Wireshark-users: Re: [Wireshark-users] PID as column on Wireshark

On Sep 27, 2009, at 4:01 PM, IT eSTUDANT wrote:

I would like to put the Process ID as a column item to be displayed on Wireshark. I`ve looking around but didn`t get answer. Is this possible?

In the most general sense, no - if the network adapter is in promiscuous or monitor mode, a network analyzer such as Wireshark could capture traffic which is not going to or from the machine running Wireshark, and there is no way to determine what the process ID is of the sending or receiving process if it's not running on the same machine as Wireshark (and, in fact, the machine sending or receiving the packet might not be running an operating system that *has* process IDs).

At least for TCP or UDP packets, on some operating systems, Wireshark could, in theory, ask the operating system whether any process running on the machine has a socket open using the IP address and TCP/UDP port that are the source or destination of the packet and, if that's the case, get the process ID of that process and display it (UN*X and Windows both have the notion of a process ID, and we don't have any versions of Wireshark for OSes that aren't Windows or versions of UN*X).

However, the way that would be done would be dependent on the OS on which you're running (and it might not be possible on all of them), and nobody's written code to do that yet for any of the OSes on which Wireshark runs.