1. Methodology
2. Tools
(1) All-protocol analysis tools
- Wireshark: runs on both Windows and Linux. A modified build that attributes captured traffic to the owning process ID also exists; download at PAINT Download.
- Microsoft Network Monitor (NetMon) is a free network packet capturing software from Microsoft. It looks up the TCB (TCP Control Block) in semi-real-time to attribute network packets to processes. It can, however, only attribute TCP traffic and not UDP traffic. Another NetMon limitation is that it only periodically queries the TCB due to performance constraints. It is possible for a TCP connection to exist between the TCB polls and cause a false-negative.
- Process Monitor is another Microsoft (SysInternals) tool. It logs virtually all attributable application activities including network activities. However, it can only attribute network connection activity and does not capture the traffic content like PAINT/Wireshark or Network Monitor.
- On Linux, there is a tool that partially achieves what we are doing with PAINT, which is a program called NetHogs. It can attribute network traffic usage totals to individual processes, but it lacks the ability to attribute data at a per-packet level, and is limited to TCP only.
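The attribution step all of these tools perform, matching a packet's TCP 4-tuple against the kernel's socket table and then the socket against a process, can be reproduced on Linux from `/proc/net/tcp` (the kernel's connection list, the analogue of the Windows TCB that NetMon polls) and the `socket:[inode]` symlinks under `/proc/<pid>/fd`. The following is an added example, not code from the page or from PAINT/NetMon/NetHogs; the `/proc` lines and fd tables are constructed, and the address decoding assumes a little-endian host (the kernel prints IPv4 addresses as host-order hex). It also shows the two failure modes the list above hints at: a socket that has already been closed by its owner (inode 0) cannot be attributed, and because both tables are snapshots, a connection that opens and closes between two reads is missed exactly as with NetMon's periodic TCB polling.

```python
"""Attribute a TCP packet's 4-tuple to an owning PID from Linux /proc tables (added example)."""
import os
import socket
import struct
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

TCP_LISTEN = 0x0A  # state codes as printed in the 'st' column of /proc/net/tcp

# Constructed sample of /proc/net/tcp (not captured from a real host).
# Addresses are host-order hex (little-endian here: 0F02000A -> 10.0.2.15),
# ports are big-endian hex (1F90 -> 8080). Row 2 is a CLOSE_WAIT socket whose
# owner already called close(): the kernel reports inode 0 for it.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 30001 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A1B2 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 30002 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:C3D4 22D8B85D:01BB 08 00000000:00000000 00:00000000 00000000  1000        0 0 3 0000000000000000 20 4 30 10 -1
"""

# Constructed readlink() results for /proc/<pid>/fd/*: pid 4321 owns the listener,
# pid 1234 owns the established connection.
SAMPLE_FD_TABLES: Dict[int, List[str]] = {
    4321: ["/dev/null", "socket:[30001]"],
    1234: ["/dev/pts/0", "socket:[30002]", "/var/log/app.log"],
}


class SocketEntry(NamedTuple):
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: int
    inode: int


def _decode_endpoint(field: str) -> Tuple[str, int]:
    """'0F02000A:A1B2' -> ('10.0.2.15', 41394); decodes with '<I' so the result
    does not depend on the endianness of the machine running this script."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[SocketEntry]:
    """Parse the text of /proc/net/tcp into SocketEntry rows (header skipped)."""
    entries = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 10:
            continue
        lip, lport = _decode_endpoint(cols[1])
        rip, rport = _decode_endpoint(cols[2])
        entries.append(SocketEntry(lip, lport, rip, rport, int(cols[3], 16), int(cols[9])))
    return entries


def inode_to_pid_map(fd_tables: Dict[int, Iterable[str]]) -> Dict[int, int]:
    """Invert pid -> fd symlink targets into socket inode -> pid."""
    out: Dict[int, int] = {}
    for pid, targets in fd_tables.items():
        for target in targets:
            if target.startswith("socket:[") and target.endswith("]"):
                out[int(target[len("socket:["):-1])] = pid
    return out


def attribute_packet(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                     entries: List[SocketEntry], inode_to_pid: Dict[int, int]) -> Optional[int]:
    """Return the PID owning the connection a packet belongs to, or None.
    Matches the exact 4-tuple in either direction; an inbound packet with no
    established match falls back to a LISTEN socket on its destination port
    (the first SYN of a new connection). inode 0 rows are skipped: the kernel
    still tracks them but no process holds them any more."""
    listen_fallback = None
    for e in entries:
        if e.inode == 0:
            continue
        local = (e.local_ip, e.local_port, e.remote_ip, e.remote_port)
        if local in ((src_ip, src_port, dst_ip, dst_port), (dst_ip, dst_port, src_ip, src_port)):
            return inode_to_pid.get(e.inode)
        if e.state == TCP_LISTEN and e.local_port == dst_port and e.local_ip in (dst_ip, "0.0.0.0"):
            listen_fallback = inode_to_pid.get(e.inode)
    return listen_fallback


def read_live_fd_tables(proc: str = "/proc") -> Dict[int, List[str]]:
    """Snapshot fd symlink targets of every readable PID on a real Linux host
    (other users' processes need root). Like NetMon's TCB poll, this is a
    point-in-time view: sockets created and closed between snapshots are missed."""
    tables: Dict[int, List[str]] = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc, name, "fd")
        try:
            tables[int(name)] = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:  # process exited, or permission denied
            continue
    return tables


if __name__ == "__main__":
    rows = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    owners = inode_to_pid_map(SAMPLE_FD_TABLES)
    print(attribute_packet("10.0.2.15", 41394, "93.184.216.34", 443, rows, owners))  # 1234
    print(attribute_packet("127.0.0.1", 50000, "127.0.0.1", 8080, rows, owners))     # 4321 via LISTEN
    print(attribute_packet("10.0.2.15", 50132, "93.184.216.34", 443, rows, owners))  # None, inode 0
```

On a live host, replace the constructed strings with `open("/proc/net/tcp").read()` and `read_live_fd_tables()`, and re-read both before attributing each captured packet; the gap between the two reads, and between reads and the capture, is the same race that produces NetMon's false-negatives. UDP attribution would need `/proc/net/udp` and a match on the local endpoint only, since UDP sockets carry no remote peer.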
(2) HTTP-specific analysis tools