Applications Traffic Watcher

• Download source files - 61.2 KB
• Download demo project - 173.52 KB

Introduction

Applications Traffic Watcher (ATW) is a small utility to get information about the amount of data transferred to and from the Internet. It uses the WinPcap library from here.

Network traffic inside a LAN is calculated, but ignored when calculating costs. So, you can see which applications are consuming traffic. ATW is very useful in understanding how much traffic is consumed by Skype, Gizmo etc.

Main Idea

The idea of the application is quite simple:

1. Application Traffic Watcher constantly gets packets from WinPCap.
2. It tries to associate packets with process ID using packet's information about local address and port and also information about all active connections, using the functions GetExtendedTcpTable or GetExtendedUdpTable.
3. If the application cannot associate the packet with its corresponding process ID, add this packet to a "virtual" application named "Unknown_" and local port number. Unfortunately, sometimes it cannot associate a packet with a process (see "Problems" section of the article).
4. ATW determines that either the packet belongs to a local network or to the Internet using lib IPNumber (Read this article).

Installation

There is no installation required if WinPcap is already installed. Just run the *.exe file. Otherwise you must download WinPCap from here and install it. After installation, you should maybe restart your computer to properly initialize the WinPcap drivers - otherwise the program may crash.

Problems

As you can see in the screen shot, there are a lot of processes specified as "Unknown_". Unfortunately, I couldn't find any way to determine which application sends/receives packets. Packets couldn't be identified when Internet Explorer/Firefox etc. download some Web pages. They create a lot of connections on different local ports with unknown PIDs (I couldn't associate the connection which I get from GetExtendedTcpTable and packet which I get from WinPCap). So, if you can help to resolve this problem, you are welcome to do so.

Another big problem - sometimes ATW consumes a lot of CPU resources and I couldn't minimize it for now.

References

1. SharpPcap - A Packet Capture Framework for .NET
2. IP list, Check an IP Number against a List in C#
3. Getting Active TCP/UDP Connections on a Box
4. Getting Active TCP/UDP Connections using GetExtendedTcpTable Function
5. TrafficWatcher

Tools

To understand how Microsoft does some things and for code optimization, I used the following tools:

1. Reflector for .NET
2. Interactive Disassembler (IDA)
3. ANTS
4. Sysinternals tools
5. Microsoft Netstat