Wireshark-users: Re: [Wireshark-users] PID as column on Wireshark
From: Guy Harris <[email protected]>
Date: Sun, 27 Sep 2009 18:53:12 -0700
On Sep 27, 2009, at 4:01 PM, IT eSTUDANT wrote:

> I would like to put the Process ID as a column item to be displayed on Wireshark. I've been looking around but didn't get an answer. Is this possible?

In the most general sense, no - if the network adapter is in  
promiscuous or monitor mode, a network analyzer such as Wireshark  
could capture traffic which is not going to or from the machine  
running Wireshark, and there is no way to determine what the process  
ID is of the sending or receiving process if it's not running on the  
same machine as Wireshark (and, in fact, the machine sending or  
receiving the packet might not be running an operating system that  
*has* process IDs).

At least for TCP or UDP packets, on some operating systems, Wireshark  
could, in theory, ask the operating system whether any process running  
on the machine has a socket open using the IP address and TCP/UDP port  
that are the source or destination of the packet and, if that's the  
case, get the process ID of that process and display it (UN*X and  
Windows both have the notion of a process ID, and we don't have any  
versions of Wireshark for OSes that aren't Windows or versions of UN*X).

However, the way that would be done would be dependent on the OS on  
which you're running (and it might not be possible on all of them),  
and nobody's written code to do that yet for any of the OSes on which  
Wireshark runs.
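
The lookup described in the reply above, sketched for one OS as an added example (not code from the post or from Wireshark): on Linux, match a packet's TCP endpoints against the /proc/net/tcp socket table, then find the process holding that socket's inode under /proc/<pid>/fd. Assumptions: IPv4 TCP only, a little-endian host, and hypothetical function names; the sample table is constructed.

```python
import os
import socket
import struct

# Constructed sample in /proc/net/tcp layout (Linux, little-endian host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:C350 0B00000A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 45678 1 0000000000000000 20 4 30 10 -1
"""

def _endpoint(field):
    """'0100007F:1F90' -> ('127.0.0.1', 8080)."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)

def parse_socket_table(text):
    """Map (local endpoint, remote endpoint) -> socket inode."""
    table = {}
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 10:
            continue
        table[(_endpoint(cols[1]), _endpoint(cols[2]))] = int(cols[9])
    return table

def inode_for_packet(table, src, dst):
    """Try both directions; None means the packet belongs to no local socket."""
    return table.get((src, dst)) or table.get((dst, src))

def pid_for_inode(inode, proc_root="/proc"):
    """Find a process holding the socket; None if none is visible to us."""
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:  # process exited, or owned by another user
            continue
    return None

def pid_for_packet(src, dst, table_text=None, proc_root="/proc"):
    if table_text is None:  # read the live table when no sample is supplied
        with open(os.path.join(proc_root, "net/tcp")) as f:
            table_text = f.read()
    inode = inode_for_packet(parse_socket_table(table_text), src, dst)
    return pid_for_inode(inode, proc_root) if inode else None
```

A None result covers both cases the reply raises: traffic captured in promiscuous mode that belongs to another machine, and local sockets whose owning process has already exited or is not readable by the current user.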