About This Tool

Primary Use Case

Key Features

• Monitors process network activity using Windows Event Tracing (ETW)
• Generates full packet capture (.pcap) files filtered per process
• Captures DNS queries with domain name resolution
• Automatically tracks child processes and their network endpoints
• Combines advantages of ProcMon, TCPView, and Pktmon while addressing their limitations
• Focuses strictly on network-based activity analysis of processes
• Supports TCP/IP traffic monitoring with packet-level detail

Insights & Recommendations

WhoYouCalling does not capture lower network layer protocols such as ICMP or ARP, nor does it monitor server socket/listening port activity. It complements but does not replace tools like ProcMon for file system or access right monitoring. Users should run it with appropriate permissions to access ETW and packet capture capabilities.

Smart Usage Notes

• Integrate with SIEM solutions to automate alerting on suspicious process network activity.
• Use in purple team exercises to validate detection rules by correlating process behavior with network traffic.
• Automate forensic packet capture during incident response to speed up root cause analysis.
• Combine with endpoint detection tools to enrich telemetry with network-level context.
• Leverage DNS query captures to detect and investigate domain generation algorithms (DGAs) or suspicious command and control traffic.

Security Capability Profile