Add a comment to each packet containing the process id (PID) #15

Merged: 6 commits, Jan 5, 2020

Conversation

DidierStevens commented Dec 29, 2019

Added code to add a comment with the process id (PID) to each packet.

https://twitter.com/DidierStevens/status/1211035501920210946

Maybe introduce a command-line option for this.

maolson-msft left a comment

Thanks for this contribution! I've added comments requesting minor changes to the code, but I have a bigger concern: besides the obvious issue of PIDs being valid only while the process is still around (which most people should understand intuitively), there's a less intuitive problem: inbound packets, and frequently also outbound packets, will be traced in DPCs which run in arbitrary process context. This means the recorded PID will be misleading as often or more often than it is enlightening. Can you tell me how you've made use of this feature?

DidierStevens commented Jan 3, 2020

Thanks for the review.

I use it for dynamic malware analysis: run the malware in a VM while doing netsh capture.
Then I use Message Analyzer, which displays the PID (and also TID).
While preparing a diary entry for SANS ISC's diary, I noticed that Message Analyzer is discontinued, and no longer available for download.
Did some more searching for alternative solutions, and found etl2pcapng.
Worked very well, but missed the PID, so adapted source code.

When performing dynamic malware analysis, it can sometimes be difficult to distinguish network traffic from Windows services & processes, and network traffic from the malware sample. Having the PID of the malware sample makes it far easier, even when this information is far from 100% reliable.

Often the network traffic from a malware sample is TCP, and then just a single packet with the PID of the malware is enough in Wireshark, as I can then filter on the TCP stream number and have the complete TCP stream, even if not all TCP packets of this stream have the correct PID.

As I suggested in my PR, you can also make this optional. Introduce a command-line flag to include the PID as a comment or not.
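As an added example (not code from this PR or from etl2pcapng itself), the Python below walks a pcapng file block by block, verifies each block's framing, and pulls the PID out of every Enhanced Packet Block's opt_comment so an analyst can group packets by process, as the workflow described above does. It assumes the comment is written as `PID=<n>` (an assumption; adjust the pattern if the tool writes a different text) and builds its own small constructed capture instead of reading a real file.

```python
import re
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
PID_RE = re.compile(r"PID=(\d+)")  # assumed "PID=<n>" comment text; adjust if the tool differs

def _pad4(n):
    return (n + 3) & ~3

def _option(code, value):  # u16 code, u16 length, value padded to a 4-byte boundary
    return struct.pack("<HH", code, len(value)) + value.ljust(_pad4(len(value)), b"\0")

def _block(btype, body):
    total = 12 + len(body)  # type + length + body + trailing length copy
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def build_sample(pid_per_packet):
    """Constructed pcapng: SHB, one IDB, then one EPB per entry (None = no PID comment)."""
    out = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1) + _option(0, b""))
    out += _block(IDB, struct.pack("<HHI", 1, 0, 65535) + _option(0, b""))
    for i, pid in enumerate(pid_per_packet):
        data = (b"\xaa" * (14 + i)).ljust(_pad4(14 + i), b"\0")  # dummy frame, padded
        body = struct.pack("<IIIII", 0, 0, i, 14 + i, 14 + i) + data
        body += _option(1, f"PID={pid}".encode()) if pid is not None else b""
        out += _block(EPB, body + _option(0, b""))
    return out

def pids_per_packet(buf):
    """Walk the blocks, verify framing, and map EPB index -> PID from opt_comment (or None)."""
    off, result = 0, {}
    while off + 12 <= len(buf):
        btype, total = struct.unpack_from("<II", buf, off)
        if total < 12 or total % 4 or off + total > len(buf) \
                or struct.unpack_from("<I", buf, off + total - 4)[0] != total:
            raise ValueError(f"malformed block at offset {off}")
        if btype == EPB:
            caplen = struct.unpack_from("<I", buf, off + 20)[0]
            opt, pid = off + 28 + _pad4(caplen), None  # options follow the padded frame data
            while opt + 4 <= off + total - 4:  # stop before the trailing length copy
                code, olen = struct.unpack_from("<HH", buf, opt)
                if code == 0:  # opt_endofopt
                    break
                if code == 1:  # opt_comment
                    m = PID_RE.search(buf[opt + 4:opt + 4 + olen].decode("utf-8", "replace"))
                    pid = int(m.group(1)) if m else pid
                opt += 4 + _pad4(olen)
            result[len(result)] = pid
        off += total
    return result
```

Because packets traced in DPC context can carry an unrelated PID, treat the per-packet value as a pivot (for instance to locate the TCP stream to follow) rather than as ground truth.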

maolson-msft commented Jan 3, 2020

Sounds good to me! Make those minor changes and then let’s merge it. I don’t think we need to add a command line option for it.

DidierStevens commented Jan 5, 2020

I pushed the changes, and I also retested before pushing.

@maolson-msft maolson-msft merged commit d5de9d1 into microsoft:master Jan 5, 2020