Socket Spy: Packet-sniffing with Port Explorer

Discussion in 'Port Explorer' started by Pierre, Apr 25, 2003.

Thread Status:
Not open for further replies.
  1. Pierre

    Pierre Registered Member

    Joined:
    Apr 22, 2003
    Posts:
    16
    Hi,
    I recently bought PE... While reading PE help (Example 2: Capturing all sent and received data from a process)

    I've tried Utilities menu/Socket Spy/process ID /Add PID button

    I run Windows Me and the windows task manager (taskman.exe, I suppose) doesn't give me the PID...
    so I did run the "process list" in TDS3 to see if PID is available. I've got a process number (think=PIDo_O?)

    Trying to add this supposed PID in "PE's socket spy windows" I've obtained an error message... :'(

    "PE's main window" shows me the same Process ID as TDS3.

    I've done this with various processes and always got the same error message ?!?!?

    i.e: 6331... [processus] erreur! ... ... .... .... (sorry it's the french version)

    Please help... Thanx in advance,
    friendly
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Pierre,
    congratulations with this nice tool too!
    Even though I helped translating into Dutch I keep running in English to be able to have the proper messages for everybody, so even if you have it in French, toggling to another language gives all in the new chosen language immediately. My system is a bit slower so I need to go via the English to another language to have it all properly.
    Nice huh?

    The PID (ProcessID) starts with a - so you should type
    -6331 and press the add to spy which should give a popup asking if you are sure you want to spy on process (full path name) so you have an extra control you have the right one. It should appear in the sp then.
    Click on it and the packets, so you should be able to see the packets.
    If I'm spying a hidden process like the firewall I always add it manually to get the results in.
    Hope this helps!
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Pierre, To see the correct PID No in Task manager you will need to add the PID Number using the column attributes in task manager. Processes - View - Columns. I have to say that this is for XP but I imagine there will be similar options in ME.

    Task manager shows 42 processes on this PC at this time.
    I have just checked my own TDS3, PE & Faber toys and they all show the same PID Numbers for 40 processes.
    TDS3 & Faber toys do not show System PID 4 & the System Idle process PID 0.
    PE Shows PID 4 (6 instances on various local system ports).

    Did you try right clicking the process in PE to set the Socket spy running? Right click the process - Socket - Enable spying.

    Here is a screenie showing my PID No 540 (WallWatcher) showing the packets data when Mailwasher checks my Mail on the remote servers:

    HTH Pilli
     

  4. Pierre

    Pierre Registered Member

    Joined:
    Apr 22, 2003
    Posts:
    16
    hi ,

    thanx Jooske... :D
    How such a little thing as a "-" could be so important... ;)


    Pilli....seems that task manager (if taskman.exe is the good prog for windows Me) is not as sophisticated as XP's one... :(

    I've yet tested the right-click on process but as I was learning to use correctly PE, I was supposed to try every way to proceed... :D

    Thanx again to both of U for quick answer and help...

    friendly regards
    pierre
     
  5. Pierre

    Pierre Registered Member

    Joined:
    Apr 22, 2003
    Posts:
    16
    Hi, Pilli

    back again, wondering about PID...
    It appears, in your answer, that there's various PID#o_O??
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Pierre, As far as I know the system applies PIDs to each new process & that some system processes are given the same PID (system & System Idle process for instance) as they are instigated & others may vary dynamically. For instance, when I sent the screenie WallWatcher was PID 540. Being careful I do a regular Ghost image of my C drive on Fridays, :D this has just completed & the PC rebooted gives WallWatcher's new PID as 192.
    Any programme that was being spied on from the previous session (in this case WallWatcher) would need a renewed PID for the new session although PE retains the packet Data from the previous session until removed.

    Sorry if this sounds complicated.

    A good tool for checking processes & their dependencies is Faber toys, Jooske's favorite :D http://www.faberbox.com/fabertoys.asp (it is multilingual)

    Pilli
     
  7. Pierre

    Pierre Registered Member

    Joined:
    Apr 22, 2003
    Posts:
    16
    Thanx for coming back Pilli,

    That's what I call an explanation... Yet I've noticed the PID changes from one session to another, but thought that PID was unique and cannot be applied to more than one process.

    I'll have a glance at Jooske's favorite Faber... ;)

    Thanx again to both of U !
     
  8. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    A process ID is given to a new process when it is created by the system. The process ID CANNOT change while the process is active; when that process ID is given to a process it will stay that way until that process dies. After the process dies and a new process is created there is a chance that the old process ID may be re-used, but two processes can't share the same Process ID. Hope that clears anything up.
    -Jason-
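
The PID behaviour described in the last posts (stable while the process lives, possibly re-used afterwards, different after a reboot) is why a monitoring list keyed on a bare PID can go stale. The sketch below is an added example, not part of the thread and not Port Explorer code; it checks a watched entry against a fresh process snapshot using PID plus image name and creation time. Only the WallWatcher PIDs 540 and 192 come from the thread; the `Proc`, `check` and `relocate` names, the timestamps, PID 612 and `example.exe` are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    image: str     # executable name (constructed sample values)
    started: int   # creation time, seconds since epoch (constructed)

def check(watched, snapshot):
    """Classify a watched process against a fresh process snapshot.

    'same'   : the PID is present and still belongs to the same process
    'reused' : the PID is present but now names a different process
    'gone'   : no process currently has that PID
    """
    current = {p.pid: p for p in snapshot}.get(watched.pid)
    if current is None:
        return "gone"
    if (current.image, current.started) == (watched.image, watched.started):
        return "same"
    return "reused"

def relocate(watched, snapshot):
    """PIDs of processes now running the watched image, newest first."""
    hits = [p for p in snapshot if p.image.lower() == watched.image.lower()]
    return [p.pid for p in sorted(hits, key=lambda p: p.started, reverse=True)]

# Entry recorded while WallWatcher ran as PID 540 (first session).
WATCHED = Proc(540, "WallWatcher.exe", 1051257600)

# Constructed snapshots: same session, after a reboot, after the process exits.
SAME_SESSION = [WATCHED, Proc(612, "MailWasher.exe", 1051257700)]
AFTER_REBOOT = [Proc(192, "WallWatcher.exe", 1051261200),
                Proc(540, "example.exe", 1051261260)]   # hypothetical re-use of 540
AFTER_EXIT = [Proc(612, "MailWasher.exe", 1051257700)]

if __name__ == "__main__":
    for name, snap in [("same session", SAME_SESSION),
                       ("after reboot", AFTER_REBOOT),
                       ("after exit", AFTER_EXIT)]:
        print(f"{name}: PID {WATCHED.pid} is {check(WATCHED, snap)}, "
              f"{WATCHED.image} now at {relocate(WATCHED, snap)}")
```

A "reused" or "gone" result means the old entry should be dropped and the process re-added under the PID that `relocate` reports.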
     