Can I get the application name which initiates the internet request using the inspect sample?

  • Question

  • Hi,
     I read through the source code of inspect, and I can capture the connection when a new connect request happens.
    But I want to make sure whether I can identify where the connection is from: is it an IE request, an MSN request, or a request from my FTP client?
    So I think analyzing only the 4-tuple of the packet is not enough; I want to get the application name, e.g., "iexplore.exe" or "msnmsgr.exe".
    So what can I do? Can you show me some clues?
    Thanks in advance.

    programmer
    Thursday, November 12, 2009 5:40 AM

Answers

  • Application IDs are classified at the ALE_AUTH_CONNECT and ALE_AUTH_RECV_ACCEPT layers.

    For example the app id field for connect is FWPS_FIELD_ALE_AUTH_CONNECT_V{4|6}_ALE_APP_ID. It is a byte blob containing the normalized device path to the executable image.

    You can review the "MSN Monitor" sample for more details.

    Thanks,
    Biao.W.
    Thursday, November 12, 2009 6:06 AM
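As an added example (not code from this thread or from the inspect/MSN Monitor samples): decoding the app-ID blob a callout receives into a device path and image name, in portable C. The `app_id_blob` struct is a stand-in for WFP's `FWP_BYTE_BLOB` so the code builds without the WDK, and the path is a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <wchar.h>

/* Stand-in for WFP's FWP_BYTE_BLOB (a size plus a data pointer), defined
   here only so the example builds in user mode without the WDK headers. */
typedef struct { uint32_t size; const uint8_t *data; } app_id_blob;
/* Decode an ALE app-ID blob (UTF-16LE device path, normally NUL-terminated)
   into out[]. Bounds the copy by blob->size rather than trusting the
   terminator, so an unterminated blob cannot run the read past the data. */
size_t app_id_to_path(const app_id_blob *blob, wchar_t *out, size_t out_len)
{
    size_t units = blob->size / 2, i;
    if (out_len == 0) return 0;
    for (i = 0; i < units && i + 1 < out_len; i++) {
        uint16_t cu = (uint16_t)(blob->data[2 * i] | (blob->data[2 * i + 1] << 8));
        if (cu == 0) break;                 /* terminator inside the blob */
        out[i] = (wchar_t)cu;
    }
    out[i] = L'\0';
    return i;                               /* characters written */
}

/* Image file name (e.g. "iexplore.exe") at the end of a device path. */
const wchar_t *image_basename(const wchar_t *path)
{
    const wchar_t *p = wcsrchr(path, L'\\');
    return p ? p + 1 : path;
}

/* Constructed sample: encode an ASCII path as UTF-16LE, with or without the
   2-byte NUL terminator, to stand in for the blob the kernel passes in. */
static uint32_t encode_utf16le(const char *s, int terminate, uint8_t *buf, size_t cap)
{
    uint32_t n = 0;
    for (; *s && n + 2 <= cap; s++) { buf[n++] = (uint8_t)*s; buf[n++] = 0; }
    if (terminate && n + 2 <= cap) { buf[n++] = 0; buf[n++] = 0; }
    return n;
}
/* Demo: decode a constructed Internet Explorer app-ID blob and return the image name. */
const wchar_t *demo_image_name(int terminated)
{
    static uint8_t raw[256];
    static wchar_t path[128];
    const char *sample = "\\device\\harddiskvolume1\\program files\\internet explorer\\iexplore.exe";
    app_id_blob blob = { encode_utf16le(sample, terminated, raw, sizeof raw), raw };
    app_id_to_path(&blob, path, sizeof path / sizeof path[0]);
    return image_basename(path);
}
```

In a real classifyFn the blob comes from `inFixedValues->incomingValue[FWPS_FIELD_ALE_AUTH_CONNECT_V4_ALE_APP_ID].value.byteBlob`; note that the value identifies the image path, not a verified publisher, so a copied or renamed binary carries a different path.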

All replies

  • Thanks, that helps a lot.
    programmer
    Thursday, November 12, 2009 8:03 AM