I have a need to monitor what applications and processes are using a given port, for example a query of Active Directory for login by an application.

So what I want to do is: an application sends login credentials to AD. I want to see this request on the computer making the request, identify the PID, record it with a timestamp, and if possible get the result of that query as successful or not.

Example of output:

ApplicationBahBlah_PID, 10:38:01:1234 , (Failed)
ApplicationBahBlah_PID, 10:42:21:9734 , (Success)

I have looked here: Using /proc/<pid>, how can I identify a network port number's application? But that is for Linux and also not C#.

  • AD/Windows already have auditing/logging features. If that is not enough, TCPView can give you a list of what app is using a specific port. – Vasya Jul 28 '22 at 19:57
  • 1
    @Vasya tcpview shows applications listening on your computer, not applications communicating to a specific port on another computer. – NetMage Jul 28 '22 at 20:06
  • @NetMage: I am using latest TCPView and it shows both server and client connections and also local and remote ports. – Vasya Jul 28 '22 at 20:29
  • @Vasya - I am on a physical computer box, not the AD system. I do not want to sit and view 24 hours a day; I want to write an application with output, like in the example. NetMage is correct: I am on the computer and I want to see the computer initiate communication, get the PID and time stamp it. – Ken Jul 29 '22 at 00:15
  • @Vasya TcpView does not do what I want it to do, only part of it. I want to monitor specific ports and get the application process PID and time stamp it. I know AD has tools, but I don't have access to AD. Therefore I am asking how to do this in code. – Ken Jul 29 '22 at 00:24
  • You can use GetExtendedTcpTable to get the list of TCP connections. Write a service and monitor a specific port at regular interval. See related question https://stackoverflow.com/questions/15573504/getextendedtcptable-donesnt-return-the-same-result-as-netstat-ano Another way would be to write a driver that sits before the protocol layer and registers tcp connections but you probably do not want to go there. – Vasya Jul 29 '22 at 11:04
  • @Vasya monitoring a specific port won't help since the service is running on the client side - the specific port is on the server side. – NetMage Jul 29 '22 at 17:31
  • I couldn't find a way to catch TCP session starts or opens, so the next thing to do would be to install npcap and write a program to grab network traffic and filter for session open and close packets to your destinations and ports. – NetMage Jul 29 '22 at 17:32
  • @NetMage: I may be missing something but GetExtendedTcpTable returns remote port as well so it is possible to monitor all outgoing communications on a specific port. Agree that client port will always be different. – Vasya Jul 29 '22 at 18:24
  • @Vasya I believe you are correct, unfortunately I don't think it helps monitor transient connections. – NetMage Jul 29 '22 at 20:26
  • 1
    If you enable Windows Filtering Platform logging, you can watch for event 5156 in the Security Log to catch each time a session is established. It may be possible to do this programmatically through the WFP API via PInvoke, but the whole area seems very undocumented. – NetMage Jul 29 '22 at 21:00
  • @NetMage I looked into this; by default only successes are logged (which I find to be odd: like, I have someone who is able to log in, let me see the event so I can fix that??). However there is something I will try when I am back in the office, from an admin command prompt: disable success and enable failure: auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable – Ken Jul 31 '22 at 13:56
  • @Vasya obviously if TcpView can get that much info, surely there has to be code somewhere that shows how to do that much and then validate against a PID what process it was. I do appreciate the help you and NetMage are providing. – Ken Jul 31 '22 at 13:58
  • I believe TcpView is probably using `GetExtendedTcpTable` or equivalent, but seeing a list of the current open connections is very different from logging connections being made. I assumed you meant success/failure of the AD query, and that is very different from success/failure of the TCP connection. If you want that information you would need to intercept the system calls for AD or capture the network traffic and interpret it. – NetMage Aug 01 '22 at 18:56
  • @NetMage "I assumed you meant success/failure of the AD query," IS absolutely correct! I need to be able to determine from the client what app/process is making the query to login and what the status is success / failure. – Ken Aug 01 '22 at 21:27
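A C# poller of the kind Vasya's comment describes, written here as an added example and not code from anyone in the thread: it reads the IPv4 TCP table through GetExtendedTcpTable via P/Invoke, keeps the rows whose remote port matches (389, LDAP, is a constructed choice; the class and method names are assumptions), and prints process name, PID and timestamp in the format the question asks for whenever a connection appears that was not in the previous snapshot.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Net;
using System.Runtime.InteropServices;
using System.Threading;
// Polls the IPv4 TCP table through GetExtendedTcpTable and logs the owning process each time
// a new connection to the watched remote port appears (389 = LDAP is a constructed choice).
static class RemotePortWatcher {
    [DllImport("iphlpapi.dll")]
    static extern uint GetExtendedTcpTable(IntPtr pTcpTable, ref int pdwSize, bool bOrder,
                                           int ulAf, int tableClass, uint reserved);
    [StructLayout(LayoutKind.Sequential)]
    struct MIB_TCPROW_OWNER_PID { public uint State, LocalAddr, LocalPort, RemoteAddr, RemotePort, OwningPid; }
    const int AF_INET = 2, TCP_TABLE_OWNER_PID_ALL = 5;
    // The port fields carry the port in network byte order in their low 16 bits.
    static int HostPort(uint p) => (int)(((p & 0xFF) << 8) | ((p >> 8) & 0xFF));
    // Current connections to watchPort, keyed (local port, remote addr, pid) so a reopened one logs again.
    static HashSet<(int, uint, uint)> Snapshot(int watchPort) {
        int size = 0;
        GetExtendedTcpTable(IntPtr.Zero, ref size, true, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0);
        IntPtr buf = Marshal.AllocHGlobal(size);
        try {
            uint rc = GetExtendedTcpTable(buf, ref size, true, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0);
            if (rc != 0) throw new InvalidOperationException("GetExtendedTcpTable error " + rc);
            var found = new HashSet<(int, uint, uint)>();
            int count = Marshal.ReadInt32(buf), rowSize = Marshal.SizeOf<MIB_TCPROW_OWNER_PID>();
            for (int i = 0; i < count; i++) {   // layout: DWORD dwNumEntries, then the row array
                var r = Marshal.PtrToStructure<MIB_TCPROW_OWNER_PID>(buf + 4 + i * rowSize);
                if (HostPort(r.RemotePort) == watchPort)
                    found.Add((HostPort(r.LocalPort), r.RemoteAddr, r.OwningPid));
            }
            return found;
        } finally { Marshal.FreeHGlobal(buf); }
    }
    static void Main() {
        var previous = new HashSet<(int, uint, uint)>();
        while (true) {
            var current = Snapshot(389);
            foreach (var (lport, raddr, pid) in current) {
                if (previous.Contains((lport, raddr, pid))) continue;
                string name; try { name = Process.GetProcessById((int)pid).ProcessName; } catch { name = "unknown"; }
                Console.WriteLine($"{name}_{pid}, {DateTime.Now:HH:mm:ss:ffff}, -> {new IPAddress(raddr)}:389");
            }
            previous = current;
            Thread.Sleep(100); // connections that open and close within this interval are missed
        }
    }
}
```

As NetMage points out above, a poll of this kind cannot see a connection that opens and closes between two snapshots (WFP audit event 5156 catches every establishment), and it says nothing about whether the LDAP bind itself succeeded; that answer only exists in the traffic or in the server's audit log.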