Wednesday, May 9, 2018

How to Find Out Windows Process Sending ICMP Packets

There are a number of different ways to find out which process is sending TCP/UDP traffic on a Windows system, but far fewer for ICMP traffic.

Here is a summary of the ways to do it.

1. Install a local firewall

You could always try installing a firewall that blocks outgoing traffic, or use the Windows Firewall. When the traffic is generated, the firewall can prompt you to ask whether you want to allow it or not, and in many cases the prompt tells you which application is generating the traffic.
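The same answer can be read from the built-in firewall without waiting for a prompt. The following is an added example, not code from the original post: the Windows Filtering Platform can audit every permitted (event 5156) or blocked (event 5157) connection, and those Security log events carry the process ID, the image path and the IP protocol number (1 for ICMPv4, 58 for ICMPv6). It assumes an elevated PowerShell session and that the "Filtering Platform Connection" audit subcategory has been enabled with auditpol as shown in the comments; the function name and the output shape are my own, and the Direction values are the raw %% strings as they appear in the event XML.

```powershell
# Added example (not from the original post). Requires an elevated prompt.
# Step 1: turn on auditing of permitted and blocked connections (WFP). Run once:
#   auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
# This is verbose on a busy host; disable it again when finished:
#   auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable

function Get-IcmpSenders {
    # Returns one row per (image, PID) that the firewall saw sending ICMP,
    # with a packet count, the destinations seen and the last timestamp.
    param(
        [int]$MaxEvents = 5000,
        [datetime]$Since = (Get-Date).AddMinutes(-30)
    )

    # 5156 = connection permitted, 5157 = connection blocked
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5156, 5157
        StartTime = $Since
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $rows = foreach ($ev in $events) {
        $x = [xml]$ev.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        # Keep only ICMPv4 (1) / ICMPv6 (58) and only outbound traffic
        # (%%14593 = Outbound, %%14592 = Inbound in the raw event data).
        if ($d['Protocol'] -ne '1' -and $d['Protocol'] -ne '58') { continue }
        if ($d['Direction'] -ne '%%14593') { continue }

        [pscustomobject]@{
            Time        = $ev.TimeCreated
            Pid         = [int]$d['ProcessID']
            Application = $d['Application']   # e.g. \device\harddiskvolume2\windows\system32\ping.exe
            Protocol    = if ($d['Protocol'] -eq '1') { 'ICMPv4' } else { 'ICMPv6' }
            Destination = $d['DestAddress']
            Verdict     = if ($ev.Id -eq 5156) { 'permitted' } else { 'blocked' }
        }
    }

    $rows | Group-Object Application, Pid | ForEach-Object {
        [pscustomobject]@{
            Application  = $_.Group[0].Application
            Pid          = $_.Group[0].Pid
            Packets      = $_.Count
            Destinations = ($_.Group.Destination | Sort-Object -Unique) -join ', '
            LastSeen     = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Packets -Descending
}

Get-IcmpSenders | Format-Table -AutoSize
```

Because the PID is recorded at the time of the event, compare it with a current process listing quickly: a short-lived sender such as ping.exe will already have exited, but the image path in the Application column still tells you what it was.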

2. Commands

2.1 Netstat command

The netstat command is good for TCP/UDP traffic, because -b shows the executable behind each connection or listening port.

For example: netstat -tabn 10 | find ":80"

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-t] [interval]

  -a            Displays all connections and listening ports.
  -b            Displays the executable involved in creating each connection or
                listening port. In some cases well-known executables host
                multiple independent components, and in these cases the
                sequence of components involved in creating the connection
                or listening port is displayed. In this case the executable
                name is in [] at the bottom, on top is the component it called,
                and so forth until TCP/IP was reached. Note that this option
                can be time-consuming and will fail unless you have sufficient
  -e            Displays Ethernet statistics. This may be combined with the -s
  -f            Displays Fully Qualified Domain Names (FQDN) for foreign
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics.  By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  -t            Displays the current connection offload state.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display.  Press CTRL+C to stop redisplaying
                statistics.  If omitted, netstat will print the current
                configuration information once.

For ICMP traffic, however, netstat can only show statistics. It cannot show the process name the way it does for TCP/UDP traffic.

C:\test>netstat -s -p icmp

ICMPv4 Statistics

                            Received    Sent
  Messages                  3794        20504
  Errors                    0           0
  Destination Unreachable   39          484
  Time Exceeded             3           0
  Parameter Problems        0           0
  Source Quenches           0           0
  Redirects                 0           0
  Echo Replies              3750        2
  Echos                     2           20018
  Timestamps                0           0
  Timestamp Replies         0           0
  Address Masks             0           0
  Address Mask Replies      0           0
  Router Solicitations      0           0
  Router Advertisements     0           0

2.2 Windows Sysinternals Suite

The Windows Sysinternals suite provides some useful tools to show which process has a given DLL loaded. For ICMP, the libraries of interest are icmp.dll and iphlpapi.dll, which a process typically loads in order to send ICMP.

We can use listdlls or Process Explorer to determine which processes have these libraries loaded, then suspend the candidates one by one and note when the ICMP traffic stops.

C:\Documents and Settings\user>listdlls -d icmp

ListDLLs v3.1 - List loaded DLLs
Copyright (C) 1997-2011 Mark Russinovich
Sysinternals -

Belkinwcui.exe pid: 2484
Command line: "C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe"

Base        Size      Path
0x74290000  0x4000    ICMP.DLL

Use the tasklist command (see below) to determine which processes have iphlpapi.dll or icmp.dll loaded (for example, I find ping.exe uses only iphlpapi.dll, while tracert.exe uses both).

C:\test>tasklist /M Iphlpapi.dll

Image Name                     PID Modules
========================= ======== ============================================
chrome.exe                    8568 IPHLPAPI.DLL
chrome.exe                     168 IPHLPAPI.DLL
chrome.exe                    7600 IPHLPAPI.DLL
chrome.exe                    3620 IPHLPAPI.DLL
chrome.exe                    6820 IPHLPAPI.DLL
chrome.exe                    8616 IPHLPAPI.DLL
chrome.exe                    7576 IPHLPAPI.DLL
chrome.exe                    6624 IPHLPAPI.DLL
chrome.exe                    8128 IPHLPAPI.DLL
taskhost.exe                  7048 IPHLPAPI.DLL
splwow64.exe                  7440 IPHLPAPI.DLL
chrome.exe                    8572 IPHLPAPI.DLL
chrome.exe                    8144 IPHLPAPI.DLL
chrome.exe                    6164 IPHLPAPI.DLL
OSPPSVC.EXE                   8048 IPHLPAPI.DLL
PING.EXE                      4272 IPHLPAPI.DLL

C:\test>tasklist /M Iphlpapi.dll

Image Name                     PID Modules
========================= ======== ============================================
lsass.exe                      604 IPHLPAPI.DLL
svchost.exe                    912 IPHLPAPI.DLL
svchost.exe                    968 IPHLPAPI.DLL
svchost.exe                    992 IPHLPAPI.DLL
svchost.exe                    336 IPHLPAPI.DLL
svchost.exe                    608 IPHLPAPI.DLL
svchost.exe                   1228 iphlpapi.dll
svchost.exe                   1320 IPHLPAPI.DLL
wlanext.exe                   1352 IPHLPAPI.DLL
spoolsv.exe                   1560 IPHLPAPI.DLL
btwdins.exe                   1860 IPHLPAPI.DLL
OfficeClickToRun.exe          1884 IPHLPAPI.DLL
svchost.exe                   2004 IPHLPAPI.DLL
EvtEng.exe                    2036 IPHLPAPI.DLL
SwiCardDetect64.exe           2588 IPHLPAPI.DLL
WmiPrvSE.exe                  1704 IPHLPAPI.DLL
svchost.exe                   4316 IPHLPAPI.DLL
explorer.exe                  4108 IPHLPAPI.DLL
BTStackServer.exe             5632 IPHLPAPI.DLL
svchost.exe                   1868 IPHLPAPI.DLL
chrome.exe                    8536 IPHLPAPI.DLL
chrome.exe                    7816 IPHLPAPI.DLL
TRACERT.EXE                   9000 iphlpapi.DLL

C:\test>tasklist /M icmp.dll

Image Name                     PID Modules
========================= ======== ============================================
TRACERT.EXE                   9000 icmp.dll
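The listdlls, tasklist and netstat steps above can be combined into one loop. This is an added example, not code from the original post: it lists the processes that currently have icmp.dll or iphlpapi.dll loaded (icmp.dll first, since iphlpapi.dll is loaded by many processes that never send ICMP), then prints the increase in the ICMP "Sent" counter from netstat -s -p icmp at each interval, so that when you suspend a candidate in Process Explorer or with pssuspend you can see whether the rate drops to zero. It assumes an elevated session (otherwise modules of services are not readable) and English netstat output; the function names are my own.

```powershell
# Added example (not from the original post). Generalises "tasklist /M" plus
# "netstat -s -p icmp" into one loop: list candidate processes, then watch the
# ICMP Sent counter while you suspend candidates one at a time.

function Get-IcmpCandidateProcesses {
    # Processes with icmp.dll or iphlpapi.dll mapped. Reading another process's
    # module list needs equal or higher privilege, so run elevated to see services.
    param([string[]]$Modules = @('icmp.dll', 'iphlpapi.dll'))
    foreach ($p in Get-Process) {
        try {
            $loaded = @($p.Modules | Where-Object { $Modules -contains $_.ModuleName.ToLower() })
        } catch {
            continue   # access denied (protected or higher-privileged process)
        }
        if ($loaded.Count -gt 0) {
            [pscustomobject]@{
                Pid     = $p.Id
                Name    = $p.ProcessName
                Modules = ($loaded.ModuleName | Sort-Object -Unique) -join ', '
                Path    = $p.Path
            }
        }
    }
}

function Get-IcmpSentCount {
    # Parses the "Messages   <received>   <sent>" line of "netstat -s -p icmp"
    # (English output assumed) and returns the cumulative Sent count.
    $pattern = '^\s*Messages\s+(\d+)\s+(\d+)\s*$'
    $line = netstat -s -p icmp | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $line) { throw 'Could not parse "netstat -s -p icmp" output' }
    $null = $line -match $pattern
    return [long]$Matches[2]
}

function Watch-IcmpSenders {
    # Prints the number of ICMP messages sent per interval. Suspend one candidate
    # between intervals and note which suspension drives the number to zero.
    param([int]$IntervalSeconds = 5, [int]$Samples = 12)

    $candidates = Get-IcmpCandidateProcesses
    Write-Host 'Candidates with icmp.dll / iphlpapi.dll loaded (icmp.dll users first):'
    $candidates | Sort-Object { $_.Modules -notmatch 'icmp\.dll' }, Name |
        Format-Table Pid, Name, Modules -AutoSize | Out-String | Write-Host

    $last = Get-IcmpSentCount
    for ($i = 0; $i -lt $Samples; $i++) {
        Start-Sleep -Seconds $IntervalSeconds
        $now = Get-IcmpSentCount
        '{0:HH:mm:ss}  ICMP messages sent in last {1}s: {2}' -f (Get-Date), $IntervalSeconds, ($now - $last)
        $last = $now
    }
}

Watch-IcmpSenders
```

The Sent column counts every ICMPv4 message the stack emits, including Destination Unreachable replies the system generates on its own, so a steady low count with no echo activity is not necessarily a process; compare it with the Echos row in the full netstat -s -p icmp output if in doubt.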

3. Netsh command to do a low-level capture of network traffic

You can use the built-in ETL tracing available at the NDIS layer. All you need to do is start a new ETL packet capturing session. This method does not even require you to install any sniffing software (Network Monitor, Wireshark, etc.). You can use this option for general packet capturing on Windows 7 / Windows 2008 R2 as well:
netsh trace start capture=yes tracefile=c:\test\c1.etl

netsh trace stop

Microsoft Message Analyzer enables you to capture, display, and analyze protocol messaging traffic, and to trace and assess system events and other messages from Windows components; it is the tool to open the .etl file produced by netsh trace.
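The two netsh commands above capture everything on every interface until you stop them. The following is an added example, not code from the original post, that wraps them in a function which records only ICMP for a bounded time into a named .etl, caps the file size, and always stops the session even if the script is interrupted. It assumes an elevated PowerShell session and that the Protocol=ICMP capture-filter keyword is accepted by netsh trace on your host (check netsh trace show CaptureFilterHelp; drop the argument to capture everything); maxsize is in megabytes.

```powershell
# Added example (not from the original post). Requires an elevated prompt.
function Start-IcmpEtlCapture {
    param(
        [string]$TraceFile = 'C:\test\icmp.etl',   # constructed path, change to suit
        [int]$Seconds = 60,
        [int]$MaxSizeMB = 50
    )

    # Assumption: Protocol=ICMP restricts the NDIS capture to ICMP packets.
    # overwrite=yes replaces an older file of the same name instead of failing.
    netsh trace start capture=yes Protocol=ICMP maxsize=$MaxSizeMB overwrite=yes tracefile=$TraceFile
    try {
        Write-Host "Capturing ICMP for $Seconds seconds into $TraceFile ..."
        Start-Sleep -Seconds $Seconds
    } finally {
        # Runs on Ctrl+C as well, so a session is never left open.
        netsh trace stop
    }
    Get-Item $TraceFile
}

Start-IcmpEtlCapture
```

Open the resulting .etl in Message Analyzer and filter on ICMP; the packet timestamps can then be lined up with the process candidates from the tasklist or counter-watching steps above, since the NDIS capture itself records packets, not the sending process.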
