April 9th, 2003 10:53 PM
That's essentially what I did with windump. I filtered on traffic originating from my box, with a destination other than my internal net. Since I use a proxy server, all legitimate web traffic goes there, which is internal, so there wasn't much going directly outside. I was able to watch the traffic I sent out. I've got that problem pretty much under control.
Could you not filter it to look for specific things like port 80 or winroute.cz? The only tool that I know that could filter as it's collecting would be something like Snort IDS, where you can create your own ruleset and have it only detect those that match that pattern. All others it just ignores and lets pass.
What I'm still interested in, though, is something that would monitor the app that sent the packets. Your example of using snort, for instance, would enable me to see which computer is sending the packets, but that still doesn't tell me which application running on my machine is responsible for sending that packet.
Hmm... maybe a HIDS would, though. But I'm really looking for a forensic tool that can be lightly deployed on a given box to watch what app or process is generating it. I think that could be a useful tool. (Wish I had the coding skills...)
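One lightweight way to get the per-process attribution asked about above, as an added example that is not from the thread: join `netstat -ano` output (which lists the owning PID for each socket) with `tasklist /fo csv /nh` output and keep only the connections whose remote end lies outside the internal nets. The command output samples and the internal address ranges below are constructed; on a live box you would feed in the real command output instead.

```python
"""Attribute outbound connections to the owning process (added example).

Joins constructed `netstat -ano` and `tasklist /fo csv /nh` output so that
every connection leaving the internal nets is tagged with its PID and image.
"""
import csv
import io
import ipaddress
import re

# Constructed sample of `netstat -ano` (Proto, Local, Foreign, State, PID).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1055      192.168.1.1:3128       ESTABLISHED     1844
  TCP    192.168.1.10:1061      203.0.113.5:80         ESTABLISHED     2312
  UDP    192.168.1.10:137       *:*                                    4
"""

# Constructed sample of `tasklist /fo csv /nh` (Image, PID, Session, Session#, Mem).
TASKLIST_SAMPLE = '''"iexplore.exe","1844","Console","0","32,000 K"
"updater.exe","2312","Console","0","4,100 K"
"System","4","Console","0","236 K"
'''

# Assumed internal ranges; the proxy at 192.168.1.1 is inside them.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]

NETSTAT_LINE = re.compile(r"\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def pid_to_image(tasklist_csv):
    """Map PID -> image name from tasklist CSV rows."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(tasklist_csv)) if row}


def external_connections(netstat_text, tasklist_csv, internal=INTERNAL_NETS):
    """Return (image, pid, remote_ip, remote_port) for connections leaving the internal nets."""
    images = pid_to_image(tasklist_csv)
    results = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header, blank lines
        _proto, _local, remote, _state, pid = m.groups()
        host, _, port = remote.rpartition(":")
        try:
            ip = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            continue  # '*:*' listeners have no remote endpoint
        if ip.is_unspecified or any(ip in net for net in internal):
            continue  # proxy and other internal traffic is expected
        results.append((images.get(int(pid), "<unknown>"), int(pid), str(ip), int(port)))
    return results
```

This is a snapshot, so a connection that opens and closes between two runs is missed, which is exactly the gap a kernel-level per-packet hook would close.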