I'm looking for a way of detecting outgoing TCP & UDP communications before they happen. The first answer in this post:
Retrieve process network usage

is basically what I need, but he looks for data sent/received, which is when there's already a connection.
So what I'm looking for is the event that shows the TCP handshake before "user data" is sent.

My app, for example, shows this output:

<Event MSec= "29623,8425" PID="6172" PName="Battle.net" TID=  "-1" EventName="TcpIp/Connect" 
    size="0" daddr="93.184.220.29" saddr="192.168.10.115" dport="80" sport="59.088" mss="1.420" sackopt="1" tsopt="0" wsopt="1" rcvwin="132.060" rcvwinscale="8" sndwinscale="9" seqnum="0" connid="0x0000020200000000"/>
<Event MSec= "29647,4813" PID="6172" PName="Battle.net" TID=  "-1" EventName="TcpIp/Send"
    size="240" daddr="93.184.220.29" saddr="192.168.10.115" dport="80" sport="59.088" startime="8.368.880" endtime="8.368.882" seqnum="0" connid="0x020B003000000000"/>
<Event MSec= "29649,2876" PID="6172" PName="Battle.net" TID=  "-1" EventName="TcpIp/Recv"
    daddr="93.184.220.29" saddr="192.168.10.115" dport="80" sport="59.088" size="799" connid="0x000000C200000000" seqnum="194"/>

But when everything is blocked in FORWARD on the Linux router, I do not see packets for any of these:

session.Source.Kernel.TcpIpConnect += data =>

session.Source.Kernel.TcpIpPartACK += data =>
(actually this one does not show any data at all, even without iptables)

Of course svchost.exe resolved DNS names before this, and the DNS port is open.

Shouldn't there be at least one event trying to create the handshake?

I also tried to switch session providers: session.EnableKernelProvider(KernelTraceEventParser.Keywords.All); no difference.

James Baker
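An added example, not code from the question or from the TraceEvent project, showing one real-time kernel session that subscribes to the IPv4/IPv6 connect events, the TcpIp/Fail event (so connection attempts that never complete are logged too, if the provider emits a failure for them) and UDP sends, using the Microsoft.Diagnostics.Tracing.TraceEvent API. The session name, the output format and the assumption of an elevated process are the example's own.

```csharp
// Added example: log TCP connects, TCP connect failures and UDP sends from the
// NT kernel TcpIp provider. Assumes the Microsoft.Diagnostics.Tracing.TraceEvent
// NuGet package and an elevated (administrator) process.
using System;
using System.Net;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Parsers.Kernel;
using Microsoft.Diagnostics.Tracing.Session;

class OutboundMonitor
{
    static void Main()
    {
        if (TraceEventSession.IsElevated() != true)
        {
            Console.Error.WriteLine("Kernel ETW sessions require an elevated process.");
            return;
        }

        // Session name is arbitrary (assumption); a real-time session needs no file.
        using (var session = new TraceEventSession("OutboundMonitor"))
        {
            Console.CancelKeyPress += (s, e) => session.Dispose();

            // Only the network keyword is needed; Keywords.All adds unrelated noise.
            session.EnableKernelProvider(KernelTraceEventParser.Keywords.NetworkTCPIP);

            var kernel = session.Source.Kernel;

            kernel.TcpIpConnect += (TcpIpConnectTraceData d) =>
                Log(d.TimeStamp, "TCP connect", d.ProcessID, d.ProcessName, d.daddr, d.dport);
            kernel.TcpIpConnectIPV6 += (TcpIpV6ConnectTraceData d) =>
                Log(d.TimeStamp, "TCP connect v6", d.ProcessID, d.ProcessName, d.daddr, d.dport);
            // Fail carries no addresses, only the owning process and a failure code.
            kernel.TcpIpFail += (TcpIpFailTraceData d) =>
                Console.WriteLine($"{d.TimeStamp:HH:mm:ss.fff} TCP fail       PID={d.ProcessID} code={d.FailureCode}");
            kernel.UdpIpSend += (UdpIpTraceData d) =>
                Log(d.TimeStamp, "UDP send", d.ProcessID, d.ProcessName, d.daddr, d.dport);

            session.Source.Process();   // blocks until the session is disposed (Ctrl+C)
        }
    }

    static void Log(DateTime ts, string kind, int pid, string pname, IPAddress daddr, int dport) =>
        Console.WriteLine($"{ts:HH:mm:ss.fff} {kind,-14} PID={pid} {pname} -> {daddr}:{dport}");
}
```

Run it while reproducing the blocked-FORWARD scenario and compare which of the three TCP handlers fire; the Fail handler is the one that distinguishes an attempt that was dropped upstream from one that completed.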