Full Version: How do i locate the source of a sent packet?
B.I.S.S. Forums > Internet Security Forum > Internet Security Discussion
Siv
What would be the easiest way to find the responsible Xware,
when all I know is the destination IP?
Aaron.Walkhouse
That would depend on which OS you have. Such software is probably available for all of them and you probably have it already.
Siv
QUOTE (Aaron.Walkhouse @ Jul 14 2007, 06:30 PM)
That would depend on which OS you have.


WinXP - SP2

thanks
Aaron.Walkhouse
Yeah, you have it already. Any typical third party (non-M$) firewall would do it too.

Start with netstat. It's a command line utility. Open a command line window and:

netstat -a -n -o


You'll get a list like this:
CODE
C:\Documents and Settings\Aaron>netstat -a -n -o

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       964
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:1032           0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:1034           0.0.0.0:0              LISTENING       392
  TCP    0.0.0.0:1035           0.0.0.0:0              LISTENING       1524
  TCP    0.0.0.0:1037           0.0.0.0:0              LISTENING       1524
  TCP    0.0.0.0:1039           0.0.0.0:0              LISTENING       392
  TCP    0.0.0.0:1041           0.0.0.0:0              LISTENING       1448
  TCP    0.0.0.0:1042           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3021           0.0.0.0:0              LISTENING       1448
  TCP    0.0.0.0:3023           0.0.0.0:0              LISTENING       3164
  TCP    0.0.0.0:3024           0.0.0.0:0              LISTENING       3164
  TCP    0.0.0.0:3025           0.0.0.0:0              LISTENING       3164
  TCP    0.0.0.0:3030           0.0.0.0:0              LISTENING       3804
  TCP    0.0.0.0:3132           0.0.0.0:0              LISTENING       3804
  TCP    0.0.0.0:3367           0.0.0.0:0              LISTENING       3804
  TCP    0.0.0.0:3371           0.0.0.0:0              LISTENING       3792
  TCP    0.0.0.0:3381           0.0.0.0:0              LISTENING       3476
  TCP    0.0.0.0:3486           0.0.0.0:0              LISTENING       3804
  TCP    0.0.0.0:3634           0.0.0.0:0              LISTENING       3804
  TCP    0.0.0.0:3784           0.0.0.0:0              LISTENING       3804
  TCP    0.0.0.0:3800           0.0.0.0:0              LISTENING       3804
  TCP    0.0.0.0:3814           0.0.0.0:0              LISTENING       3804
  TCP    0.0.0.0:3837           0.0.0.0:0              LISTENING       3804
  TCP    0.0.0.0:3840           0.0.0.0:0              LISTENING       3804
  TCP    0.0.0.0:3868           0.0.0.0:0              LISTENING       2680
  TCP    0.0.0.0:3900           0.0.0.0:0              LISTENING       3804
  TCP    0.0.0.0:3901           0.0.0.0:0              LISTENING       2680
  TCP    0.0.0.0:4033           0.0.0.0:0              LISTENING       2196
  TCP    0.0.0.0:4077           0.0.0.0:0              LISTENING       3804
  TCP    0.0.0.0:4126           0.0.0.0:0              LISTENING       3804
  TCP    0.0.0.0:4160           0.0.0.0:0              LISTENING       3804
  TCP    0.0.0.0:4171           0.0.0.0:0              LISTENING       3804
  TCP    0.0.0.0:4273           0.0.0.0:0              LISTENING       3804
  TCP    0.0.0.0:4348           0.0.0.0:0              LISTENING       3804
  TCP    0.0.0.0:4436           0.0.0.0:0              LISTENING       3804
  TCP    0.0.0.0:4462           0.0.0.0:0              LISTENING       3948
  TCP    0.0.0.0:4464           0.0.0.0:0              LISTENING       3948
  TCP    0.0.0.0:4768           0.0.0.0:0              LISTENING       3804
  TCP    0.0.0.0:4881           0.0.0.0:0              LISTENING       1448
  TCP    0.0.0.0:4954           0.0.0.0:0              LISTENING       3804
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING       1688
  TCP    0.0.0.0:31038          0.0.0.0:0              LISTENING       1964
  TCP    0.0.0.0:44334          0.0.0.0:0              LISTENING       392
  TCP    0.0.0.0:44501          0.0.0.0:0              LISTENING       392
  TCP    n.n.n.n:3367    70.95.53.237:9217      ESTABLISHED     3804
  TCP    n.n.n.n:3784    81.151.61.48:7386      SYN_SENT        3804
  TCP    n.n.n.n:3814    24.30.235.75:14209     ESTABLISHED     3804
  TCP    n.n.n.n:3837    24.71.114.166:10397    ESTABLISHED     3804
  TCP    n.n.n.n:3840    71.146.112.236:36856   ESTABLISHED     3804
  TCP    n.n.n.n:4126    69.204.121.24:7461     ESTABLISHED     3804
  TCP    n.n.n.n:4160    77.91.45.244:6348      ESTABLISHED     3804
  TCP    n.n.n.n:4171    71.87.202.11:27514     ESTABLISHED     3804
  TCP    n.n.n.n:4348    70.255.172.32:47999    FIN_WAIT_1      3804
  TCP    n.n.n.n:4436    24.105.204.98:47017    ESTABLISHED     3804
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING       1448
  TCP    127.0.0.1:1026         127.0.0.1:1041         ESTABLISHED     1448
  TCP    127.0.0.1:1026         127.0.0.1:3021         ESTABLISHED     1448
  TCP    127.0.0.1:1026         127.0.0.1:3023         ESTABLISHED     1448
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       1448
  TCP    127.0.0.1:1028         127.0.0.1:3024         ESTABLISHED     1448
  TCP    127.0.0.1:1029         127.0.0.1:44334        ESTABLISHED     924
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING       1448
  TCP    127.0.0.1:1031         127.0.0.1:3025         ESTABLISHED     1448
  TCP    127.0.0.1:1032         127.0.0.1:1034         ESTABLISHED     924
  TCP    127.0.0.1:1034         127.0.0.1:1032         ESTABLISHED     392
  TCP    127.0.0.1:1035         127.0.0.1:44334        ESTABLISHED     1524
  TCP    127.0.0.1:1037         127.0.0.1:1039         ESTABLISHED     1524
  TCP    127.0.0.1:1039         127.0.0.1:1037         ESTABLISHED     392
  TCP    127.0.0.1:1041         127.0.0.1:1026         ESTABLISHED     1448
  TCP    127.0.0.1:3001         0.0.0.0:0              LISTENING       1644
  TCP    127.0.0.1:3002         0.0.0.0:0              LISTENING       964
  TCP    127.0.0.1:3003         0.0.0.0:0              LISTENING       964
  TCP    127.0.0.1:3021         127.0.0.1:1026         ESTABLISHED     1448
  TCP    127.0.0.1:3022         0.0.0.0:0              LISTENING       3164
  TCP    127.0.0.1:3022         127.0.0.1:4881         ESTABLISHED     3164
  TCP    127.0.0.1:3023         127.0.0.1:1026         ESTABLISHED     3164
  TCP    127.0.0.1:3024         127.0.0.1:1028         ESTABLISHED     3164
  TCP    127.0.0.1:3025         127.0.0.1:1031         ESTABLISHED     3164
  TCP    127.0.0.1:3371         127.0.0.1:8001         ESTABLISHED     3792
  TCP    127.0.0.1:3867         0.0.0.0:0              LISTENING       2680
  TCP    127.0.0.1:3867         127.0.0.1:3868         ESTABLISHED     2680
  TCP    127.0.0.1:3868         127.0.0.1:3867         ESTABLISHED     2680
  TCP    127.0.0.1:4461         0.0.0.0:0              LISTENING       3948
  TCP    127.0.0.1:4461         127.0.0.1:4462         ESTABLISHED     3948
  TCP    127.0.0.1:4462         127.0.0.1:4461         ESTABLISHED     3948
  TCP    127.0.0.1:4463         0.0.0.0:0              LISTENING       3948
  TCP    127.0.0.1:4463         127.0.0.1:4464         ESTABLISHED     3948
  TCP    127.0.0.1:4464         127.0.0.1:4463         ESTABLISHED     3948
  TCP    127.0.0.1:4881         127.0.0.1:3022         ESTABLISHED     1448
  TCP    127.0.0.1:8001         0.0.0.0:0              LISTENING       1688
  TCP    127.0.0.1:8001         127.0.0.1:3371         ESTABLISHED     1688
  TCP    127.0.0.1:10025        0.0.0.0:0              LISTENING       1832
  TCP    127.0.0.1:10110        0.0.0.0:0              LISTENING       1832
  TCP    127.0.0.1:44334        127.0.0.1:1029         ESTABLISHED     392
  TCP    127.0.0.1:44334        127.0.0.1:1035         ESTABLISHED     392
  TCP    192.168.1.9:139        0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:1030           *:*                                    924
  UDP    0.0.0.0:1033           *:*                                    924
  UDP    0.0.0.0:1036           *:*                                    1524
  UDP    0.0.0.0:1038           *:*                                    1524
  UDP    0.0.0.0:3004           *:*                                    964
  UDP    0.0.0.0:44334          *:*                                    392
  UDP    n.n.n.n:123     *:*                                    964
  UDP    n.n.n.n:137     *:*                                    4
  UDP    n.n.n.n:138     *:*                                    4
  UDP    n.n.n.n:520     *:*                                    964
  UDP    127.0.0.1:123          *:*                                    964
  UDP    127.0.0.1:3005         *:*                                    964
  UDP    127.0.0.1:3027         *:*                                    3804
  UDP    127.0.0.1:9473         *:*                                    556
  UDP    192.168.1.9:53         *:*                                    964
  UDP    192.168.1.9:123        *:*                                    964
  UDP    192.168.1.9:137        *:*                                    4
  UDP    192.168.1.9:138        *:*                                    4
  UDP    192.168.1.9:520        *:*                                    964


The PID column identifies your program. Now you can hit Control-Alt-Delete to open
the Task Manager, switch to the Processes tab and find that number in the PID column too.
(If you can't see that column, go to the View menu, then Select Columns.)
Siv
Thank you, Aaron

I tried your suggestion but it doesn't help much because:
1. I run Protowall which blocks the packets before they get to the firewall (external hardware fw)
2. The suspicious packets are sent once in a while - always behind my back...
so, it seems like unless I run netstat at the very second they are sent, the destination IP does not show on that netstat report.

Any idea what else I can do? (I prefer not to disable PW)

Thanks
Aaron.Walkhouse
Then get a decent firewall and make a rule to stop this kind of thing, as well as log it. That firewall will find it for you.
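Added example, not from anyone in this thread: a small Python script that parses `netstat -a -n -o` output and returns the PID(s) talking to a given destination IP (Aaron's PID-to-Task-Manager step), and, for Siv's intermittent-packet problem, diffs repeated snapshots so a connection that lives only a second is still recorded with its PID. The sample output, the 192.168.1.9 local address and the function names are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample in the shape of `netstat -a -n -o` on Windows XP (not a real capture).
SAMPLE = """Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.9:3367       70.95.53.237:9217      ESTABLISHED     3804
  TCP    192.168.1.9:3784       81.151.61.48:7386      SYN_SENT        3804
  UDP    192.168.1.9:137        *:*                                    4
"""

# Proto, local, foreign, optional state (UDP rows have none), PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Rows of `netstat -a -n -o` output; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        host, _, port = foreign.rpartition(":")  # also splits "[::1]:80"
        rows.append({"proto": proto, "local": local, "foreign_ip": host,
                     "foreign_port": port, "state": state or "", "pid": pid})
    return rows


def pids_for_destination(text: str, dest_ip: str) -> List[str]:
    """PIDs owning a socket whose foreign address is dest_ip; that PID is
    what you then look up in Task Manager's PID column."""
    return sorted({r["pid"] for r in parse_netstat(text) if r["foreign_ip"] == dest_ip})


def new_endpoints(snapshots: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Diff successive snapshots and log each (proto, foreign, pid) the first
    time it appears, so a short-lived connection is still caught.
    Listeners (foreign 0.0.0.0:0 or *:*) are ignored."""
    seen: Set[Tuple[str, str, str]] = set()
    log = []
    for snap in snapshots:
        for r in parse_netstat(snap):
            if r["foreign_ip"] in ("0.0.0.0", "*"):
                continue
            key = (r["proto"], r["foreign_ip"] + ":" + r["foreign_port"], r["pid"])
            if key not in seen:
                seen.add(key)
                log.append(key)
    return log
```

Feed new_endpoints() the text of `netstat -a -n -o` captured every second or so; it is a stopgap, and a firewall that logs with the process name, as Aaron says, is the more reliable record.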