Sniffing application network activity
February 8, 2009 5:11 PM
Hi all,
I've just downloaded the TPG Usage Meter application to allow me to monitor from my desktop how much of my download quota (from my ISP) I still have available for the month.
As the application needs my username and password for my ISP I'm interested to see what data the application sends to the internet and to what hosts this data is sent. I've already tried using Wireshark to see what is going on but from the overload of packets I'm getting very confused. Is there some way to filter the capture by process?
Otherwise, is there some other tool that would be better suited for the job?
Thanks,
Max
Ethereal is the classic tool people always suggest for this. I've used it before, but not for this, so I can't give any hints, but it will do what you want to do.
posted by ranglin at 2:45 AM on February 9, 2009
I've used Netlimiter in the past. Its primary function is to limit the speed of uploads/downloads, but it also has lots of detail about how much bandwidth each application uses.
posted by Solomon at 3:36 AM on February 9, 2009
Ranglin: Wireshark is Ethereal (name change due to copyright issues).
I ran strings on the exe to see what came out and these are the relevant bits I found.
https://postoffice.tpg.com.au/advanced/postoffice/login.php?TPG=4f00d01c972a0bbc93169310bdc95d27&1=1&imapuser={USERNAME}
https://cyberstore.tpg.com.au/your_account/?check_username={USERNAME}
mail.tpg.com.au
https://cyberstore.tpg.com.au/your_account/index.php?function=checkaccountusage&random=
https://cyberstore.tpg.com.au/your_account/index.php?function=logout&random=
http://forums.whirlpool.net.au/forum-replies.cfm?t=381916
Visit Whirlpool Thread
http://forums.whirlpool.net.au/forum-user.cfm?id=11355
Send Whim to TheToid
mailto:murgs@exemail.com.au?Subject=
TPG Usage Meter version
&Body=
Dear Aaron,
Regards
Send E-Mail to developer
Make donation to Aaron Murgatroyd
http://home.exetel.com.au/amurgshere/download.php?urldir=public/&filename=TPGUsage.txt
+ a couple of links to paypal to give a donation
It looks like it's using https and email so filtering by port might not be of much use. You should be able to filter by those hostnames, though since it's https that might not tell you much.
This is what the author has to say about it on the first forums link above:
I will give you my PERSONAL ASSURANCE that this program does nothing apart from login using standard SSL, download the stats page and produce results from it...
No spyware, no viruses, and no data sent to anywhere, whatsoever. I have made many plugins and various apps for various pieces of software...
home.iprimus.com.au/amurgshere
is my home page...
If you are still unsure then don't use it I guess.. I can't give you any more of a guarantee than that,...
Looking at the above I'd say this is what those links appear to be doing.
posted by tallus at 6:09 AM on February 9, 2009
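The strings approach tallus describes, as an added example (not code from the thread, and not the usage meter author's code): a small Python script that pulls printable runs out of a binary and picks out the URLs and hostnames. It scans for UTF-16LE strings as well as ASCII ones, because Windows programs often store their literals that way and a plain `strings` run does not show them (GNU strings needs `-e l`). The SAMPLE_BLOB and the example.test hosts in it are constructed for the example; they are not taken from the TPG Usage Meter.

```python
"""Pull URLs and hostnames out of a Windows executable's strings (added example).

Windows programs often store literals as UTF-16LE, which a plain `strings`
run does not show, so this scans for both ASCII and UTF-16LE runs.
SAMPLE_BLOB below is constructed for the example; it is not the TPG Usage
Meter binary, and the example.test hosts are placeholders.
"""
import re
import sys
from urllib.parse import urlsplit

# Scheme-prefixed URLs, then bare hostnames with at least three labels
# (so "index.php" or "TPGUsage.txt" are not mistaken for hosts).
URL_RE = re.compile(r"(?:https?://|mailto:)[^\s\"'<>]+", re.I)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.){2,}[a-z]{2,}\b", re.I)


def extract_strings(data, min_len=6):
    """Return (encoding, offset, text) for printable runs of at least min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append(("ascii", m.start(), m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append(("utf-16le", m.start(), m.group().decode("utf-16-le")))
    return sorted(found, key=lambda t: t[1])


def host_of(url):
    """Hostname for http(s) URLs; the domain part of the address for mailto:."""
    parts = urlsplit(url)
    if parts.scheme.lower() == "mailto":
        return parts.path.split("@")[-1].lower()
    return (parts.hostname or "").lower()


def network_indicators(data):
    """URLs and hosts referenced by the binary, as sorted, de-duplicated lists."""
    urls, hosts = set(), set()
    for _enc, _off, text in extract_strings(data):
        for url in URL_RE.findall(text):
            urls.add(url)
            if host_of(url):
                hosts.add(host_of(url))
        # Strip the URLs first so their path components are not re-matched as hosts.
        for host in HOST_RE.findall(URL_RE.sub(" ", text)):
            hosts.add(host.lower())
    return {"urls": sorted(urls), "hosts": sorted(hosts)}


# Constructed stand-in for an .exe: a DOS header stub, an ASCII URL, a UTF-16LE
# hostname, some binary noise, a UTF-16LE update URL and an ASCII mailto link.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"https://cyberstore.example.test/your_account/index.php?function=checkaccountusage&random="
    + b"\x00" * 8
    + "mail.example.test".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02junk\x03"
    + "http://home.example.test/download.php?urldir=public/&filename=Usage.txt".encode("utf-16-le")
    + b"\x00\x00"
    + b"mailto:dev@example.test?Subject=Usage%20Meter" + b"\x00"
)

if __name__ == "__main__":
    # Usage: python this_script.py path\to\program.exe  (falls back to the sample blob)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    result = network_indicators(blob)
    for kind in ("hosts", "urls"):
        print(kind + ":")
        for item in result[kind]:
            print("  " + item)
```

The host list is the thing to compare against what actually shows up on the wire: a hostname or URL in the binary that never appears in the capture is worth a second look, and so is a connection in the capture to a host the binary never names (strings can be built at runtime or obfuscated, so an empty list proves nothing on its own).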
Response by poster: Hey guys, thanks for your answers.
Damn dirty ape, I used a tool similar to TCPView. The tool is called SmartSniff. It's a very nice tool. It can be used as a standalone application if you don't want to install the WinPcap capture driver.
I used this in the same fashion as you described, i.e. to find the ports and hosts that the program is connecting to. I then went to Wireshark and put a filter on those ports and examined the packets. First the application connects back to the developer's homepage to grab a txt file. I examined the txt file and it appears to have data relating to upgrading the software. As far as I could tell no data besides the HTTP GET request for the txt file was sent to the developer's page. The other connection was made to the TPG servers. These connections are encrypted with SSL but this is no problem, as they are obviously connecting to the proper servers.
I had actually already read the author's personal assurance and was quite confident that the software would be safe to use. I just wanted to confirm it to myself as I am becoming evermore security conscious.
Tallus, the strings idea is also a good one as it helps with further inspection of the file.
Thank you to all of you for your contributions.
posted by maxf at 6:23 PM on February 9, 2009
I don't think it can understand processes as it works on the network level (not on the application level). You'll have to figure out what port or what source IP your app is using. If you run TCPView you can see the process name and see what it is talking to. Once you have that info you can make the filtering rule. So, for example, if TCPView says TPG is using port 8958 then write a filter to show only traffic from 8958.
posted by damn dirty ape at 6:33 PM on February 8, 2009
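The process-to-port-to-filter procedure damn dirty ape describes here, and the SmartSniff-then-Wireshark version maxf reports using, as an added example (not code from the thread): a Python script that goes from a process image name to its PID (`tasklist` output), from the PID to its sockets (`netstat -ano` output), and from those to a Wireshark display filter. The SAMPLE_TASKLIST and SAMPLE_NETSTAT text, the image name TPGUsage.exe and the PIDs and addresses in them are constructed for the example, not captured from the real program.

```python
"""Build a Wireshark display filter for one process (added example).

Inputs are the text of `tasklist` and `netstat -ano` as Windows prints them;
the samples below are constructed, not captured from the TPG Usage Meter.
"""
import re
import subprocess
import sys

# "TPGUsage.exe    4120 Console    1    12,345 K"  (image name may contain spaces)
TASKLIST_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,.]+\s*K\s*$")
# "TCP  192.168.1.10:8958  203.0.113.5:443  ESTABLISHED  4120"; UDP rows have no state
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+|\*)(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def pids_for_image(tasklist_output, image_name):
    """All PIDs whose image name matches (a program can run more than one copy)."""
    pids = []
    for line in tasklist_output.splitlines():
        m = TASKLIST_RE.match(line)
        if m and m.group("image").lower() == image_name.lower():
            pids.append(int(m.group("pid")))
    return pids


def sockets_for_pids(netstat_output, pids):
    """(proto, local_port, foreign_addr, foreign_port) for every socket owned by pids."""
    wanted = set(pids)
    sockets = []
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if m and int(m.group("pid")) in wanted:
            sockets.append((m.group("proto").lower(), int(m.group("lport")),
                            m.group("faddr"), m.group("fport")))
    return sockets


def display_filter(sockets):
    """Wireshark/tshark display filter matching exactly those sockets."""
    terms = []
    for proto, lport, faddr, fport in sockets:
        port_term = f"{proto}.port == {lport}"
        if fport == "*" or faddr in ("*", "0.0.0.0", "[::]"):
            terms.append(port_term)  # listening / unconnected: only the local port is known
        else:
            host = faddr.strip("[]")
            addr_field = "ipv6.addr" if ":" in host else "ip.addr"
            terms.append(f"({addr_field} == {host} && {port_term})")
    seen, uniq = set(), []
    for t in terms:  # de-duplicate while keeping netstat's order
        if t not in seen:
            seen.add(t)
            uniq.append(t)
    return " || ".join(uniq)


SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
svchost.exe                   1188 Services                   0      9,876 K
TPGUsage.exe                  4120 Console                    1     12,345 K
"""

SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:8958      203.0.113.5:443        ESTABLISHED     4120
  TCP    192.168.1.10:8961      203.0.113.20:80        ESTABLISHED     4120
  TCP    192.168.1.10:49201     198.51.100.7:443       ESTABLISHED     1188
  UDP    0.0.0.0:5353           *:*                                    4120
"""

if __name__ == "__main__":
    # Usage: python this_script.py TPGUsage.exe   (runs tasklist/netstat on Windows;
    # without an argument it uses the constructed samples above)
    if len(sys.argv) > 1:
        image = sys.argv[1]
        tasklist = subprocess.run(["tasklist"], capture_output=True, text=True).stdout
        netstat = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    else:
        image, tasklist, netstat = "TPGUsage.exe", SAMPLE_TASKLIST, SAMPLE_NETSTAT
    pids = pids_for_image(tasklist, image)
    print(display_filter(sockets_for_pids(netstat, pids)))
```

Paste the printed expression into Wireshark's display filter bar, or run `tshark -r capture.pcap -Y "<filter>"`. Two caveats a practitioner should keep in mind: the local ports are ephemeral, so the snapshot has to be taken while the program is connected (a short-lived connection that closes between two `netstat` runs is missed, which is why TCPView's live view is handy), and the filter only proves which hosts were talked to; for the HTTPS connections the payload stays opaque, so the check that remains is that the server the program connects to is really the one in the binary's URLs (the TLS handshake is still readable in the capture even though the request is not).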