Jun,
What kind of image is this? If it's a hibernation file you won't see
any sockets because Windows closes all sockets before hibernating.
sockscan however shows you sockets which get carved out (i.e. ones
that were once used but no longer). It takes a long time because it
has to carve out the socket structures.
Same goes for connscan: it scans old connections from all of memory,
which is why it's slow. There may not be any connections left if it's a
hiber image too.
Sockets and connections are different structures.
Michael.
On Mon, Feb 16, 2009 at 8:29 PM, Jun Koi <junkoi2004(a)gmail.com> wrote:
Hi,
I am using Volatility to list the open sockets on my WinXP file image,
with command "sockets". It should display all the open sockets, like
"netstat -a" does, but it didn't display anything. Is that a bug, or
is that the way it's supposed to work?
I tried with "sockscan" on the same image, and yes, this time it shows
a lot of open sockets. The problem is that this command is really
slow: it took a minute or so on a 400MB image.
Meanwhile, "sockscan2" is a lot faster: it returns information almost
immediately.
"connections", "connscan" and "connscan2" show nothing. Is
that expected?
I suppose that "connections" and "sockets" are about the same thing.
Is that correct?
Thanks,
Jun
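The difference Michael describes (walking the kernel's live list versus carving stale structures out of all of memory) can be shown on a constructed image. The following is an added example, not Volatility's code: it assumes a toy 12-byte record layout with a constructed 4-byte tag and a "next" offset, which is not the real Windows _ADDRESS_OBJECT or _TCPT_OBJECT layout, and uses constructed offsets and port numbers. A list walk from the head pointer sees only records still linked (nothing, once the system has closed everything before hibernating), while a tag scan over the whole buffer recovers every record still lying around, at a cost proportional to image size.

```python
import struct

# Constructed toy layouts, assumed for this example (not the real Windows
# kernel structures): each record is a 4-byte tag, a 4-byte offset of the
# next record in its list, then two small fields.
SOCK_TAG = b"SOCK"       # constructed tag for a socket record
CONN_TAG = b"CONN"       # constructed tag for a connection record
SOCK_FMT = "<4sIHBx"     # tag, next, local port, protocol, pad -> 12 bytes
CONN_FMT = "<4sIHH"      # tag, next, local port, remote port -> 12 bytes
REC_SIZE = 12
NULL = 0xFFFFFFFF        # end-of-list marker in this toy layout
SOCK_HEAD = 0x10         # offset of the live socket list head pointer
CONN_HEAD = 0x14         # offset of the live connection list head pointer
IMAGE_SIZE = 0x1000      # constructed 4 KiB "memory image"


def build_image(hibernated):
    """Build a constructed image holding live and freed records.

    Freed records stay in memory but are no longer linked from any head;
    a hibernated image has had every socket closed, so both heads are NULL.
    """
    img = bytearray(IMAGE_SIZE)
    records = {
        0x100: struct.pack(SOCK_FMT, SOCK_TAG, 0x200, 135, 6),    # live
        0x200: struct.pack(SOCK_FMT, SOCK_TAG, NULL, 445, 6),     # live
        0x300: struct.pack(SOCK_FMT, SOCK_TAG, NULL, 1900, 17),   # freed, unlinked
        0x400: struct.pack(CONN_FMT, CONN_TAG, NULL, 1052, 80),   # live
        0x500: struct.pack(CONN_FMT, CONN_TAG, NULL, 1061, 443),  # freed, unlinked
    }
    for off, rec in records.items():
        img[off:off + REC_SIZE] = rec
    if hibernated:
        struct.pack_into("<I", img, SOCK_HEAD, NULL)
        struct.pack_into("<I", img, CONN_HEAD, NULL)
    else:
        struct.pack_into("<I", img, SOCK_HEAD, 0x100)
        struct.pack_into("<I", img, CONN_HEAD, 0x400)
    return bytes(img)


def walk_list(img, head_off, fmt):
    """Follow the linked list from its head: only live, linked records."""
    found = []
    seen = set()
    off = struct.unpack_from("<I", img, head_off)[0]
    while off != NULL and off not in seen:   # guard against list loops
        seen.add(off)
        _tag, nxt, a, b = struct.unpack_from(fmt, img, off)
        found.append((off, a, b))
        off = nxt
    return found


def scan_for_tag(img, tag, fmt):
    """Carve every record carrying this tag out of the whole image.

    Every byte offset is examined, so cost grows with image size; this is
    the slow-but-thorough behaviour of the *scan plugins, and it also
    returns records that were freed long ago.
    """
    found = []
    for off in range(0, len(img) - REC_SIZE + 1):
        if img[off:off + 4] != tag:
            continue
        _tag, _nxt, a, b = struct.unpack_from(fmt, img, off)
        found.append((off, a, b))
    return found


def compare(hibernated):
    """Return what list-walking and scanning each see on one image."""
    img = build_image(hibernated)
    return {
        "sockets": [p for _, p, _ in walk_list(img, SOCK_HEAD, SOCK_FMT)],
        "sockscan": [p for _, p, _ in scan_for_tag(img, SOCK_TAG, SOCK_FMT)],
        "connections": [(l, r) for _, l, r in walk_list(img, CONN_HEAD, CONN_FMT)],
        "connscan": [(l, r) for _, l, r in scan_for_tag(img, CONN_TAG, CONN_FMT)],
    }


if __name__ == "__main__":
    for state in (False, True):
        print("hibernated" if state else "running", compare(state))
```

On the running image the list walk reports the two linked sockets and one connection, while the scan also surfaces the freed socket and freed connection; on the hibernated image the walks return nothing and the scans return the same carved records. This is why "sockets" and "connections" can be empty while "sockscan" and "connscan" still produce output, and why results from a scan need to be read as "present in memory at some point", not "open at acquisition time".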
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev