Norton Internet Security is able to determine which process (application) is
sending or receiving data on a particular IP port, and alert the user if it's
of an unknown type, so they can either permit, block, or create a rule filter
for the current alert.
Does anyone know how an NDIS IM Driver can determine which process
(application) is sending or receiving data on a particular IP port?
I've looked at the following link
http://www.pcausa.com/resources/winpktfilter.htm which seems to shed some
light on how this is done, but I got kinda lost when I read the following
paragraph…
“It should also be noted that some network services operate by creating a
thread attached to the system process. In this case the process information
that is available does not specifically identify the actual process that
initially created the thread. This is especially true of Windows services
that exist solely in kernel-mode (kernel-mode TDI clients).”
Could anyone explain to me in English what this means, and advise me how to
determine which process is sending/receiving data on a particular IP port?
Thanks in advance,
James Dunning
General Dynamics United Kingdom Limited
Registered in England and Wales No. 1911653
Registered Office: 100 New Bridge Street, London, EC4V 6JA
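The following is an added example, not part of James's post or the pcausa page he quotes. It shows the user-mode side of the same question on a current Windows system: which process owns a given local TCP or UDP port, and the case the quoted paragraph is warning about, where the owner is PID 4 (the System process) because the socket was opened by a kernel-mode client and no user-mode process can be named. The function name `Get-PortOwner` and the sample ports are my own choices; the cmdlets (`Get-NetTCPConnection`, `Get-NetUDPEndpoint`, `Get-Process`, `Get-CimInstance Win32_Service`) are standard on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the original thread): map a local port to its owning
# process, flag System-owned sockets, and expand svchost PIDs to service names.
# Assumes Windows 8 / Server 2012 or later (NetTCPIP module); run elevated to
# see every process's path.
function Get-PortOwner {
    param(
        [Parameter(Mandatory)][int]$Port,
        [ValidateSet('TCP', 'UDP')][string]$Protocol = 'TCP'
    )

    $endpoints = if ($Protocol -eq 'TCP') {
        Get-NetTCPConnection -LocalPort $Port -ErrorAction SilentlyContinue
    } else {
        Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
    }

    foreach ($ep in $endpoints) {
        $owningPid = $ep.OwningProcess
        $proc = Get-Process -Id $owningPid -ErrorAction SilentlyContinue

        # PID 4 is the System process. A socket it owns was opened by a
        # kernel-mode client (a TDI/WSK client, or a service thread attached to
        # System), so the PID alone cannot identify the real originator. This is
        # the situation the quoted pcausa paragraph describes.
        $note = ''
        if ($owningPid -eq 4) { $note = 'kernel-mode client: owner not identifiable by PID' }

        # svchost.exe hosts many services in one PID; list the services in that
        # PID so the alert can at least be narrowed to a set of candidates.
        $services = ''
        if ($proc -and $proc.ProcessName -eq 'svchost') {
            $services = (Get-CimInstance Win32_Service -Filter "ProcessId = $owningPid" |
                         Select-Object -ExpandProperty Name) -join ','
        }

        [pscustomobject]@{
            Protocol = $Protocol
            Local    = "$($ep.LocalAddress):$($ep.LocalPort)"
            Remote   = if ($Protocol -eq 'TCP') { "$($ep.RemoteAddress):$($ep.RemotePort)" } else { '' }
            State    = if ($Protocol -eq 'TCP') { $ep.State } else { '' }
            PID      = $owningPid
            Process  = if ($proc) { $proc.ProcessName } else { '(exited)' }
            Path     = if ($proc) { $proc.Path } else { '' }
            Services = $services
            Note     = $note
        }
    }
}

# Sample ports (my choice): SMB is served from kernel mode and shows PID 4;
# the RPC endpoint mapper is a service hosted in an svchost.exe PID.
Get-PortOwner -Port 445 | Format-List
Get-PortOwner -Port 135 | Format-List
```

Two points the output makes concrete. First, the port-to-process mapping lives at the socket layer, where the stack knows which process opened the endpoint; an NDIS intermediate driver sees frames below that layer and has no process context of its own, which is why the pcausa page has to reach for per-port bookkeeping at all. Second, even with that bookkeeping, a System-owned or svchost-hosted endpoint gives you a PID that is not the real answer, so a personal-firewall alert has to treat "System" and "svchost.exe" as weaker evidence than a named executable path.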