# dns look-up and port-to-process methods

This topic is 4320 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

## Recommended Posts

I'm trying to write a small traffic observer on the local system - basically just to get up to speed with Winsock to ready myself to write a working WAN simulator. In the process I got somewhat interested in some of the traffic that's going on on my computer, so I made a little detour and started to expand on the traffic observer. I've run into some questions, though. 1. gethostbyaddr() fails for some IP -> address look-ups, such as 64.233.183.103 (www.google.com) - is that because of the quality of the DNS server? If not, then why? 2. port scanning can be used to determine which port is listening on a given computer. That information isn't quite enough for resolving a port to a process id. I've read up on the issue a little and it seems there's no truly reliable way of doing this, so what I'd like to do is a brute-force method for those processes that can actually be opened. Code injection seems to be the next possibility - I don't want to do that. DiamondCS with its PortExplorer seems to've worked out a few methods to resolve open ports to processes fast and effectively, but they're also holding on to their little secrets. Thus, brute force is the way to go for me. The problem is, I can't find any information on how it's actually done. How is the connection made between a port and a process? I assume the first step is port scanning (although knowing the ports, it's a little more reasonable to do a reverse lookup from the list of ports that are known to be open). Cheers

##### Share on other sites
You can check Sysinternals site for tcpview. Although they don't give you TCPView source code they provide it for the commandline version (netstatp) which output the process map to a ip endpoint

TCPView utility On Sysinternals

##### Share on other sites
For commands, "netstat -nao" on Windows, and "netstat -nap" on UNIX will tell you what process owns what endpoint.

If you really want to know how to do this, then either read the source for netstat (if you're on UNIX -- likely gropes around /proc) or disassemble the netstat binary on Windows.

##### Share on other sites
Should look at WireShark too.
Source code available.

Under windows, WireShark (previously known as Ethereal) uses WinPcap to get data from the sockets.

##### Share on other sites
Well. Silly me, hoping for a nice snippet-like example... There's nothing more annoying than getting side-tracked and having to do rigorous research to get things working that are only remotely related to your primary goal. Ahh - I suppose I should hate myself for it...

As far as port-to-process mapping goes, I'd be content with a description of what to do - I think I could write the code myself. The problem is, there isn't much on this on the web.

Apparently it's the same for implementing a custom digital signature validator - there's just no simple way; you have to go through a heap of documentation and get mangled up in all the non-essentials before you can get something working.

Sigh, I say. Sigh!

##### Share on other sites
Okay - my previous post was rash-ish: netstatp's source code provides exactly what I need with a very small code surplus. Yay! And thanks!

That leaves the first question, though. Why can't some IP's be resolved to their respective addresses (Google [64.233.183.103] is a prime example)?

##### Share on other sites
A related question - can windows DLL's be redistributed freely (for hatever sick occasion they might not be present on a target system)? More specifically, IpHlpAPI.dll. And why does MSDN say it should only work on Vista, but at least portions of it run just fine on my XP. Furthermore, with the DLL being redistributed with the exe, can it be presumed to work on Windows 2000?

##### Share on other sites
Quote:
 Why can't some IP's be resolved to their respective addresses

Probably because they haven't bothered setting up reverse DNS mapping. For each a.b.c.d A record, there's supposed to be a d.c.b.a.ip-addr.arpa PTR record that does the reverse. However, not everyone actually sets this up.

Quote:
 can windows DLL's be redistributed freely

That depends on the DLL. The re-distributable DLLs are listed on various parts of the Microsoft web site. Only if it is explicitly redistributable (with an SDK license, etc), can you actually redistribute it, and you must comply with any conditions (such as using microsoft installer, etc).

If a DLL is intended to work on Windows Vista only, and "happens" to work on XP, I would not assume that it'll work on Win2k.

However, at least certain functions in the iphlpapi.dll have the following description on MSDN:
Quote:
 Requires Windows Vista, Windows XP, Windows 2000 Professional, Windows NT Workstation 4.0 SP4 and later, Windows Me, or Windows 98.

Which seems to indicate support is widespread. Check the function in question.

Last, there is a special networking improvement for Windows XP, called the "advanced networking pack" (which adds IPv6, among other things). Read more about it In the Microsoft Knowledgebase.

##### Share on other sites
The function in question is AllocateAndGetTcpExTableFromStack.

Notice that:

RequirementsClient 	        Requires Windows Vista.Server 	        Requires Windows Server "Longhorn".Header 	        Iphlpapi.h.Library 	Iphlpapi.lib.DLL 	        Iphlpapi.dll.

Works like candy on my XP.

edit:

"Probably because they haven't bothered setting up reverse DNS mapping. For each a.b.c.d A record, there's supposed to be a d.c.b.a.ip-addr.arpa PTR record that does the reverse. However, not everyone actually sets this up."

So that still means that my default DNS is no good and that by querying some other DNS I might get the resolved address? This prompts two questions:

1) is there any way to specify a DNS server for a single query in WinSock?
2) is there a list of the "most reliable"/complete DNS servers on the web?

[Edited by - irreversible on August 20, 2006 8:32:35 AM]

• 40
• 12
• 10
• 10
• 9
• ### Forum Statistics

• Total Topics
631368
• Total Posts
2999595
×