How to determine which process is sending UDP packets once per hour?
You can easily accomplish this with SysInternals' Process Monitor. Run it as Administrator, then configure it as follows:
- On the Filter menu click Filter...
- In the first drop down box, select Operation. Select Is for the match condition, then in the blank drop-down box select UDP Send, then click Add.
- Again, in the first drop-down box, select Path. Select Contains for the match condition, then enter your destination IP address in the free-text drop-down, then click Add.
- Click OK to activate the new filter.
- Let Process Monitor run until it finds matching traffic.
- Right-click on any matching entry and choose Properties, then click the Process tab to view the process associated with the outbound UDP traffic.
Related videos on Youtube
10 : 38
12 : 43
33 : 29
05 : 09
14 : 27
05 : 24
02 : 26
fdmillion
Updated on September 18, 2022Comments
-
fdmillion over 1 year
I was doing a packet capture as part of a development project and saw some odd traffic coming from my machine in the capture file.
About every 3600 seconds, a NAT-PMP request is being sent to the IP "1.1.168.192". (Kind of amusing, looks like something got the endianness wrong.)
I'm concerned the machine could potentially have malware, but malware scans report nothing.
I started a packet capture filtering out only the NAT-PMP packets in question, and the packets are going out almost every hour, but not reliably every hour.
Wireshark itself can't tell me which process is sending the packets. TCPView could work, but I'd have to make sure I'm at the machine almost exactly when the packets go out, because the list doesn't retain closed or inactive connections for very long. With the packets not reliably going out every single hour, that's a frustrating proposition.
Suggestions on how to figure out which process is sending these packets at a wide interval?
-
joeqwerty about 7 yearsMicrosoft Network Monitor (deprecated but still very useful) or Microsoft Message Analyzer (complex and not easy to pick up on for a first time user) can both show the process responsible for the traffic. My preference is to use Microsoft Network Monitor because it's simple to use and easy to interpret the results. Start a capture and let it run until the suspect traffic occurs (filter by ip address and/or port). Then look at the process responsible for the traffic.
-
-
satoc over 3 yearsOptions > "Show Resolved Network Address" might have an effect on what is filtered in Path text. When you are searching with an IP address, you don't want resolved FQDN in Path, I guess.
