Lou,
The netscan command [1] uses pool tag scanning like connscan [2]. Thus it
has the same pros/cons described - in particular "This can find artifacts
from previous connections that have since been terminated, in addition to
the active ones. In the output below, you'll notice some fields have been
partially overwritten, but some of the information is still accurate."
In other words, you may have found remnants of a connection that was once
established, but was closed before the memory dump was taken. The structure
is still lingering, but some pointers within the structure (namely those
that identify the owning process) are no longer valid.
HTH,
Michael
[1]. https://code.google.com/p/volatility/wiki/CommandReference23#netscan
[2]. https://code.google.com/p/volatility/wiki/CommandReference23#connscan
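To make the distinction above concrete, here is an added example (not Volatility's own code, and not from either poster) that parses netscan-style output and sorts each endpoint into "active", "orphaned" or "residual" by whether the owner fields resolved and whether the PID still appears in a process listing. The sample rows are constructed in the column layout of netscan: the two ESTABLISHED rows reuse the addresses from the thread, the remaining rows, PIDs and the process list are made up, and it is an assumption of this example that unresolved Pid/Owner fields are rendered as dashes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample in the column layout of Volatility 2.3 netscan output.
# The ESTABLISHED rows without an owner reuse the addresses from the thread;
# every other row, and the UDP Created timestamp, is made up. A run of dashes
# stands for a field netscan could not resolve because the pointer to the
# owning process in the recovered pool allocation was no longer valid.
SAMPLE_NETSCAN = """\
Offset(P)  Proto  Local Address      Foreign Address       State        Pid   Owner        Created
0x2d07480  TCPv4  10.22.41.40:58767  38.126.225.229:43405  ESTABLISHED  -     -
0x1367da70 TCPv4  10.22.41.40:59302  151.213.50.211:22031  ESTABLISHED  -     -
0xdb838178 TCPv4  0.0.0.0:49154      0.0.0.0:0             LISTENING    996   svchost.exe
0xdb850ab0 TCPv4  0.0.0.0:49155      0.0.0.0:0             LISTENING    1440  spoolsv.exe
0x1e4c2a10 TCPv4  10.22.41.40:49210  10.22.41.5:445        ESTABLISHED  4     System
0x1e4c3b20 TCPv4  10.22.41.40:50001  10.22.41.9:8080       ESTABLISHED  2216  iexplore.exe
0x1f00a100 UDPv4  0.0.0.0:5355       *:*                                1032  svchost.exe  2013-05-16 12:00:01 UTC+0000
"""

# Constructed set of PIDs as a pslist/psscan run on the same image would list them.
# PID 2216 is deliberately absent to model a process that exited before the dump.
SAMPLE_PSLIST_PIDS: Set[int] = {4, 996, 1032, 1440}

# TCP state strings as netscan prints them; UDP rows carry no state column.
TCP_STATES = {
    "ESTABLISHED", "LISTENING", "CLOSED", "CLOSE_WAIT", "SYN_SENT", "SYN_RECEIVED",
    "FIN_WAIT1", "FIN_WAIT2", "TIME_WAIT", "LAST_ACK", "CLOSING", "DELETE_TCB",
}


@dataclass
class NetEntry:
    offset: str
    proto: str
    local: str
    foreign: str
    state: Optional[str]   # None for UDP endpoints
    pid: Optional[int]     # None when the owner pointer did not resolve
    owner: Optional[str]


def _is_placeholder(tok: str) -> bool:
    """True for a field netscan left as one or more dashes."""
    return re.fullmatch(r"-+", tok) is not None


def parse_netscan(text: str) -> List[NetEntry]:
    """Parse whitespace-aligned netscan rows; header and blank lines are skipped."""
    entries: List[NetEntry] = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or not tok[0].startswith("0x"):
            continue
        offset, proto, local, foreign = tok[:4]
        rest = tok[4:]
        state = rest.pop(0) if rest and rest[0] in TCP_STATES else None
        pid: Optional[int] = None
        if rest and rest[0].isdigit():
            pid = int(rest.pop(0))
        elif rest and _is_placeholder(rest[0]):
            rest.pop(0)
        owner: Optional[str] = None
        if rest and _is_placeholder(rest[0]):
            rest.pop(0)
        elif rest:
            owner = rest.pop(0)
        # Anything left is the Created timestamp, which this triage does not need.
        entries.append(NetEntry(offset, proto, local, foreign, state, pid, owner))
    return entries


def triage(entries: List[NetEntry], live_pids: Set[int]) -> Dict[str, str]:
    """Map each offset to a verdict:
    residual  - no owner resolved: a structure recovered by pool-tag scanning whose
                process pointer is stale, typically a connection closed before the dump
    orphaned  - an owner PID was read, but no such process is in the process list
    active    - owner resolved and the process still exists
    """
    verdicts: Dict[str, str] = {}
    for e in entries:
        if e.pid is None and e.owner is None:
            verdicts[e.offset] = "residual"
        elif e.pid not in live_pids:
            verdicts[e.offset] = "orphaned"
        else:
            verdicts[e.offset] = "active"
    return verdicts


if __name__ == "__main__":
    parsed = parse_netscan(SAMPLE_NETSCAN)
    for entry, verdict in zip(parsed, triage(parsed, SAMPLE_PSLIST_PIDS).values()):
        print(f"{entry.offset:<11} {entry.proto:<6} {entry.local:<20} {entry.foreign:<22} "
              f"{entry.state or '':<12} {entry.pid if entry.pid is not None else '-':<6} "
              f"{entry.owner or '-':<14} {verdict}")
```

The "residual" rows are exactly the case Michael describes: the endpoint allocation survived in the pool, but the owner fields could not be filled in, so the row is evidence of a past connection rather than a live one. The "orphaned" verdict is the complementary check a practitioner wants, since a valid-looking PID is only meaningful when cross-referenced against the process list from the same image.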
On Thu, May 16, 2013 at 12:57 PM, Lou LaRocca <louislarocca(a)gmail.com> wrote:
Greetings
I am looking at Win 7 x86 SP1 memory and I don't understand why I am seeing
"established connections" but no PID or Process with it.
0x2d07480 TCPv4 10.22.41.40:58767 38.126.225.229:43405 ESTABLISHED -------- --------------
0x1367da70 TCPv4 10.22.41.40:59302 151.213.50.211:22031 ESTABLISHED -------- --------------
In addition I am seeing stuff "listening" and it contains the PID and
Process.
0xdb838178 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 996 svchost.exe
0xdb850ab0 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 1440 spoolsv.exe
0xdb855e78 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 1440 spoolsv.exe
So my question is why can I see the listening processes but I'm not getting
the processes that are established?
Thanks for the help
Lou
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users