ProcessDolphin Documentation

Comprehensive guide to using the ProcessDolphin network process mapper

Overview

ProcessDolphin is a sophisticated network monitoring tool that provides per-process network traffic analysis on Windows systems. It enables users to precisely correlate network activity with individual processes, offering detailed visibility into which applications are communicating across networks, what data they're transferring, and to which remote endpoints.

ProcessDolphin v0.3.0 Beta - This monitoring tool is available for Windows 10/11 (64-bit) systems with administrative privileges recommended for comprehensive visibility.

Key Capabilities

  • Per-Process Network Monitoring: Track and analyze network traffic associated with specific processes for precise connection attribution
  • Connection Timeline Analysis: Monitor chronological connection patterns, data transfer volumes, and connection durations for comprehensive analysis
  • Process Context Integration: Link network traffic with detailed process information including PID, owner, memory usage, command line arguments, and parent process relationships
  • Protocol Inspection: Examine TCP/UDP traffic with port-level details and stateful connection tracking
  • External Connection Identification: Instantly identify and highlight processes communicating with external networks versus internal systems
  • Data Export: Generate detailed CSV reports with comprehensive metadata for integration with other tools and further analysis

Getting Started

System Requirements

  • Windows 10 or Windows 11 (64-bit)
  • 4GB RAM minimum (8GB recommended)
  • 100MB free disk space
  • Administrator account for complete network visibility
  • Windows Packet Capture API access

Installation

  1. Download the ProcessDolphin package from the downloads page
  2. Extract the ZIP archive to a location of your choice
  3. Right-click ProcessDolphin.exe and select "Run as administrator" to ensure proper monitoring permissions
  4. On first run, accept the Windows security dialog to grant the application network monitoring privileges
  5. The main interface will load, showing the process monitoring dashboard

Important: Administrator privileges are recommended for ProcessDolphin to access detailed process information and capture comprehensive network data. Running without elevated privileges will result in limited visibility.

User Interface

ProcessDolphin features a clean, modern interface designed for efficiency and ease of use.

Main Application Window

The main window consists of several key areas:

  • Header Bar: Contains the application logo, runtime statistics, and control buttons
  • Process List: Shows all processes that have established network connections
  • Detail Panel: Displays comprehensive information about the selected process and its network connections
  • Status Footer: Shows the application version and status information

Control Buttons

  • Run/Stop: Starts or stops the network monitoring process
  • Export CSV: Exports the current connection data to a CSV file

Process List

The process list displays all processes that have established network connections since monitoring began. Each entry shows:

  • Process name and icon
  • Process ID (PID)
  • Visual indicator for external connections (globe icon)

Processes with external network connections (outside your local network) are highlighted and sorted to the top of the list for easy identification.

Key Features

Real-Time Process Monitoring

ProcessDolphin constantly monitors all running processes on your system that have established network connections. The monitoring engine is designed to be lightweight, typically using less than 20% CPU resources while providing comprehensive visibility.

Network Connection Visualization

For each process, ProcessDolphin shows detailed network connection information including:

  • Connection direction (inbound or outbound)
  • Source and destination IP addresses and ports
  • Network type classification (local, private, or external)
  • Data transfer volumes
  • Connection duration

Process Details

Comprehensive process information is available for each detected process:

  • Process name and PID
  • User/owner
  • Memory usage
  • CPU utilization
  • Creation time
  • Parent process information
  • Command line details
  • Thread count
  • Disk I/O metrics

Search Functionality

The built-in search feature allows you to quickly find specific processes by name or PID, making it easy to locate and monitor particular applications of interest.

Process Monitoring

Starting Monitoring

To begin monitoring network processes:

  1. Launch ProcessDolphin with administrator privileges
  2. Click the Run button in the upper right corner of the interface
  3. The application will begin capturing network connections and associating them with running processes
  4. The process list will populate with detected processes that have active network connections
  5. Processes with external connections will be highlighted and sorted to the top of the list

Process Information

ProcessDolphin collects comprehensive information about each process:

  • Basic Details: Executable name, PID, user/owner, memory usage
  • Performance Metrics: Real-time CPU usage, thread count, disk I/O operations
  • Process Hierarchy: Parent process name, PID, and relationship mapping
  • Execution Context: Full command line arguments, process creation time
  • Network Activity: Connection counts, internal vs. external communication patterns

Note: ProcessDolphin uses specialized APIs to capture process information, with the ETW (Event Tracing for Windows) and Scapy backends enabling deep visibility into process-to-network relationships. Running with administrator privileges provides the most comprehensive data.

Network Mapping

Connection Types

ProcessDolphin intelligently categorizes network connections to provide immediate visibility into traffic patterns:

  • Localhost: Connections to 127.0.0.1 or ::1 (local machine loopback)
  • Private Network: Connections to private IP ranges (10.x.x.x, 192.168.x.x, 172.16-31.x.x, etc.)
  • External: Connections to public IP addresses (internet destinations)

External connections are highlighted and prioritized in the interface for immediate attention, helping users quickly identify applications communicating with external systems.

Connection Details

For each detected connection, ProcessDolphin provides comprehensive metadata:

  • Complete connection tuple (source IP:port to destination IP:port)
  • Connection direction (inbound or outbound flow)
  • Precise timestamp data (connection establishment, last activity)
  • Connection duration with millisecond precision
  • Data transfer metrics (bytes sent/received) with chronological tracking
  • Connection state (active/inactive based on recent activity)

IP Classification System

ProcessDolphin implements RFC-compliant IP address classification using the ipaddress module:

| Type | IP Range | Description |
| --- | --- | --- |
| Localhost | 127.0.0.1/8, ::1 | Local machine loopback connections |
| Private Network | 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, fc00::/7 | Internal/private network connections (RFC 1918, RFC 4193) |
| External | All other IP addresses | External/internet connections (public IP space) |

Data Export

CSV Export

ProcessDolphin allows you to export collected data in CSV format for further analysis or record-keeping:

  1. Start monitoring processes
  2. Let the application collect data for the desired period
  3. Click the Export CSV button
  4. A file named processdolphin_export_[timestamp].csv will be created in the same directory as the application

Export Format

The exported CSV file includes the following fields:

  • Process Name
  • PID
  • Owner
  • Memory (KB)
  • Created Time
  • Direction
  • Last Activity
  • Source IP
  • Source Port
  • Destination IP
  • Destination Port
  • Connection Duration (s)
  • Bytes Sent
  • Bytes Received

The export function becomes available only after you've stopped monitoring or after a monitoring session has collected data.
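
The following is an added example, not ProcessDolphin's own code: it applies the ranges from the IP Classification System table to an exported CSV and lists, per process, the remote endpoints that classify as External. It assumes the CSV header names match the field list above exactly and that the Direction column holds "inbound" or "outbound"; the sample rows are constructed, and the IPv4-mapped IPv6 handling goes beyond what the page describes.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Ranges from the page's classification table (its "127.0.0.1/8" is written
# here as the network 127.0.0.0/8, which ip_network() requires).
LOCALHOST = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "fc00::/7")]

# Constructed sample export; header names are assumed to match the field list.
SAMPLE_CSV = """Process Name,PID,Owner,Memory (KB),Created Time,Direction,Last Activity,Source IP,Source Port,Destination IP,Destination Port,Connection Duration (s),Bytes Sent,Bytes Received
updater.exe,4120,alice,20480,2024-01-01 09:00:00,outbound,2024-01-01 09:05:00,192.168.1.20,50112,203.0.113.10,443,300.0,1200,5400
sync.exe,5332,alice,10240,2024-01-01 09:01:00,outbound,2024-01-01 09:02:00,192.168.1.20,50113,10.0.0.5,445,60.0,800,900
devsrv.exe,6010,alice,5120,2024-01-01 09:03:00,inbound,2024-01-01 09:04:00,198.51.100.7,40000,192.168.1.20,8080,45.0,100,200
"""

def classify(addr):
    """Return 'Localhost', 'Private Network' or 'External' for an IP string."""
    ip = ipaddress.ip_address(addr.strip())
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d); otherwise ::ffff:10.0.0.5
    # would match none of the IPv4 ranges and be reported as External.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if any(ip in net for net in LOCALHOST):
        return "Localhost"
    if any(ip in net for net in PRIVATE):
        return "Private Network"
    return "External"

def external_by_process(csv_text):
    """Map (process name, PID) to a sorted list of external remote 'ip:port'."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Assumption: the remote end is the source for inbound flows and the
        # destination for everything else.
        inbound = row["Direction"].strip().lower() == "inbound"
        side = "Source" if inbound else "Destination"
        try:
            kind = classify(row[side + " IP"])
        except ValueError:
            continue  # malformed address in the export: skip the row
        if kind == "External":
            remote = row[side + " IP"] + ":" + row[side + " Port"]
            hits[(row["Process Name"], row["PID"])].add(remote)
    return {proc: sorted(remotes) for proc, remotes in hits.items()}

if __name__ == "__main__":
    print(external_by_process(SAMPLE_CSV))
```

The explicit range lists are used instead of `ipaddress`'s `is_private` attribute because that attribute also covers reserved blocks outside the table, such as the documentation ranges used in the sample rows.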

Troubleshooting

Common Issues

No Processes Displayed

If no processes appear in the process list after starting monitoring:

  • Ensure you have administrator privileges
  • Check if any security software is blocking ProcessDolphin
  • Verify that there are active network connections on your system
  • Try restarting the application

Missing Process Information

If certain process details are not displayed:

  • Run ProcessDolphin as administrator
  • Some system processes may restrict access to their information

Performance Issues

If ProcessDolphin is causing high CPU or memory usage:

  • Ensure you meet the minimum system requirements
  • Close other resource-intensive applications
  • Try monitoring for shorter periods

Log Files

ProcessDolphin creates a log file at ~/processdolphin_log.txt that can be helpful for troubleshooting. This file contains application events and errors that may help diagnose issues.

Beta Software Notice: ProcessDolphin is currently in beta. If you encounter bugs or issues, please report them using the feedback form.