
I need to get the name of the process that's trying to access external IPs. These processes can be malware or updates; they are short-lived, so netstat or Resource Monitor cannot be used. I've tried MS Message Analyzer but I get bad results (the Idle process is listed the most). Is there another tool or procedure that I could try?

I followed this article to configure Message Analyzer.

This is output of netmon:

  • All Traffic
    • My Traffic
  • Unavailable (3020)
  • Unavailable (1788)
  • taskhost.exe (704)
  • Unavailable (600) +
  • Unavailable (3048)
  • Unavailable (360)
    • IPv4 (xx.xx.xx.xx - 23.0.174.16) ConvID = 162
    • IPv4 (xx.xx.xx.xx - 23.0.174.8) ConvID = 166
    • IPv4 (xx.xx.xx.xx - 23.0.174.19) ConvID = 171
    • IPv4 (xx.xx.xx.xx - 23.0.174.27) ConvID = 175
    • IPv4 (xx.xx.xx.xx - 23.0.174.35) ConvID = 181
    • IPv4 (xx.xx.xx.xx - 5.22.191.202) ConvID = 195
    • IPv4 (xx.xx.xx.xx - 5.22.191.201) ConvID = 199
    • IPv4 (xx.xx.xx.xx - 5.22.191.233) ConvID = 203
    • IPv4 (xx.xx.xx.xx - 5.22.191.227) ConvID = 207
    • IPv4 (xx.xx.xx.xx - 5.22.191.217) ConvID = 211
    • IPv4 (xx.xx.xx.xx - 193.77.14.137) ConvID = 232
    • IPv4 (xx.xx.xx.xx - 193.77.14.171) ConvID = 236

I don't get this in Resource Monitor. These IPs are strange; I do not surf on the server during monitoring.

malibeg

1 Answer


You can use Process Monitor (procmon) for this. Download link: https://technet.microsoft.com/en-gb/sysinternals/bb896645

Once you open it, set some filters for network only stuff. If you have multiple network interfaces, you could use these:

Operation | is | TCP Send | then Include

Operation | is | UDP Send | then Include

Path | contains | 127.0.0.1 | then Exclude

(I'm assuming you don't care about accessing the loopback address)

If you have only one network interface, or only one you care about, you can set the filter to:

Path | begins with | x.x.x.x | then Include

Where x.x.x.x is the local interface's IP address.

You can filter it further from here, by excluding known good processes, or excluding DNS request packets/acks/etc. You can let it run for as long as you want, but keep an eye on memory usage. By default, it'll keep 199 million events in the loop and you may want to turn this up or down. At the end of the day, you can browse the list manually, or go to Tools -> Network Summary and filter by individual IP addresses.

Neil
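The same procedure can be driven without the GUI, which helps when the connection you are chasing is short-lived and you do not want to sit watching the filter view. The script below is an added example, not code from the original answer or from Sysinternals: it runs Process Monitor for a fixed window into a backing file, exports the log to CSV, and then applies the answer's filters (TCP Send / UDP Send, loopback and local addresses excluded) in PowerShell before grouping by process and remote host. It assumes procmon.exe is on PATH, that the exported CSV carries Procmon's default columns ("Process Name", "PID", "Operation", "Path"), and that the Path column of a network event has the form "local:port -> remote:port".

```powershell
# Added example (not from the original post): capture outbound network events
# with Process Monitor for a fixed time and summarise process -> remote address.
# Assumptions: procmon.exe is on PATH; the CSV export uses Procmon's default
# column names; network-event Path values look like "src:port -> dst:port".
param(
    [int]$Seconds = 120,                        # capture window
    [string]$Pml  = "$env:TEMP\netcap.pml",     # raw Procmon log
    [string]$Csv  = "$env:TEMP\netcap.csv"      # CSV export of the same log
)

# 1. Capture for a fixed window. /Runtime makes procmon stop and exit on its
#    own, so processes that only live for a few seconds are still recorded.
Start-Process procmon.exe -Wait -ArgumentList `
    "/AcceptEula /Quiet /Minimized /BackingFile `"$Pml`" /Runtime $Seconds"

# 2. Convert the PML to CSV; the extension of the /SaveAs target picks the format.
Start-Process procmon.exe -Wait -ArgumentList `
    "/AcceptEula /Quiet /OpenLog `"$Pml`" /SaveAs `"$Csv`""

# 3. Addresses of the local interfaces, so traffic to ourselves is dropped
#    (the same idea as the answer's "Path contains 127.0.0.1 -> Exclude").
$localAddrs = Get-NetIPAddress -AddressFamily IPv4 |
    Select-Object -ExpandProperty IPAddress

Import-Csv $Csv |
    Where-Object { $_.Operation -in 'TCP Send', 'UDP Send' } |
    ForEach-Object {
        # Keep only the destination half of "src:port -> dst:port".
        $dst = ($_.Path -split '\s*->\s*')[1]
        if (-not $dst) { return }
        # Strip the trailing ":port"; LastIndexOf copes with IPv6 literals too.
        $dstHost = $dst.Substring(0, $dst.LastIndexOf(':'))
        [pscustomobject]@{
            Process = $_.'Process Name'
            PID     = $_.PID
            Remote  = $dstHost
        }
    } |
    Where-Object { $_.Remote -ne '127.0.0.1' -and $_.Remote -notin $localAddrs } |
    Group-Object Process, Remote |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Process'; e = { $_.Group[0].Process } },
        @{ n = 'Remote';  e = { $_.Group[0].Remote } } |
    Format-Table -AutoSize
```

Two practical notes: Procmon resolves network addresses to host names by default, so either turn off Options -> Resolve Network Addresses before capturing or expect host names rather than the raw IPs seen in the question's netmon output; and because the filtering here happens after the capture, a long window will produce a large backing file, in which case save the answer's filter set from the GUI as a .pmc file and pass it with /LoadConfig so procmon discards the non-network events itself.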