop
away?
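One way to code the correlation sketched above, as an added example that is not from the list post or from the WinPcap project: it matches a captured 4-tuple against owner-PID TCP rows in both orientations, because the table lists each socket as (local, remote) while a captured packet is (src, dst) and may be travelling either way. The `snapshot_tcp_table` helper compiles only on Windows against the real `GetExtendedTcpTable`; the `be32`/`be16` helpers and the sample table in `demo_inbound_match` are constructed assumptions so the matching logic can run offline.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* One TCP-table row as MIB_TCPROW_OWNER_PID presents it: addresses in network
 * byte order, ports in network byte order in the low 16 bits of a DWORD. */
typedef struct { uint32_t laddr, lport, raddr, rport, pid; } tcp_row;
/* A captured packet's 4-tuple, copied straight from the IP/TCP headers. */
typedef struct { uint32_t saddr, daddr; uint16_t sport, dport; } pkt_tuple;

/* Returns the owning PID, or 0 if no row matches. Both orientations are tried:
 * outbound when (src,dst)==(local,remote), inbound when (src,dst)==(remote,local).
 * 0 also covers the race in the post: a connection already gone from the table. */
uint32_t lookup_pid(const pkt_tuple *p, const tcp_row *t, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint16_t lp = (uint16_t)t[i].lport, rp = (uint16_t)t[i].rport;
        int outbound = t[i].laddr == p->saddr && lp == p->sport &&
                       t[i].raddr == p->daddr && rp == p->dport;
        int inbound  = t[i].laddr == p->daddr && lp == p->dport &&
                       t[i].raddr == p->saddr && rp == p->sport;
        if (outbound || inbound) return t[i].pid;
    }
    return 0;
}

#ifdef _WIN32
#include <winsock2.h>
#include <iphlpapi.h>
/* Snapshot the live IPv4 table (all states) into out[]; returns rows copied. */
size_t snapshot_tcp_table(tcp_row *out, size_t max) {
    DWORD size = 0; size_t n = 0;
    GetExtendedTcpTable(NULL, &size, FALSE, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0);
    MIB_TCPTABLE_OWNER_PID *tbl = malloc(size);
    if (tbl && GetExtendedTcpTable(tbl, &size, FALSE, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0) == NO_ERROR)
        for (DWORD i = 0; i < tbl->dwNumEntries && n < max; i++, n++) {
            MIB_TCPROW_OWNER_PID *r = &tbl->table[i];
            out[n] = (tcp_row){ r->dwLocalAddr, r->dwLocalPort, r->dwRemoteAddr, r->dwRemotePort, r->dwOwningPid };
        }
    free(tbl); return n;
}
#endif

/* Constructed sample data (not from a real host) for exercising lookup_pid offline. */
static uint32_t be32(uint8_t a, uint8_t b, uint8_t c, uint8_t d) { uint8_t o[4] = {a, b, c, d}; uint32_t v; memcpy(&v, o, 4); return v; }
static uint16_t be16(uint16_t port) { uint8_t o[2] = {(uint8_t)(port >> 8), (uint8_t)port}; uint16_t v; memcpy(&v, o, 2); return v; }
/* Hypothetical browser (pid 4242) holds 192.168.1.10:51000 -> 203.0.113.5:443; we see the reply packet. */
uint32_t demo_inbound_match(void) {
    tcp_row tbl[] = {{ be32(192,168,1,10), be16(51000), be32(203,0,113,5), be16(443), 4242 }};
    pkt_tuple reply = { be32(203,0,113,5), be32(192,168,1,10), be16(443), be16(51000) };
    return lookup_pid(&reply, tbl, 1);
}
```

On Windows, link against iphlpapi.lib and ws2_32.lib; to narrow the race the post raises, take the table snapshot as soon as a packet with an unseen 4-tuple arrives rather than on a fixed timer.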