Network Monitoring
Ring 3: Enumerate active TCP and UDP connections, with the owning process for each, via the Windows IP Helper API.
Overview
The Network tab provides a real-time view of all network connections on the system, similar to netstat but with a graphical interface and process information. This is implemented in the network crate.
NetworkConnection Structure
Each connection is represented by the following structure:
crates/network/src/lib.rs

```rust
use std::net::IpAddr;

/// One row of the Network tab: a TCP connection or a UDP endpoint.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct NetworkConnection {
    pub protocol: Protocol,      // TCP or UDP
    pub local_addr: IpAddr,      // Local IP address
    pub local_port: u16,         // Local port number
    pub remote_addr: IpAddr,     // Remote IP address (0.0.0.0 for listening)
    pub remote_port: u16,        // Remote port number (0 for listening)
    pub state: TcpState,         // Connection state (TCP only)
    pub pid: u32,                // Owning process ID
    pub process_name: String,    // Process name (resolved)
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Protocol {
    Tcp,
    Udp,
}

/// Mirrors the MIB_TCP_STATE_* values reported in MIB_TCPROW_OWNER_PID::dwState.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum TcpState {
    Closed,
    Listen,
    SynSent,
    SynReceived,
    Established,
    FinWait1,
    FinWait2,
    CloseWait,
    Closing,
    LastAck,
    TimeWait,
    DeleteTcb,
}
```

Implementation
Network enumeration uses the Windows IP Helper API (iphlpapi), which returns the whole connection table together with the owning PIDs in a single call, so no per-socket queries are needed:

Algorithm

```text
// TCP Connections (IPv4)
1. GetExtendedTcpTable(NULL, &size, FALSE, AF_INET, TCP_TABLE_OWNER_PID_ALL)
   (returns ERROR_INSUFFICIENT_BUFFER and sets size to the number of bytes required)
2. Allocate buffer of returned size
3. GetExtendedTcpTable(buffer, &size, TRUE, AF_INET, TCP_TABLE_OWNER_PID_ALL)
   (if the table grew between the two calls this one also reports ERROR_INSUFFICIENT_BUFFER; retry from step 1)
4. Parse MIB_TCPTABLE_OWNER_PID structure (dwNumEntries followed by the rows)
5. For each MIB_TCPROW_OWNER_PID:
   - Convert dwLocalAddr/dwRemoteAddr to IpAddr (an in_addr, bytes already in network order)
   - Convert dwLocalPort/dwRemotePort (port in the low 16 bits, network byte order)
   - Map dwState to TcpState enum
   - Record dwOwningPid

// TCP Connections (IPv6)
1. GetExtendedTcpTable(..., AF_INET6, TCP_TABLE_OWNER_PID_ALL)
2. Parse MIB_TCP6TABLE_OWNER_PID structure

// UDP Endpoints (IPv4 + IPv6)
1. GetExtendedUdpTable(..., UDP_TABLE_OWNER_PID)
2. Parse MIB_UDPTABLE_OWNER_PID / MIB_UDP6TABLE_OWNER_PID

// Process name resolution
1. OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, pid)
2. QueryFullProcessImageNameW()
3. Extract filename from path
```

OpenProcess or QueryFullProcessImageNameW can fail for the idle process (PID 0), the System process (PID 4) and protected processes even with this limited access right, so the caller must tolerate an unresolved name for those rows rather than assume one.

API Functions
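Steps 4 and 5 above are the part that is easy to get wrong, because the table is a raw C layout and the address and port DWORDs are in network byte order. The following is an added example written for this page, not code from the network crate: it parses a MIB_TCPTABLE_OWNER_PID buffer of the kind the second GetExtendedTcpTable call fills in, validates dwNumEntries against the buffer length before reading any row, and applies the address, port and state conversions. The structure layout and the MIB_TCP_STATE_* values are the documented Windows ones; TcpState and TcpConnection are redefined locally so the block compiles on its own, and the sample buffer at the end is constructed (documentation-range addresses, made-up PIDs) so it runs on any platform without calling the API.

```rust
use std::convert::TryInto;
use std::net::{Ipv4Addr, SocketAddrV4};

/// MIB_TCPROW_OWNER_PID is six DWORDs: dwState, dwLocalAddr, dwLocalPort,
/// dwRemoteAddr, dwRemotePort, dwOwningPid. The table starts with dwNumEntries.
const ROW_SIZE: usize = 24;
const HEADER_SIZE: usize = 4;

/// Local mirror of the crate's TcpState so this block compiles stand-alone.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum TcpState {
    Closed, Listen, SynSent, SynReceived, Established, FinWait1,
    FinWait2, CloseWait, Closing, LastAck, TimeWait, DeleteTcb,
}

impl TcpState {
    /// dwState carries MIB_TCP_STATE_* (1..=12); anything else becomes None, never a valid state.
    pub fn from_dw_state(v: u32) -> Option<Self> {
        Some(match v {
            1 => TcpState::Closed, 2 => TcpState::Listen, 3 => TcpState::SynSent,
            4 => TcpState::SynReceived, 5 => TcpState::Established,
            6 => TcpState::FinWait1, 7 => TcpState::FinWait2, 8 => TcpState::CloseWait,
            9 => TcpState::Closing, 10 => TcpState::LastAck, 11 => TcpState::TimeWait,
            12 => TcpState::DeleteTcb, _ => return None,
        })
    }
}

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct TcpConnection {
    pub local: SocketAddrV4,
    pub remote: SocketAddrV4,
    pub state: TcpState,
    pub pid: u32,
}

/// dwLocalAddr/dwRemoteAddr hold an in_addr: the bytes are already in network
/// order, so the DWORD's in-memory bytes are the dotted quad as-is.
pub fn addr_from_dword(dw: u32) -> Ipv4Addr {
    Ipv4Addr::from(dw.to_ne_bytes())
}

/// dwLocalPort/dwRemotePort keep the port in the low-order 16 bits in network byte order,
/// i.e. ntohs((u_short)dwLocalPort). Reading the DWORD as a host integer byte-swaps it (8080 shows as 36895).
pub fn port_from_dword(dw: u32) -> u16 {
    let b = dw.to_ne_bytes();
    u16::from_be_bytes([b[0], b[1]])
}

fn dword(buf: &[u8], off: usize) -> u32 {
    u32::from_ne_bytes(buf[off..off + 4].try_into().expect("4 bytes"))
}

/// Parses a complete MIB_TCPTABLE_OWNER_PID. dwNumEntries is checked against the
/// buffer length before any row is read, so a short buffer yields an error, not an out-of-bounds read.
pub fn parse_tcp_table(buf: &[u8]) -> Result<Vec<TcpConnection>, String> {
    if buf.len() < HEADER_SIZE {
        return Err("buffer shorter than dwNumEntries".into());
    }
    let n = dword(buf, 0) as usize;
    let needed = n.checked_mul(ROW_SIZE).and_then(|r| r.checked_add(HEADER_SIZE)).ok_or("dwNumEntries overflows usize")?;
    if buf.len() < needed {
        return Err(format!("dwNumEntries={} needs {} bytes, buffer has {}", n, needed, buf.len()));
    }
    (0..n)
        .map(|i| -> Result<TcpConnection, String> {
            let off = HEADER_SIZE + i * ROW_SIZE;
            let raw_state = dword(buf, off);
            let state = TcpState::from_dw_state(raw_state)
                .ok_or_else(|| format!("row {}: unknown dwState {}", i, raw_state))?;
            Ok(TcpConnection {
                local: SocketAddrV4::new(addr_from_dword(dword(buf, off + 4)), port_from_dword(dword(buf, off + 8))),
                remote: SocketAddrV4::new(addr_from_dword(dword(buf, off + 12)), port_from_dword(dword(buf, off + 16))),
                state,
                pid: dword(buf, off + 20),
            })
        })
        .collect()
}

/// Constructed sample (not API output): one listening socket and one established
/// connection, using documentation-range addresses and made-up PIDs.
pub fn sample_table() -> Vec<u8> {
    fn row(state: u32, local: Ipv4Addr, lport: u16, remote: Ipv4Addr, rport: u16, pid: u32) -> Vec<u8> {
        // Port DWORD as Windows lays it out: network-order port in the first two bytes.
        let port = |p: u16| { let [hi, lo] = p.to_be_bytes(); [hi, lo, 0, 0] };
        [state.to_ne_bytes(), local.octets(), port(lport), remote.octets(), port(rport), pid.to_ne_bytes()].concat()
    }
    let mut buf = 2u32.to_ne_bytes().to_vec();
    buf.extend(row(2, Ipv4Addr::UNSPECIFIED, 8080, Ipv4Addr::UNSPECIFIED, 0, 1234));
    buf.extend(row(5, Ipv4Addr::new(192, 0, 2, 10), 52013, Ipv4Addr::new(203, 0, 113, 5), 443, 4321));
    buf
}

fn main() {
    for c in parse_tcp_table(&sample_table()).unwrap() {
        println!("{:?} {} -> {} pid={}", c.state, c.local, c.remote, c.pid);
    }
}
```

On Windows the only difference is where the bytes come from: the buffer that GetExtendedTcpTable filled in is passed to parse_tcp_table instead of sample_table(). The bounds check is kept even though the API itself wrote the buffer, because it costs nothing and catches a size mismatch between the two calls.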
| Function | Description |
|---|---|
| enumerate_connections() | Returns Vec<NetworkConnection> of all TCP/UDP connections |
| enumerate_tcp_connections() | Returns only TCP connections (IPv4 + IPv6) |
| enumerate_udp_endpoints() | Returns only UDP endpoints (IPv4 + IPv6) |
UI Features
- Protocol filter — Show All, TCP only, or UDP only
- State filter — Filter by connection state (Established, Listen, etc.)
- Search filter — Filter by IP address, port, or process name
- Sorting — Click column headers to sort by any field
- Process correlation — PID and process name shown for each connection
- Context menu — Copy local/remote address, copy PID, filter by process
- CSV export — Export filtered results to CSV file
- Auto-refresh — Updates every 3 seconds
- IPv6 support — Full IPv4 and IPv6 address display
Connection States
TCP connections pass through several states during their lifecycle. The table lists the ones most often seen; the TcpState enum covers all twelve values the API can report:
| State | Description |
|---|---|
| LISTEN | Server socket waiting for connections |
| ESTABLISHED | Active connection with data transfer |
| TIME_WAIT | Connection closed, waiting for network cleanup |
| CLOSE_WAIT | Remote side closed, local close pending |
| SYN_SENT | Connection attempt in progress |
Use Cases
- Identify processes with active network connections
- Find which process is using a specific port
- Monitor outbound connections for suspicious activity
- Identify listening services and their associated processes
- Debug network connectivity issues
- Audit network activity for security analysis
Port Hiding
The kernel driver can hide specific ports from network enumeration. See Kernel Hiding > Port Hiding for details on hiding connections from this tab.