I'm trying to write a small traffic observer on the local system - basically just to get up to speed with Winsock to ready myself to write a working WAN simulator. In the process I got somewhat interested in some of the traffic that's going on on my computer, so I made a little detour and started to expand on the traffic observer. I've run into some questions, though. 1. gethostbyaddr() fails for some IP -> address look-ups, such as 64.233.183.103 (www.google.com) - is that because of the quality of the DNS server? If not, then why? 2. port scanning can be used to determine which port is listening on a given computer. That information isn't quite enough for resolving a port to a process id. I've read up on the issue a little and it seems there's no truly reliable way of doing this, so what I'd like to do is a brute-force method for those processes that can actually be opened. Code injection seems to be the next possibility - I don't want to do that. DiamondCS with its PortExplorer seems to've worked out a few methods to resolve open ports to processes fast and effectively, but they're also holding on to their little secrets. Thus, brute force is the way to go for me. The problem is, I can't find any information on how it's actually done. How is the connection made between a port and a process? I assume the first step is port scanning (although knowing the ports, it's a little more reasonable to do a reverse lookup from the list of ports that are known to be open). Cheers

You can check Sysinternals site for tcpview. Although they don't give you TCPView source code they provide it for the commandline version (netstatp) which output the process map to a ip endpoint

TCPView utility On Sysinternals

or download netstatp source code as previously posted :)

Well. Silly me, hoping for a nice snippet-like example... There's nothing more annoying than getting side-tracked and having to do rigorous research to get things working that are only remotely related to your primary goal. Ahh - I suppose I should hate myself for it...

As far as port-to-process mapping goes, I'd be content with a description of what to do - I think I could write the code myself. The problem is, there isn't much on this on the web.

Apparently it's the same for implementing a custom digital signature validator - there's just no simple way; you have to go through a heap of documentation and get mangled up in all the non-essentials before you can get something working.

Sigh, I say. Sigh!

Okay - my previous post was rash-ish: netstatp's source code provides exactly what I need with a very small code surplus. Yay! And thanks!

That leaves the first question, though. Why can't some IP's be resolved to their respective addresses (Google [64.233.183.103] is a prime example)?

A related question - can windows DLL's be redistributed freely (for hatever sick occasion they might not be present on a target system)? More specifically, IpHlpAPI.dll. And why does MSDN say it should only work on Vista, but at least portions of it run just fine on my XP. Furthermore, with the DLL being redistributed with the exe, can it be presumed to work on Windows 2000?

The function in question is AllocateAndGetTcpExTableFromStack.

Notice that:

RequirementsClient 	        Requires Windows Vista.Server 	        Requires Windows Server "Longhorn".Header 	        Iphlpapi.h.Library 	Iphlpapi.lib.DLL 	        Iphlpapi.dll.

Works like candy on my XP.

edit:

"Probably because they haven't bothered setting up reverse DNS mapping. For each a.b.c.d A record, there's supposed to be a d.c.b.a.ip-addr.arpa PTR record that does the reverse. However, not everyone actually sets this up."

So that still means that my default DNS is no good and that by querying some other DNS I might get the resolved address? This prompts two questions:

1) is there any way to specify a DNS server for a single query in WinSock?
2) is there a list of the "most reliable"/complete DNS servers on the web?

[Edited by - irreversible on August 20, 2006 8:32:35 AM]