[Vol-dev] list open sockets?

Michael Cohen scudette at gmail.com
Mon Feb 16 03:38:52 CST 2009


Jun,
  What kind of image is this? If it's a hibernation file you won't see
any sockets because Windows closes all sockets before hibernating.
sockscan, however, shows you sockets which get carved out (i.e. ones
that were once used but no longer). It takes a long time because it
has to carve out the socket structures.

Same goes for connscan: it scans old connections from all of memory,
which is why it's slow. There may not be any connections left if it's a
hiber image too.

Sockets and connections are different structures.

Michael.


On Mon, Feb 16, 2009 at 8:29 PM, Jun Koi <junkoi2004 at gmail.com> wrote:
> Hi,
>
> I am using Volatility to list the open sockets on my WinXP file image,
> with command "sockets". It should display all the open sockets, like
> "netstat -a" does, but it didn't display anything. Is that a bug, or
> is that the way it is supposed to work?
>
> I tried with "sockscan" on the same image, and yes, this time it shows
> a lot of open sockets. The problem is that this command is really
> slow: it took a minute or so on a 400MB image.
>
> Meanwhile, "sockscan2" is a lot faster: it returns information almost
> immediately.
>
> "connections", "connscan" and "connscan2" show nothing. Is that expected?
>
> I suppose that "connections" and "sockets" are about the same thing.
> Is that correct?
>
> Thanks,
> Jun
> _______________________________________________
> Vol-dev mailing list
> Vol-dev at volatilesystems.com
> http://lists.volatilesystems.com/mailman/listinfo/vol-dev
>
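The distinction Michael draws above (walking the live list vs. carving structures out of all of memory) is easy to see on a toy image. The following is an added example, not code from the thread or from Volatility: the record layout and the pool tag "SOCK" are constructed for the demo and are not the real Windows _ADDRESS_OBJECT layout or tag.

```python
import struct

TAG = b"SOCK"                    # constructed pool tag, stands in for the real one
REC = struct.Struct("<4sIHHI")   # tag, next (offset of next live record), port, proto, pid
STRIDE = REC.size + 8            # each record is followed by 8 bytes of filler

def build_image(live, freed):
    """Construct a fake memory image. `live` records are chained through `next`
    (the list the OS still maintains); `freed` records stay in memory but are
    unlinked, like sockets closed before the image was taken (e.g. before
    hibernation). Returns (image bytes, offset of the list head, 0 if empty)."""
    entries = list(live) + list(freed)
    offs = [16 + i * STRIDE for i in range(len(entries))]
    img = bytearray(b"\xcc" * (16 + len(entries) * STRIDE))
    for i, (port, proto, pid) in enumerate(entries):
        nxt = offs[i + 1] if i + 1 < len(live) else 0   # only live records chain on
        img[offs[i]:offs[i] + REC.size] = REC.pack(TAG, nxt, port, proto, pid)
    return bytes(img), (offs[0] if live else 0)

def list_walk(img, head):
    """'sockets'-style: follow the live list from its head pointer. Fast, but it
    reports only what the OS still has linked in; an empty list gives nothing."""
    found, off = [], head
    while off:
        _tag, nxt, port, proto, pid = REC.unpack_from(img, off)
        found.append((port, proto, pid))
        off = nxt
    return found

def carve(img):
    """'sockscan'-style: look at every offset for the pool tag and parse whatever
    follows. Finds unlinked (closed) sockets too, but has to touch all of memory,
    which is why it is slow on a large image."""
    found, pos = [], img.find(TAG)
    while pos != -1 and pos + REC.size <= len(img):
        _tag, nxt, port, proto, pid = REC.unpack_from(img, pos)
        found.append((port, proto, pid))
        pos = img.find(TAG, pos + 1)
    return found

if __name__ == "__main__":
    # constructed sample: two live sockets, one already closed and unlinked
    img, head = build_image([(80, 6, 4), (443, 6, 1234)], [(53, 17, 999)])
    print("list walk:", list_walk(img, head))   # only the two live entries
    print("carve:    ", carve(img))             # all three, including the closed one
```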

