
I have developed a c# application using TcpClient/TcpListener to listen for requests from other applications on the local machine. Now I need to determine what process is actually making the connection to my listener.

There are some examples out there using GetExtendedTcpTable to see what processes are using which ports. But it seems like that would be a very expensive operation to run on EVERY connection to my listener. The system has to know who is making the connection, right? I just can't find the information exposed through any of the objects. Any winsock gurus out there willing to lend a hand?

Phil Figgins
  • Worst case, you can always execute `netstat -no` and parse the results. – Bradley Uffner Aug 18 '16 at 14:23
  • Saw that one too. But again, it seems like it would add a ton of overhead to each and every TCP connection. After all, I can't cache it since the connections change. – Phil Figgins Aug 18 '16 at 14:40
  • Come to think of it, Fiddler allows you to filter by process, so there has to be a way to get at the data in a somewhat efficient manner since Fiddler doesn't cause a slowdown of traffic... – Phil Figgins Aug 18 '16 at 14:42
  • You can PInvoke the `GetExtendedTcpTableFunction`. Here is a sample https://code.msdn.microsoft.com/C-Sample-to-list-all-the-4817b58f You will need to adjust it slightly to get the PID, but that's the API call you want. – Bradley Uffner Aug 18 '16 at 14:43
  • Here is a better example that actually gets the PID. https://stackoverflow.com/questions/577433/which-pid-listens-on-a-given-port-in-c-sharp – Bradley Uffner Aug 18 '16 at 14:45
  • Someone wrote a managed wrapper here: http://www.codeproject.com/Articles/4298/Getting-active-TCP-UDP-connections-on-a-box This looks like the easiest solution. – Bradley Uffner Aug 18 '16 at 14:49
  • Thanks Bradley, I appreciate all the links. I actually stumbled on those in my research. I was concerned about the performance of such a solution. That said, I went ahead and implemented the managed wrapper you mentioned to see what performance was like. Unfortunately, there are so many requests happening at once that this method won't let me isolate which particular process my TcpListener is talking to. The table I get from PInvoke is too disconnected and just gives me the most recent process to hit my listening endpoint. – Phil Figgins Aug 18 '16 at 15:30

1 Answer


There is no managed API for this as far as I am aware; the only option is to pInvoke the Windows API.

The Windows API is available through "IPHlpApi.dll" and "IpHelperAPI.dll", but the specific parts you need to get the port are undocumented.

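```csharp
using System.Runtime.InteropServices;

// pdwSize is in/out: buffer size on input, required size on return, hence ref.
[DllImport("iphlpapi.dll", SetLastError = true)]
public static extern int GetTcpTable(byte[] pTcpTable,
    ref int pdwSize, bool bOrder);
```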

The source code for a managed wrapper can be found here.

Bradley Uffner
  • Unfortunately, there are so many requests happening at once that this method won't let me isolate which particular process my TcpListener is talking to. The table I get from PInvoke is too disconnected and just gives me one of the recent processes to hit my listening endpoint. – Phil Figgins Aug 18 '16 at 20:15
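
One way to tie an accepted connection to its owning process, as an added example (not code from the question, the answer, or the linked wrappers): match the accepted socket's full 4-tuple against the `GetExtendedTcpTable` rows instead of looking only at the listening port. `PeerProcess` and `FindPid` are hypothetical names; IPv4 and a little-endian Windows host are assumed.

```csharp
using System;
using System.Net;
using System.Net.Sockets;
using System.Runtime.InteropServices;

static class PeerProcess   // hypothetical helper, not part of any library
{
    const int AF_INET = 2;
    const int TCP_TABLE_OWNER_PID_CONNECTIONS = 4;  // TCP_TABLE_CLASS value
    const uint ERROR_INSUFFICIENT_BUFFER = 122;
    [DllImport("iphlpapi.dll")]
    static extern uint GetExtendedTcpTable(IntPtr pTcpTable, ref int pdwSize,
        bool bOrder, int ulAf, int tableClass, uint reserved);

    // PID owning the client end of an accepted IPv4 connection, or -1 if not found.
    public static int FindPid(Socket accepted)
    {
        var client = (IPEndPoint)accepted.RemoteEndPoint;  // peer's ip:port
        var server = (IPEndPoint)accepted.LocalEndPoint;   // listener's ip:port
        uint clientIp = BitConverter.ToUInt32(client.Address.GetAddressBytes(), 0);
        uint serverIp = BitConverter.ToUInt32(server.Address.GetAddressBytes(), 0);
        IntPtr buf = IntPtr.Zero;
        int size = 0; uint rc;
        try
        {
            // The table can grow between calls, so retry until the buffer fits.
            while ((rc = GetExtendedTcpTable(buf, ref size, false, AF_INET,
                       TCP_TABLE_OWNER_PID_CONNECTIONS, 0)) == ERROR_INSUFFICIENT_BUFFER)
            {
                Marshal.FreeHGlobal(buf);                  // no-op for IntPtr.Zero
                buf = IntPtr.Zero;                         // avoid double free if alloc throws
                buf = Marshal.AllocHGlobal(size);
            }
            if (rc != 0) return -1;
            int count = Marshal.ReadInt32(buf);            // dwNumEntries
            for (int off = 4; count-- > 0; off += 24)      // MIB_TCPROW_OWNER_PID = six DWORDs
                // In the client's row, "local" is the peer and "remote" is the listener.
                if ((uint)Marshal.ReadInt32(buf, off + 4) == clientIp &&
                    Port(Marshal.ReadInt32(buf, off + 8)) == client.Port &&
                    (uint)Marshal.ReadInt32(buf, off + 12) == serverIp &&
                    Port(Marshal.ReadInt32(buf, off + 16)) == server.Port)
                    return Marshal.ReadInt32(buf, off + 20);   // dwOwningPid
            return -1;
        }
        finally { Marshal.FreeHGlobal(buf); }
    }
    // Ports are stored in network byte order in the low 16 bits of the DWORD.
    static int Port(int raw) => ((raw & 0xFF) << 8) | ((raw >> 8) & 0xFF);
}
```

Call it on the socket returned by `AcceptSocket()` (or on `TcpClient.Client`) while the connection is still established. PIDs are reused after a client exits, so resolve the PID to a process immediately and treat the result as an identification hint rather than proof of the caller's identity.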