For any OS Wireshark runs on, this would be great (my example is based on Windows). TCPView by Mark Russinovich of Sysinternals has one feature that would great to see in Wireshark: the ability to see which process is originating traffic. If possible, it could be one of the displayed columns and could be turned on or off as desired. I find a feature like this to be not only useful in general, but quite helpful when crafting firewall policies for filtering outbound traffic. For example, recently I had a client who runs Kaspersky Internet Security on their workstations which uses outbound https and udp port 2001 to communicate with many different kis servers. It would have saved me a lot if time of Wireshark could have shown me the process that was originating those packets, in this case, avp.exe. I hope others would find this feature useful and would agree it great to see implemented. asked 03 Nov '10, 14:16  eelarry edited 04 Nov '10, 00:07  Jaap ♦ |
4 Answers:
I hate to rain on your parade, but trying to code that that strikes me as a portability nightmare. I've had customers use fport (http://www.foundstone.com/us/resources/proddesc/fport.htm) in a batch file with tshark to grab that info as a plaintext file on Windows boxes...and lsof in the Unix world. answered 03 Nov '10, 20:14  wesmorgan1 Thanks for the link. No question the code would be different for different platforms, but conditional compilation would allow building the executable appropriately for each OS. I haven't seen the WS code, but I'd be surprised to learn it was 100% portable with no conditional compilation. (03 Nov '10, 20:26) eelarry wesmorgan1, could you share your batch file content with us :) ? (19 Sep '11, 21:44) minhtrietpha... |
Dunno about the issues wesmorgan1 raised but I would also like to see that. I am looking for a tool like that. I would be cool though I have to point out that tcpview is also rather limited as one cannot control in it. It offers a very basic view. Some of the things I am not able to manipulate are a. Able to view only one process which I'm interested in, say all 'Google Chrome processes' only b. Able to view the upload and download transactions in KB or MB. and things like that. Why am I going on about this is simply because I see that Wireshark could do all of this but perhaps it would need lot of work either by a user to get a nice view like that. There is another possibility that some nice soul (read developer) makes something that makes understanding and manipulating the output easier in human-readable manner. answered 01 Jan '11, 07:47  shiish |
Wish I could edit my answer, another thing the URL has changed for fport its now listed at http://www.mcafee.com/us/downloads/free-tools/fport.aspx answered 01 Jan '11, 07:48 shiish |
It is my opinion that this is NOT a feature that should be in the Wireshark base product. I do see it as very useful, but Wireshark is about packets. So we'd need a feature added into it that would only be usable when it is capturing traffic sourced or destined to the local host. It would be really, really sweet to extend all of the filtering capabilities all the way to a process. Wireshark is a great sniffer, but I see something that is capable of this being more of a hybrid process/packet analyzer that would definitely have OS dependent hooks. answered 01 Jan '11, 10:09  Paul Stewart |
Bug reports and enhancement requests really belong on
as that's where we track those.