Socket Spy Behavior Question

Discussion in 'Port Explorer' started by Disciple, Nov 19, 2002.

Thread Status:
Not open for further replies.
  1. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    In making the switch from Atelier's AWPTA to Port Explorer, and in order to get a better feel for PE, I have a question about how Socket Spy functions. If the answer is in the help file please forgive me, for it did not catch my attention.

    Is it possible to spy on 2 or more processes/sockets at the same time? i.e. have say an IE process/socket and a process/socket for say svchost.exe in the list at the same time, and be able to switch between the 2. My reasoning is, to verify that a suspicious item is not using an established/allowed process/socket for communication.

    TIA for all answers.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Disciple,
    It is described very well in the Helpfile under "Advanced > Packet sniffing with socket spy", with screen shots and a lot of fine information I'm sure you'll enjoy reading and trying!
     
  3. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    This page (out of the helpfile in the Advanced section) should be of some interest - http://www.diamondcs.com.au/portexplorer/index.php?page=packetsniffer

    ... but to answer your question, yes - you can spy on individual sockets and processes, as many as you like, and yes, even at the same time. For example, you might want to spy on port 21 of your FTP client, but not any other ports - PE lets you easily do this. However, if you DO want to spy on the whole process and all of its sockets (including ones that are created later), then PE also lets you easily do this. I haven't got any hard numbers on hand at the moment, but you can basically add as many sockets and processes to the spy list as you like, and easily remove them later whenever you want with just a couple of mouse clicks.

    Best regards,
    Wayne
     
  4. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    Thanks Jooske and Wayne for your replies, and patience. I now know it's time for my eye exam, as I totally missed "socket(s)/process(es)" in the manual.
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    No, your mouse needs to learn the double click to open the book icon at the right page.
    In the Helpfile > Utilities > Socket Spy is a small introduction with links to that part.
    Glad you found it!
     
  6. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    The Hard Numbers:

    You can spy on up to 128 different process IDs at a time, combined with as many individual sockets as you want.

    So there is no limit on individual sockets, you can spy on each and every socket if you had 10000 of them.

    But only a maximum of 128 "whole" processes can be monitored at a time, if you understand what I mean? I could easily extend that to more though but I think 128 is enough :)
    -Jason-
     
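The two kinds of spy-list entry that Wayne and Jason describe (a whole process, which covers every socket it owns including ones opened later, versus one individual socket, with whole-process entries capped at 128 and socket entries unlimited) are easy to misread, so here is the selection logic modelled in plain Python. This is an added example written for this page, not Port Explorer's own code or any DiamondCS API: the `SpyList` class, the PIDs, ports and packet records are all constructed for the demonstration, and only the matching rules and the 128 cap come from the posts above.

```python
"""Model of the Socket Spy selection rules described in the thread.

Added example, not DiamondCS code. Rules taken from the posts: a spy-list
entry is either a whole process (every socket that process owns, including
sockets opened later) or one individual socket; whole-process entries are
capped at 128, socket entries are unlimited. Everything else (the SpyList
API, PIDs, ports, packet records) is constructed for the demo.
"""
from dataclasses import dataclass

MAX_SPIED_PROCESSES = 128  # whole-process cap quoted in the thread


@dataclass(frozen=True)
class SocketKey:
    """Identifies one socket: owning PID plus local endpoint."""
    pid: int
    local_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class Packet:
    """Constructed packet record: what a sniffer hook would hand us."""
    pid: int
    local_port: int
    protocol: str
    summary: str


class SpyList:
    def __init__(self, max_processes: int = MAX_SPIED_PROCESSES) -> None:
        self.max_processes = max_processes
        self._processes: set[int] = set()
        self._sockets: set[SocketKey] = set()

    def spy_process(self, pid: int) -> bool:
        """Spy on every socket of a process. Returns False once the cap is hit."""
        if pid in self._processes:
            return True
        if len(self._processes) >= self.max_processes:
            return False
        self._processes.add(pid)
        return True

    def spy_socket(self, pid: int, local_port: int, protocol: str = "tcp") -> None:
        """Spy on one socket only; no limit on how many of these are added."""
        self._sockets.add(SocketKey(pid, local_port, protocol))

    def unspy_process(self, pid: int) -> None:
        self._processes.discard(pid)

    def unspy_socket(self, pid: int, local_port: int, protocol: str = "tcp") -> None:
        self._sockets.discard(SocketKey(pid, local_port, protocol))

    def is_spied(self, pid: int, local_port: int, protocol: str = "tcp") -> bool:
        # A whole-process entry matches any socket the process owns, so a
        # socket created after the process was added is still captured.
        if pid in self._processes:
            return True
        return SocketKey(pid, local_port, protocol) in self._sockets

    def counts(self) -> tuple[int, int]:
        return len(self._processes), len(self._sockets)


def capture(spy: SpyList, packets: list[Packet]) -> list[str]:
    """Return the summaries of the packets the spy list would show."""
    return [p.summary for p in packets if spy.is_spied(p.pid, p.local_port, p.protocol)]


def demo() -> list[str]:
    """Wayne's two scenarios side by side, on constructed PIDs and ports."""
    spy = SpyList()
    spy.spy_socket(pid=2200, local_port=21)  # FTP client: control channel only
    spy.spy_process(pid=1048)                # svchost.exe: every socket it owns
    packets = [
        Packet(2200, 21, "tcp", "ftp control"),
        Packet(2200, 51200, "tcp", "ftp data"),            # same process, other socket
        Packet(1048, 135, "tcp", "svchost rpc"),
        Packet(1048, 5000, "udp", "svchost new socket"),   # opened after spying began
        Packet(3100, 80, "tcp", "browser http"),           # not on the list at all
    ]
    return capture(spy, packets)


def cap_demo() -> tuple[bool, bool, int, int]:
    """Fill the whole-process list to 128, try a 129th, then add 10000 sockets."""
    spy = SpyList()
    ok_128 = all(spy.spy_process(pid) for pid in range(1000, 1000 + MAX_SPIED_PROCESSES))
    ok_129 = spy.spy_process(9999)
    for port in range(1024, 1024 + 10000):  # Jason's "10000 of them"
        spy.spy_socket(pid=9999, local_port=port)
    procs, socks = spy.counts()
    return ok_128, ok_129, procs, socks


if __name__ == "__main__":
    print(demo())      # ['ftp control', 'svchost rpc', 'svchost new socket']
    print(cap_demo())  # (True, False, 128, 10000)
```

The point for Disciple's use case is the difference between the two entries: a socket entry on the FTP client shows port 21 and nothing else, while a whole-process entry on svchost.exe shows traffic on any socket that process opens, including one that did not exist when the entry was added.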
  7. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    That ought to keep me and any other most curious person busy for a loooooong time. Maybe we have too much time on our hands? :D
     