isolate application and check what packets it is sending over the internet

I am not sure that this sort of question is appropriate here, so forgive me if I'm wrong.

Here is the problem: I want to see what a specific program is sending to the internet, but the thing is that on the computer there are lots of applications and services which are using the internet. So it is impossible to figure out what packets were sent by the app I am interested in.

One way is to try to close all other applications, but this is impossible.

So is there a way to isolate a specific application? I am working on Windows 7 and capturing packets with Wireshark.


Given that you are using Wireshark, your port numbers aren't automatically resolved to an application name, so you will need to do a little more to refine the information you are looking for. Every application using TCP/IP to communicate across a network will be using ports, so that the network stack knows where to deliver segments (I like to call it an application address).

Clients connecting to a server application on a specific port will be dynamically allocated a port number from a dynamic range. So you first need to find out what TCP/UDP connections your application has open:

netstat -b

at the command line will give you a list of connections with the name of the executable that created the connection. Each executable has one or more connections listed as 127.0.0.1:xxxxx, where xxxxx is the local port number for the connection.

Now in Wireshark, you need to tell it to display packets that originated from or are destined to that port by using one or more of these filters:

tcp.port == xxxxx or udp.port == xxxxx

Add an additional or tcp.port == xxxxx for each connection you want to show.

This will allow you to see all the traffic for the connections your application has open, and Wireshark will not include just raw TCP/UDP segments but will also include the various application-layer protocols (e.g. HTTP) that used those port numbers.

If your application appears to be communicating with just one server, you could just use the IP address of that server to filter by:

ip.addr == x.x.x.x

If you use Process Monitor from Microsoft, you can change the filters to show only network communications from specific processes. It doesn't give you the contents of the packets, but it does show what hosts the app is talking to.
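As an added example, not part of the answer above, the following Python script parses the netstat -b output format that the answer relies on (connection line followed by the owning executable in square brackets) and assembles the tcp.port/udp.port display filter, or alternatively the ip.addr filter, for one executable; the sample netstat output, the executable names and the addresses in it are constructed.

```python
import re

# Constructed sample of Windows `netstat -b` output: each connection line is
# followed by the owning executable in square brackets on the next line.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:49712     93.184.216.34:443      ESTABLISHED
 [myapp.exe]
  TCP    192.168.1.10:49713     93.184.216.34:443      ESTABLISHED
 [myapp.exe]
  TCP    192.168.1.10:49720     203.0.113.5:80         ESTABLISHED
 [chrome.exe]
  UDP    192.168.1.10:55001     *:*
 [myapp.exe]
"""

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)")
EXE_RE = re.compile(r"^\s*\[(.+?)\]\s*$")

def parse_netstat_b(text):
    """Return (proto, local_port, remote_host, exe) for each attributed connection."""
    entries, pending = [], None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            pending = (m.group(1).lower(), int(m.group(3)), m.group(4))
        elif line.strip().startswith("Can not obtain"):
            pending = None  # netstat could not attribute this connection
        else:
            m = EXE_RE.match(line)
            if m and pending:
                entries.append(pending + (m.group(1),))
                pending = None
    return entries

def wireshark_filter(entries, exe, by_host=False):
    """Display filter covering every connection owned by `exe` (case-insensitive).
    Default: tcp.port/udp.port clauses; by_host=True: ip.addr clauses instead."""
    clauses = {}  # dict keeps insertion order and de-duplicates repeated clauses
    for proto, port, host, owner in entries:
        if owner.lower() != exe.lower():
            continue
        if not by_host:
            clauses[f"{proto}.port == {port}"] = None
        elif host != "*":  # a UDP "*:*" entry has no peer host to filter on
            clauses[f"ip.addr == {host}"] = None
    return " or ".join(clauses)
```

Dynamic ports are reassigned each time the application reconnects, so re-run netstat and rebuild the filter after restarting it.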