
Wireshark-dev: Re: [Wireshark-dev] [PATCH] Filter by local process name

From: Bogdan Harjoc <harjoc@xxxxxxxxx>
Date: Tue, 11 Dec 2012 16:46:37 +0200
... and I forgot to attach the patch. Here it is.


On Tue, Dec 11, 2012 at 4:45 PM, Bogdan Harjoc <harjoc@xxxxxxxxx> wrote:
I'd like to submit the code I'm using on Windows to filter captured traffic based on the process name.

When debugging traffic generated by a local browser (say Chrome) on my machine that also runs other browsers, messengers, etc., it's useful to only see the traffic I'm interested in. This patch is a functional solution for me, although only on Windows for now.

I know this was brought up before, mostly as a wish. Current issues with this patch:

- it uses GetExtendedTcpTable/GetExtendedUdpTable, so no support for ICMP, ARP, etc.
  (this information is identical to what netstat -o -b provides)

- it gets the information as the packets arrive from winpcap, so the PID may exit by the time we see the packet
  (similarly, the connection may be closed and not show up on netstat, especially for UDP)

- I haven't looked at how to avoid doing anything when the capture is offline (or the src and dst are not local)

- maybe querying process names could be done out of the capture thread, to avoid delays

But all of these would be fixed by a proper implementation, i.e. winpcap could also send PID+processname if available, like netmon from MSFT does. I could have a try at this if there is interest.

In short:
 - installer based on svn r46443 (msvc-2010) is at
   http://patraulea.com/hacks/wireshark/Wireshark-win32-1.9.0-pidfilter.exe
 - feedback would be great

Regards,
Bogdan Harjoc


Attachment: wireshark-1.9-process-info.patch
Description: Binary data
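The post describes a per-packet lookup: take the packet's local endpoint, find the matching row in the TCP/UDP connection table (on Windows, GetExtendedTcpTable/GetExtendedUdpTable, the same data netstat -o -b shows) and read the owning PID and process name. The following is an added, platform-independent model of that matching logic, not the attached patch or any Wireshark code: the connection table, the set of local addresses and the list of live PIDs are constructed inline, and it makes explicit the three caveats the post raises: TCP rows match on the full 4-tuple in either direction, UDP rows can only match on the local endpoint because the UDP table has no remote side, and a row whose PID is no longer running is reported as stale rather than trusted.

```python
"""Model of the per-packet process lookup described in the post (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ConnEntry:
    """One row of the OS connection table (like a netstat -o -b line)."""
    proto: str          # "tcp" or "udp"
    local_addr: str     # may be the wildcard "0.0.0.0"
    local_port: int
    remote_addr: str    # "*" for UDP: the UDP table carries no remote endpoint
    remote_port: int    # 0 for UDP
    pid: int
    name: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int


# Constructed sample data: a snapshot of the connection table and the host's addresses.
LOCAL_ADDRS: Set[str] = {"192.168.1.10", "127.0.0.1"}
CONN_TABLE: List[ConnEntry] = [
    ConnEntry("tcp", "192.168.1.10", 51000, "93.184.216.34", 443, 4321, "chrome.exe"),
    ConnEntry("tcp", "192.168.1.10", 51001, "93.184.216.34", 443, 8765, "firefox.exe"),
    ConnEntry("udp", "0.0.0.0", 53120, "*", 0, 4321, "chrome.exe"),
]
# PID 8765 has exited since the snapshot was taken (the race the post describes).
LIVE_PIDS: Set[int] = {4321}


def local_endpoint(pkt: Packet, local_addrs: Set[str]):
    """Orient the packet: return (local_addr, local_port, remote_addr, remote_port),
    or None when neither end is a local address (offline capture, forwarded traffic)."""
    if pkt.src_addr in local_addrs:
        return pkt.src_addr, pkt.src_port, pkt.dst_addr, pkt.dst_port
    if pkt.dst_addr in local_addrs:
        return pkt.dst_addr, pkt.dst_port, pkt.src_addr, pkt.src_port
    return None


def lookup_process(pkt: Packet, table: List[ConnEntry], local_addrs: Set[str],
                   live_pids: Set[int]) -> Optional[Dict]:
    """Return {'pid', 'name', 'stale'} for the owning process, or None if unknown."""
    ep = local_endpoint(pkt, local_addrs)
    if ep is None:
        return None
    laddr, lport, raddr, rport = ep
    for row in table:
        if row.proto != pkt.proto or row.local_port != lport:
            continue
        # A socket bound to 0.0.0.0 owns the port on every local address.
        if row.local_addr not in (laddr, "0.0.0.0"):
            continue
        # TCP rows are per connection, so the remote side must match too;
        # UDP rows have no remote side, so the local endpoint is all we can check.
        if row.proto == "tcp" and (row.remote_addr, row.remote_port) != (raddr, rport):
            continue
        return {"pid": row.pid, "name": row.name, "stale": row.pid not in live_pids}
    return None


def filter_by_process(packets: List[Packet], name: str, table: List[ConnEntry],
                      local_addrs: Set[str], live_pids: Set[int]) -> List[Packet]:
    """The use case from the post: keep only packets attributed to one process name."""
    out = []
    for pkt in packets:
        info = lookup_process(pkt, table, local_addrs, live_pids)
        if info is not None and info["name"] == name:
            out.append(pkt)
    return out
```

Running the lookup at capture time, as the patch does, means the snapshot can be newer than the packet; the `stale` flag is the cheapest way to keep that visible in the UI instead of silently attributing a packet to a PID that may since have been reused.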