
my goal is that my code (C#) outputs the IP addresses another program is trying to connect to. Example: my browser.exe wants to connect to a website at 12.34.567.89 so my code would output that IP.

Note: my main trouble is to also list unsuccessful connection attempts, as everything else I've found seems to only work with established connections.

I don't have a lot of experience and this is my first post, so anything could help. Thanks in advance.

Bloom
  • Is there a reason you are not just using programs like Wireshark for that? – Christopher May 10 '20 at 18:11
  • I would like to build up on that code later on, not manually having to monitor it. – Bloom May 10 '20 at 18:23
  • @Christopher Wireshark will not give you the process. TCPView by Sysinternals is the way to see connections per process. https://learn.microsoft.com/en-us/sysinternals/downloads/tcpview – Robert Navado May 10 '20 at 18:23
  • @RobertNavado Thanks for the quick response. Would TCPView also allow me to see connection attempts, as I can only seem to see established connections? Edit: a bit like what NetLimiter (or similar) is doing before even allowing the app to establish a connection. – Bloom May 10 '20 at 18:57
  • I'm not sure. In general an unsuccessful connection will have status failed in WMI (I suspect they just query WMI) and may be displayed in TCPView too. – Robert Navado May 10 '20 at 19:06
  • I think it should; it resembles netstat. A TCP connection has a handle in the system and is tracked for some period of time even if only one SYN was sent. I think the SYN timeout is 75s by default, at least on some systems, but it may be configured between 2 and 600 seconds according to the TCP standard. – Robert Navado May 10 '20 at 19:11
  • Try taking a look at https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/netstat and at connections with status SYN_SEND and SYN_RECEIVED. You might be interested in CLOSED connections too. Pay attention that different connection states might have different timeouts, and a properly closed connection will disappear more quickly than a failed one. All this depends on the actual configuration of your target system. – Robert Navado May 10 '20 at 19:15

2 Answers

This answer is not pure C#, but links to example invocations written in C#.

In general, on MS Windows platforms many tasks like the one in the question may be performed using WMI with the WQL language.

To achieve the requested result it's possible to query the MSFT_NetTCPConnection class and use the properties OwningProcess and RemoteAddress:

select OwningProcess, RemoteAddress from MSFT_NetTCPConnection

You can execute WMI queries with ManagementObjectSearcher. See examples here and here.

In case it's required to get process details, another query can help:

select * from Win32_Process where ProcessID = PID_FROM_NET_TCP_CONNECTION

Unfortunately it's not possible to join tables in WQL, but it's possible to create and register your own WMI class combining the required values, resembling join behaviour. For example, like here. Or just handle it in your code.

Robert Navado
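A worked version of the polling approach this answer describes, added here as an example (it is not the answer's own code). It assumes the System.Management assembly is referenced and that MSFT_NetTCPConnection lives in the root\StandardCimv2 namespace; it polls for connections in SYN_SENT, SYN_RECEIVED or ESTABLISHED state, so an attempt that never completes is still reported while it sits in SYN_SENT, and it resolves the owning process name with System.Diagnostics.Process instead of the Win32_Process query above:

```csharp
// Added example: report per-process remote endpoints, including pending SYN_SENT attempts.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Management;
using System.Threading;

class TcpAttemptMonitor
{
    // State values of MSFT_NetTCPConnection; 3 = SynSent means the handshake has not completed.
    const int SynSent = 3, SynReceived = 4, Established = 5;

    static string StateName(int s) => s switch
    {
        SynSent => "SYN_SENT", SynReceived => "SYN_RECEIVED", Established => "ESTABLISHED", _ => "STATE_" + s
    };

    static void Main()
    {
        // MSFT_NetTCPConnection is in root\StandardCimv2, not the default root\cimv2 namespace.
        var scope = new ManagementScope(@"root\StandardCimv2");
        var query = new ObjectQuery(
            "SELECT OwningProcess, RemoteAddress, RemotePort, State FROM MSFT_NetTCPConnection " +
            "WHERE State = 3 OR State = 4 OR State = 5");
        var seen = new HashSet<string>();   // print each (pid, endpoint, state) only once across polls
        while (true)
        {
            using (var searcher = new ManagementObjectSearcher(scope, query))
            foreach (ManagementObject conn in searcher.Get())
            {
                int pid = Convert.ToInt32(conn["OwningProcess"]);
                int state = Convert.ToInt32(conn["State"]);
                string endpoint = $"{conn["RemoteAddress"]}:{conn["RemotePort"]}";
                if (!seen.Add($"{pid}|{endpoint}|{state}")) continue;
                Console.WriteLine($"{ProcessName(pid)} (PID {pid}) -> {endpoint} [{StateName(state)}]");
            }
            // Short interval: a SYN_SENT entry disappears once the attempt times out or is refused.
            Thread.Sleep(200);
        }
    }

    // The process may already have exited by the time the table is read.
    static string ProcessName(int pid)
    {
        try { return Process.GetProcessById(pid).ProcessName; }
        catch (ArgumentException) { return "<exited>"; }
    }
}
```

Because this is a snapshot poll rather than an event subscription, very short-lived attempts can be missed between polls; a WMI event query or ETW tracing is needed for a complete record.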

I think Raw Sockets are well suited for these purposes.

new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.IP);

Try to look at that example of raw sockets (you need to replace _fcaptureIp with your IP).