This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Mapping a Packet in Wireshark to the Application that sent that packet

0

Does anyone know of a good way and/or tool that can be used to match a packet in Wireshark with the local application that sent or received that packet? It would be used with Wireshark capturing on the local machine.

I believe I heard something from Laura C about one for Windows. I'm looking for what that was and one that could be used for OSX as well.

Thanks in advance. Let me know if anyone needs to know the exact use case for this.

asked 15 Jul '15, 14:57

patrick_harrold's gravatar image

patrick_harrold
36558
accept rate: 0%


3 Answers:

2

The poor man's way in Windows (probably applicable to other OSs as well) is to use netstat to determine which process is using a port. Of course this can be difficult to actually tie up with a capture as netstat shows the current (instantaneous) state of ports.

On Windows you can capture using MS Message Analyzer which can record the process involved in the traffic.

There is a (old) feature request on the Wireshark Bugzilla to add process ID capability but it's languished for a long time.

answered 16 Jul '15, 02:23

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Until Windows 7: Network Monitor 3.4 has this feature.

The combination of two CLI commands could be used since WinXP to match the window name to the port.

netstat -ano and tasklist /v

At MacOS you can use the Activity Monitor to support your analyze. https://support.apple.com/en-us/HT201464

(16 Jul '15, 12:17) Christian_R

Thanks for the help Graham.

That is a way for it to work: matching the source port in wireshark with netstat on either OSX or Windows. Then match that PID with the application.

I'll wait a day or two before marking this as the answer just in case someone else has a better answer or an app out there that can show this.

(16 Jul '15, 15:13) patrick_harrold

On Windows > XP SP2, netstat -b in an elevated shell will show the process name as well as the PID.

(17 Jul '15, 02:26) grahamb ♦

1

Hi Patrick,

I tend to leave a tcpview (Sysinternals) window open, it updates in 1 second bursts and you can pause it using SPACE when your data comes, you can then Save the file out as a text file for records if required.

It's not a whole lot more modern than netstat, but it's a little easier to use in my opinion:

start tcpview, sort on the ports you want to see and just wait.

answered 17 Jul '15, 01:49

DarrenWright's gravatar image

DarrenWright
216141520
accept rate: 26%

Thanks Darren. I'll look into this as well.

(18 Jul '15, 23:58) patrick_harrold

0

You may find some usefulness with Dtrace - from Sun - ported to OSX etc.

https://en.wikipedia.org/wiki/DTrace Great info from Brendan Gregg on his site, linked off the dtrace.org site - https://en.wikipedia.org/wiki/Brendan_Gregg I met him when he was giving a talk about ZFS a few years ago.

http://dtrace.org/blogs/about/ http://dtrace.org/blogs/brendan/2011/10/10/top-10-dtrace-scripts-for-mac-os-x/ http://www.brendangregg.com/USEmethod/use-macosx.html

e.g. soconnect_mac.d tcpio.d trace TCP connections -

At least get the tarball of dtrace scripts from dtrace.org - maybe worth the price of his book also - I have the Kindle edition.

Hope this helps -

answered 22 Jul '15, 11:41

packetlevel's gravatar image

packetlevel
1667
accept rate: 0%