How do I monitor a port for traffic in Windows?

windows performance monitoring traffic
eric young picture eric young · Sep 5, 2010 · Viewed 11.1k times · Source

I am trying to find a solution to monitor the traffic (in and out) through a specific port. It is not required to capture the packets, or do anyting else. What it does is to be a traffic listener to make sure there are messages sent to or received from this port every 10 minutes. It has to be running at the background all the time (like a daemon), and without significant performance impact. Based on my research, one choice is to use an existing tool to do that. There are a bunch of tools out there to monitor or sniff the traffic, such as wireshark. Well, seems most of them monitor the traffic passing through a interface, instead of a port, or they can't run as a daemon. Another choice to write a program to do this. SharpPcap seems to be a good choice, but I still need to capture and analyze the packets to know whether such traffic exist. Could somebody suggest what I should do?

Answer

Evan Plaice picture Evan Plaice · Nov 11, 2010

SharpPcap handles packet capturing in the same manner as Wireshark, so you can set filters to limit the packet being captured to a specific port the same way in SharpPcap as you can in wireshark. Except, SharpPcap will be a much lighter weight option vs wireshark.

Download the SharpPcap source tree and look at the Example05.SetFilter.

To narrow down the results so you capture only the packets you want to see you'll need to employ a few filters.

Pcap uses a common language across all applications that use it do specify the filters to set. Capture programs that use winpcap (windows) or libpcap (*nix) include, sharppcap, wireshark, pcap.net, winpcap, libpcap, tcpdump, etc... For a great resource on how to use pcap filters see this link.

Here are the filters you need:

  • ether host ehost
  • port port

Where the ehost is the MAC address of the computer sending/receiving the packets and the port is the port you want to monitor. So the full filter string would be.

SetFilter("ether host ff:ff:ff:ff:ff:ff and port 60");

The MAC and port here are for illustration purposes only, you'd obviously change them with the values that pertain to your specific setup.

This, used in the SetFilter example will simply print out a line of info with the time of when the packet was captured to the command line every time a packet is captured and meets the criteria if your filter.

If you want more detailed info about the packet, such as info from the headers or the packet's payload, you'll need to parse the incoming raw packet. Be sure to ask for help on the sourceforge project's forum if you need some tips on how to do this. The project developers are very active and always willing to help.

Related questions

NTFS performance and large volumes of files and directories

How does Windows with NTFS perform with large volumes of files and directories? Is there any guidance around limits of files or directories you can place in a single directory before you run into performance problems or other issues? E.…

Read More
Speedup IntelliJ-Idea

I'm using intelliJ for Scala development and got 8 GB of new RAM last week, so I thought: time to use it. I checked my task manager and found intelliJ using ~250mb. From eclipse I knew that tweaking JVM options helped …

Read More
How to get 100% CPU usage from a C program

This is quite an interesting question so let me set the scene. I work at The National Museum of Computing, and we have just managed to get a Cray Y-MP EL super computer from 1992 running, and we really want to …

Read More