Wireshark-dev: Re: [Wireshark-dev] [ Process Information proposal + doubts on Capture Permissio
From: Brandon Carpenter <[email protected]>
Date: Thu, 02 May 2013 12:02:08 -0700
Ashish (and others interested in the process information proposal),
Please have a look at Hone:
It is performing packet-process correlation on Linux with a Windows sensor soon to come. We went through the trouble of determining that netstat, lsof, and other such tools are insufficient. Hone inserts itself into the kernel to capture network and process events. It is based on the research of Dr. Glenn Fink:
The Hone Linux sensor consists of two modules: honeevent and hone_notify. The honeevent module presents events from hone_notify as PCAP-NG output using a character device, /dev/hone. The device uses standard permissions to control access allowing users to capture without elevating privileges. It is possible for another module to use hone_notify to provide the same data in another form (e.g., via libpcap). The hone_notify module can actually be broken into three modules that are responsible for process, connection, and packet events, with packet events being provided by netfilter.
I also took a swing at presenting the process information in Wireshark with this patch:
See also the discussion on the mailing list April 17 and 18 with the subject "Enhanced PCAP-NG dissection" regarding the patch.
I am very interested in this topic as it is the same thing I'm working on with Hone. And I hope to continue working on getting this data into Wireshark.
On 04/28/2013 09:09 AM, Ashish Raste wrote:
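As an added example (not Hone's or Wireshark's code), the following Python walks a PCAP-NG block stream such as the one the message says /dev/hone exposes, checking each block's framing so a truncated or corrupted stream is rejected instead of being misparsed. Hone's own process-event block types are not described in this message, so only the standard block codes are named and any other type is returned by number; the sample stream below is constructed here.

```python
import struct

# Standard pcapng block type codes and the Section Header byte-order magic.
SHB = 0x0A0D0D0A   # Section Header Block (same bytes in either byte order)
IDB = 0x00000001   # Interface Description Block
EPB = 0x00000006   # Enhanced Packet Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D


def build_block(btype, body, endian="<"):
    """Frame a body as a pcapng block: type, total length, body, total length."""
    body += b"\x00" * (-len(body) % 4)          # pad body to a 32-bit boundary
    length = len(body) + 12
    return (struct.pack(endian + "II", btype, length) + body
            + struct.pack(endian + "I", length))


def parse_blocks(data):
    """Return a list of (block_type, payload) from a pcapng byte stream.

    Byte order is taken from the SHB's byte-order magic. Raises ValueError on
    a truncated block or a trailing length that disagrees with the header."""
    blocks, off, endian = [], 0, "<"
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError(f"truncated block header at offset {off}")
        btype_raw, = struct.unpack_from("<I", data, off)
        if btype_raw == SHB:
            magic, = struct.unpack_from("<I", data, off + 8)
            endian = "<" if magic == BYTE_ORDER_MAGIC else ">"
        btype, length = struct.unpack_from(endian + "II", data, off)
        if length < 12 or length % 4 or off + length > len(data):
            raise ValueError(f"bad block length {length} at offset {off}")
        trailer, = struct.unpack_from(endian + "I", data, off + length - 4)
        if trailer != length:
            raise ValueError(f"trailing length mismatch at offset {off}")
        blocks.append((btype, data[off + 8:off + length - 4]))
        off += length
    return blocks


# Constructed sample: SHB (v1.0, unknown section length), one Ethernet
# interface, and one 6-byte Enhanced Packet Block on interface 0.
PACKET = b"\xde\xad\xbe\xef\x00\x01"
SAMPLE = (build_block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
          + build_block(IDB, struct.pack("<HHI", 1, 0, 65535))
          + build_block(EPB, struct.pack("<IIIII", 0, 0, 0, 6, 6) + PACKET))

if __name__ == "__main__":
    for btype, payload in parse_blocks(SAMPLE):
        print(f"block type 0x{btype:08x}, {len(payload)} payload bytes")
```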