How to capture outbound DNS requests with PID

Networking/Security Forums -> Computer Forensics and Incident Response

Author: Maxhavoc Posted: Fri Sep 19, 2008 5:09 pm    Post subject: How to capture outbound DNS requests with PID
    ----
I'm seeing lots of hosts on my network sending outbound DNS requests to 8800.com and 3322.org. These are fairly well known malicious sites and are blocked by about three different security appliances at my company, but I want to know what process or application keeps making these requests.

Packet capture apps like Wireshark will see the DNS requests but can't tie them to a process. Socket monitors like Sysinternals TCPView don't see the DNS requests at all, but could tie them to a process if they did.

So my question is, what software can I use that will monitor ALL incoming and outgoing connections and be able to associate a process with it?

Thanks for the help.

Author: ashu.wifi Location: Heaven Posted: Fri Sep 19, 2008 10:09 pm    Post subject:
    ----
Simply use Network Monitor in Win2k3 and select DNS as the protocol, but this will only work if this server is the gateway for all internet users.

Author: Maxhavoc Posted: Mon Sep 22, 2008 3:56 pm    Post subject:
    ----
Network Monitor is just like Wireshark: it will capture the packets, but it will not give me the PID of the process that made the DNS request.
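Maxhavoc's question (which PID is behind each outbound DNS query) is what Sysmon's Event ID 22 (DnsEvent) answers on current Windows: every logged lookup carries ProcessId, Image and QueryName together. The Python below is an added example, not code from the thread; it parses a constructed Sysmon 22 record in exported-XML form and flags lookups for the two domains named in the first post. It assumes Sysmon is deployed with DNS query logging enabled and the events are exported as XML.

```python
import xml.etree.ElementTree as ET

# Sysmon Event ID 22 (DnsEvent) records the querying process with each DNS
# lookup, which is the PID-to-query link the thread is missing. Constructed
# sample event in the XML layout Sysmon writes; not a real capture.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"/>
    <EventID>22</EventID>
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2008-09-19 15:01:22.123</Data>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="ProcessId">1234</Data>
    <Data Name="QueryName">update.3322.org</Data>
    <Data Name="QueryStatus">0</Data>
    <Data Name="QueryResults">::ffff:192.0.2.10;</Data>
    <Data Name="Image">C:\\Windows\\Temp\\svchost.exe</Data>
  </EventData>
</Event>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Domains from the original post; matched as the domain itself or any subdomain.
WATCHLIST = ("8800.com", "3322.org")

def parse_dns_event(xml_text):
    """Return (pid, image, query) from a Sysmon Event ID 22 record, or None if it is another event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "22":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return int(data["ProcessId"]), data["Image"], data["QueryName"].lower().rstrip(".")

def is_watchlisted(query, watchlist=WATCHLIST):
    """Suffix match on label boundaries, so 'evil8800.com' does not match '8800.com'."""
    return any(query == d or query.endswith("." + d) for d in watchlist)

def triage(events):
    """Map each watchlisted query to the PID and image that issued it."""
    hits = []
    for xml_text in events:
        parsed = parse_dns_event(xml_text)
        if parsed and is_watchlisted(parsed[2]):
            hits.append(parsed)
    return hits

if __name__ == "__main__":
    for pid, image, query in triage([SAMPLE_EVENT_XML]):
        print(f"PID {pid} ({image}) queried {query}")
```

Because Sysmon records the process at the moment of the lookup, this works even for the short-lived UDP sockets that a polling socket monitor like TCPView never sees.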
