There are many ways to determine which process is sending TCP/UDP traffic on a computer system, but not many for ICMP traffic.
This is a summary of the available approaches.
1. Install a local firewall
You can always try installing a firewall that blocks outgoing traffic, or use the Windows Firewall. When traffic is generated it may prompt you to ask whether to allow it, and in many cases it will tell you which application is generating the traffic.
2. Commands
2.1 The netstat command
The netstat command is very useful for TCP/UDP traffic.
For example: netstat -tabn 10 | find ":80"
NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-t] [interval]

  -a            Displays all connections and listening ports.
  -b            Displays the executable involved in creating each connection or
                listening port. In some cases well-known executables host
                multiple independent components, and in these cases the
                sequence of components involved in creating the connection
                or listening port is displayed. In this case the executable
                name is in [] at the bottom, on top is the component it called,
                and so forth until TCP/IP was reached. Note that this option
                can be time-consuming and will fail unless you have sufficient
                permissions.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -f            Displays Fully Qualified Domain Names (FQDN) for foreign
                addresses.
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics. By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  -t            Displays the current connection offload state.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display. Press CTRL+C to stop redisplaying
                statistics. If omitted, netstat will print the current
                configuration information once.
For ICMP traffic, however, it can only show statistics. It cannot show the process name the way it does for UDP/TCP traffic.
C:\test>netstat -s -p icmp

ICMPv4 Statistics

                            Received    Sent
  Messages                  3794        20504
  Errors                    0           0
  Destination Unreachable   39          484
  Time Exceeded             3           0
  Parameter Problems        0           0
  Source Quenches           0           0
  Redirects                 0           0
  Echo Replies              3750        2
  Echos                     2           20018
  Timestamps                0           0
  Timestamp Replies         0           0
  Address Masks             0           0
  Address Mask Replies      0           0
  Router Solicitations      0           0
  Router Advertisements     0           0
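As an added example (not part of the original notes), the Python script below parses two snapshots of "netstat -s -p icmp" output and computes the outbound echo-request rate between them; since netstat cannot name the sender, a climbing "Echos / Sent" counter is what triggers the process hunt described in the following sections. Both snapshots are constructed in the layout of the output above, with made-up numbers.

```python
import re

# Constructed sample: two ICMPv4 counter snapshots in the layout of
# "netstat -s -p icmp" output, taken 10 seconds apart (numbers are made up).
SNAPSHOT_T0 = """\
ICMPv4 Statistics

                            Received    Sent
  Messages                  3794        20504
  Errors                    0           0
  Destination Unreachable   39          484
  Time Exceeded             3           0
  Echo Replies              3750        2
  Echos                     2           20018
"""

SNAPSHOT_T1 = """\
ICMPv4 Statistics

                            Received    Sent
  Messages                  3801        20904
  Errors                    0           0
  Destination Unreachable   39          484
  Time Exceeded             3           0
  Echo Replies              3757        2
  Echos                     2           20418
"""

# One counter row: a name made of letters/spaces, then two integer columns.
# The "Received    Sent" header and the title line carry no digit pair, so they are skipped.
ROW = re.compile(r"^\s*([A-Za-z][A-Za-z ]+?)\s{2,}(\d+)\s+(\d+)\s*$")

def parse_icmp_stats(text):
    """Return {counter_name: (received, sent)} from netstat -s -p icmp output."""
    stats = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            stats[m.group(1).strip()] = (int(m.group(2)), int(m.group(3)))
    return stats

def echo_rate(before, after, seconds):
    """Outbound ICMP echo requests per second between two snapshots."""
    return (after["Echos"][1] - before["Echos"][1]) / seconds

def suspicious_echo_sender(before, after, seconds, threshold=1.0):
    """True when the host sent echo requests faster than `threshold` per second."""
    return echo_rate(before, after, seconds) > threshold

if __name__ == "__main__":
    t0, t1 = parse_icmp_stats(SNAPSHOT_T0), parse_icmp_stats(SNAPSHOT_T1)
    print("echo requests per second:", echo_rate(t0, t1, 10))
```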
2.2 Windows Sysinternals Suite tools
The Windows Sysinternals suite provides some useful tools to show which process is using certain DLL files that are usually associated with ICMP traffic.
We can use listdlls or Process Explorer to determine which processes have loaded these libraries. Suspend them one by one and note when the ICMP traffic stops.
C:\Documents and Settings\user>listdlls -d icmp

ListDLLs v3.1 - List loaded DLLs
Copyright (C) 1997-2011 Mark Russinovich
Sysinternals - www.sysinternals.com

----------------------------------------------------------------
Belkinwcui.exe pid: 2484
Command line: "C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe"
Base        Size      Path
0x74290000  0x4000    ICMP.DLL
Use the tasklist command (see below) to determine which processes have loaded iphlpapi.dll or icmp.dll (for example, I found that ping.exe uses only iphlpapi.dll, while tracert.exe uses both).
C:\test>tasklist /M Iphlpapi.dll

Image Name                     PID Modules
========================= ======== ============================================
chrome.exe                    8568 IPHLPAPI.DLL
chrome.exe                     168 IPHLPAPI.DLL
chrome.exe                    7600 IPHLPAPI.DLL
chrome.exe                    3620 IPHLPAPI.DLL
chrome.exe                    6820 IPHLPAPI.DLL
chrome.exe                    8616 IPHLPAPI.DLL
chrome.exe                    7576 IPHLPAPI.DLL
chrome.exe                    6624 IPHLPAPI.DLL
chrome.exe                    8128 IPHLPAPI.DLL
taskhost.exe                  7048 IPHLPAPI.DLL
splwow64.exe                  7440 IPHLPAPI.DLL
chrome.exe                    8572 IPHLPAPI.DLL
chrome.exe                    8144 IPHLPAPI.DLL
chrome.exe                    6164 IPHLPAPI.DLL
OSPPSVC.EXE                   8048 IPHLPAPI.DLL
[garbled image name]          4272 IPHLPAPI.DLL
C:\test>tasklist /M Iphlpapi.dll

Image Name                     PID Modules
========================= ======== ============================================
lsass.exe                      604 IPHLPAPI.DLL
svchost.exe                    912 IPHLPAPI.DLL
svchost.exe                    968 IPHLPAPI.DLL
svchost.exe                    992 IPHLPAPI.DLL
svchost.exe                    336 IPHLPAPI.DLL
svchost.exe                    608 IPHLPAPI.DLL
svchost.exe                   1228 iphlpapi.dll
svchost.exe                   1320 IPHLPAPI.DLL
wlanext.exe                   1352 IPHLPAPI.DLL
[garbled image name]          1560 IPHLPAPI.DLL
btwdins.exe                   1860 IPHLPAPI.DLL
OfficeClickToRun.exe          1884 IPHLPAPI.DLL
svchost.exe                   2004 IPHLPAPI.DLL
EvtEng.exe                    2036 IPHLPAPI.DLL
SwiCardDetect64.exe           2588 IPHLPAPI.DLL
WmiPrvSE.exe                  1704 IPHLPAPI.DLL
svchost.exe                   4316 IPHLPAPI.DLL
explorer.exe                  4108 IPHLPAPI.DLL
BTStackServer.exe             5632 IPHLPAPI.DLL
svchost.exe                   1868 IPHLPAPI.DLL
chrome.exe                    8536 IPHLPAPI.DLL
chrome.exe                    7816 IPHLPAPI.DLL
tracert.exe                   9000 iphlpapi.DLL
C:\test>tasklist /M icmp.dll

Image Name                     PID Modules
========================= ======== ============================================
tracert.exe                   9000 icmp.dll
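Added example, not from the original notes: a Python script that parses "tasklist /M" output for both DLLs, merges the listings and ranks processes that loaded icmp.dll ahead of those that loaded only iphlpapi.dll (which many unrelated processes such as chrome.exe and svchost.exe load), giving a short suspend-one-at-a-time list for the technique above. The listings embedded in it are constructed, with made-up PIDs.

```python
import re

# Constructed sample output in the layout of "tasklist /M <dll>";
# process names and PIDs are made up for the demo.
TASKLIST_IPHLPAPI = """\
Image Name                     PID Modules
========================= ======== ============================================
svchost.exe                    912 IPHLPAPI.DLL
chrome.exe                    8536 IPHLPAPI.DLL
ping.exe                      4412 IPHLPAPI.DLL
tracert.exe                   9000 iphlpapi.DLL
"""

TASKLIST_ICMP = """\
Image Name                     PID Modules
========================= ======== ============================================
tracert.exe                   9000 icmp.dll
"""

# One data row: image name (may contain spaces), PID, then a module list.
ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*?)\s*$")

def parse_tasklist_modules(text):
    """Return {(image, pid): {module, ...}} from tasklist /M output."""
    procs = {}
    for line in text.splitlines():
        if line.startswith("Image Name") or line.startswith("="):
            continue  # header and separator rows carry no data
        match = ROW.match(line)
        if match:
            key = (match.group(1).strip(), int(match.group(2)))
            mods = {m.strip().lower() for m in match.group(3).split(",")}
            procs.setdefault(key, set()).update(mods)
    return procs

def rank_icmp_candidates(*listings):
    """Merge several tasklist outputs and order processes: icmp.dll loaders
    first, then iphlpapi.dll-only loaders, each group sorted by PID."""
    merged = {}
    for listing in listings:
        for key, mods in parse_tasklist_modules(listing).items():
            merged.setdefault(key, set()).update(mods)
    def score(item):
        (_, pid), mods = item
        return (0 if "icmp.dll" in mods else 1, pid)
    return [key for key, _ in sorted(merged.items(), key=score)]

if __name__ == "__main__":
    for image, pid in rank_icmp_candidates(TASKLIST_IPHLPAPI, TASKLIST_ICMP):
        print(f"{image:<24} {pid}")
```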
3. The netsh command performs low-level network traffic capture
You can use the new built-in ETL tracing available at the NDIS layer. All you need to do is start a new ETL packet capture session. This method does not even require installing any sniffing software (Network Monitor, Wireshark, etc.). You can also use this option for general packet capture on Windows 7 / Windows 2008 R2:
netsh trace start capture=yes tracefile=c:\test\c1.etl
netsh trace stop
4. Microsoft Message Analyzer
Microsoft Message Analyzer lets you capture, display and analyze protocol messaging traffic, and track and evaluate system events and other messages from Windows components.
5. Some Windows Sysinternals Suite tools
TCPView
Procexp
Sysmon collects network connections
Install:
sysmon -i -accepteula [options]
- Extracts the binary to %systemroot%
- Registers the event log manifest
- Enables the default configuration
View and update the configuration:
sysmon -c [options]
- Updates take effect immediately
- Options can be basic options or a configuration file
Register the event manifest (only needed to view the logs):
sysmon -m
Uninstall:
sysmon -u
C:\ISOScripting>sysmon64 -i -accepteula
System Monitor v7.02 - System activity monitor
Copyright (C) 2014-2018 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com
Sysmon64 installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon64..
Sysmon64 started.
C:\ISOScripting>sysmon64 -c

System Monitor v7.02 - System activity monitor
Copyright (C) 2014-2018 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Current configuration:
 - Service name:          Sysmon64
 - Driver name:           SysmonDrv
 - HashingAlgorithms:     SHA1
 - Network connection:    disabled
 - Image loading:         disabled
 - CRL checking:          disabled
 - Process Access:        disabled

No rules installed
C:\ISOScripting>sysmon64 -c -n

System Monitor v7.02 - System activity monitor
Copyright (C) 2014-2018 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Configuration updated.

C:\ISOScripting>sysmon64 -c

System Monitor v7.02 - System activity monitor
Copyright (C) 2014-2018 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Current configuration:
 - Service name:          Sysmon64
 - Driver name:           SysmonDrv
 - HashingAlgorithms:     SHA1
 - Network connection:    enabled
 - Image loading:         disabled
 - CRL checking:          disabled
 - Process Access:        disabled

No rules installed
C:\ISOScripting>Sysmon64.exe -u

System Monitor v7.02 - System activity monitor
Copyright (C) 2014-2018 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Stopping Sysmon64.
Sysmon64 stopped.
Sysmon64 removed.
Stopping SysmonDrv.
SysmonDrv stopped.
SysmonDrv removed.
Removing service files................
Failed to delete C:\windows\Sysmon64.exe
C:\ISOScripting>sysmon64 /?
System Monitor v7.02 - System activity monitor
Copyright (C) 2014-2018 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com
Usage:
Install: sysmon64 -i [<configfile>]
[-h <[sha1|md5|sha256|imphash|*],...>] [-n [<process,...>]]
[-l [<process,...>]
Configure: sysmon64 -c [<configfile>]
[--|[-h <[sha1|md5|sha256|imphash|*],...>] [-n [<process,...>]]
[-l [<process,...>]]]
Uninstall: sysmon64 -u
-c Update configuration of an installed Sysmon driver or dump the
current configuration if no other argument is provided. Optionally
take a configuration file.
-d Specify the name of the installed device driver image.
Configuration entry: DriverName.
The service image and service name will be the same
name of the Sysmon.exe executable image.
-h Specify the hash algorithms used for image identification (default
is SHA1). It supports multiple algorithms at the same time.
Configuration entry: HashAlgorithms.
-i Install service and driver. Optionally take a configuration file.
-l Log loading of modules. Optionally take a list of processes to track.
-m Install the event manifest (done on service install as well).
-n Log network connections. Optionally take a list of processes to track.
-r Check for signature certificate revocation.
Configuration entry: CheckRevocation.
-s Print configuration schema definition of the specified version.
Specify 'all' to dump all schema versions (default is latest).
-u Uninstall service and driver.
The service logs events immediately and the driver installs as a boot-start
driver to capture activity from early in the boot that the service will write
to the event log when it starts.
On Vista and higher, events are stored in "Applications and Services
Logs/Microsoft/Windows/Sysmon/Operational". On older systems, events are
written to the System event log.
If you need more information on configuration files, use the '-? config'
command. More examples are available on the Sysinternals website.
Specify -accepteula to automatically accept the EULA on installation,
otherwise you will be interactively prompted to accept it.
Neither install nor uninstall requires a reboot.
C:\ISOScripting>
References:
- http://randomuserid.blogspot.ca/2007/03/tracking-down-random-icmp-in-windows.html