0

Is there an easy way to know where the packets come from? Which program?

My PC, which is on 192.168.0.100, is continuously sending packets (TCP and SMB) to an unknown host (192.168.1.99) and I can't figure out which program is doing that.

Keyne Viana

2 Answers

2

No, Wireshark doesn't have this data. Remember, it's sniffing the wire. If you were on a shared network segment, it would show packets from other machines. Hell, even in an unshared segment it shows packets bound to you from other machines, or broadcasts - Wireshark certainly has no way of knowing what processes on the remote machines generated those.

What OS are you using? If it's Windows, netstat or TCPView (from Sysinternals) work. I think netstat is also the command on most Unixes.

mfinni
  • Thanks! I'm on Windows. I'll try netstat and TCPView and come back with the results. – Keyne Viana Sep 23 '10 at 17:08
  • Just a note: The process is on my machine, not remote. But I understand, Wireshark cannot do this trick. – Keyne Viana Sep 23 '10 at 17:13
  • Microsoft Network Monitor 3.4 can show you both the PID and the name of the process responsible for the traffic. – joeqwerty Sep 23 '10 at 17:35
  • Good call, Joe. – mfinni Sep 23 '10 at 18:11
  • Glad to help... – joeqwerty Sep 23 '10 at 19:18
  • I've tried MS Network Monitor and it shows me a system process. With ZoneAlarm I figured out that it is a printer from another network that doesn't exist anymore. I was wondering how I would discover such a thing without the help of ZoneAlarm... – Keyne Viana Sep 23 '10 at 23:28
  • (Note that NetMon obviously can't show you the process responsible for a packet that's not sent from or to the machine running NetMon.) –  Feb 09 '14 at 20:19
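
One way to apply the netstat/TCPView suggestion above from PowerShell, as an added example that is not part of the original answers: it polls the local TCP table for connections to the remote address from the question and resolves the owning PID to a process. The function name `Find-ConnectionOwner` and its parameters are hypothetical; `Get-NetTCPConnection` requires Windows 8 / Server 2012 or later.

```powershell
# Added example. Attempts to a host that never answers sit in SynSent only
# briefly, so a single snapshot can miss them; this polls for a fixed period.
function Find-ConnectionOwner {
    param(
        [Parameter(Mandatory)] [string] $RemoteAddress,
        [int] $Seconds    = 30,    # how long to watch
        [int] $IntervalMs = 200    # polling interval
    )
    $seen     = @{}
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        # The cmdlet writes an error when nothing matches; suppress it.
        $conns = Get-NetTCPConnection -RemoteAddress $RemoteAddress -ErrorAction SilentlyContinue
        foreach ($c in $conns) {
            $key = '{0}|{1}' -f $c.OwningProcess, $c.RemotePort
            if ($seen.ContainsKey($key)) { continue }
            # ExecutablePath can be empty for other users' processes unless elevated.
            $proc = Get-CimInstance Win32_Process -Filter "ProcessId=$($c.OwningProcess)" -ErrorAction SilentlyContinue
            $note = ''
            if ($c.OwningProcess -eq 4) {
                # PID 4 is System: kernel-mode components such as the SMB client
                # own the socket, so no user-mode program will be named here.
                $note = 'kernel-mode component (e.g. SMB client)'
            }
            $seen[$key] = [pscustomobject]@{
                OwningPid  = $c.OwningProcess
                Process    = if ($proc) { $proc.Name } else { '<exited>' }
                Path       = if ($proc) { $proc.ExecutablePath } else { $null }
                RemotePort = $c.RemotePort
                State      = $c.State
                FirstSeen  = Get-Date
                Note       = $note
            }
        }
        Start-Sleep -Milliseconds $IntervalMs
    }
    $seen.Values | Sort-Object FirstSeen
}

# Address taken from the question; watch for one minute.
Find-ConnectionOwner -RemoteAddress 192.168.1.99 -Seconds 60 | Format-Table -AutoSize
```

A result attributed to PID 4 matches what the asker saw in Network Monitor: the owner is reported as System, and the cause has to be traced through configuration (here, a stale printer) rather than a program name.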
1

In this case you might just want to use a software firewall, like ZoneAlarm; it will tell you what apps on a computer are sending where.

MaQleod
  • I'm not convinced that I need a firewall to do that... – Keyne Viana Sep 23 '10 at 18:46
  • You don't need one, it is just a simple method for seeing what app is sending info out to which IP address. It will of course only give you basic information, so it all depends on what level of detail you're after. – MaQleod Sep 23 '10 at 18:56