Wireshark-users: Re: [Wireshark-users] PID as column on Wireshark
From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Mon, 28 Sep 2009 12:55:54 +1000
I have a feeling that this in fact would be non-trivial.

Firstly process IDs are of course potentially very short-lived so there is a possibility by the time you get the packet and ask the OS for the PID, it is gone.

(For instance, If I was feeling evil and typed "while [ 1 ]; do ping -c 1 somehost.com; sleep 1; done" on LInux,  The "ping" would be a different PID every second. And if I run the above, I never actually catch the "ping" in flight using "ps -ae", so I imagine you would definitely need some pretty good hooks in the kernel to trace this accurately).

Also in a more practical sense, applications like Apache generally prefork lots of child processes (httpd) to handle requests. I don't know the nitty-gritty, but the parent process opens the listening socket, but I think any of the children have direct access to that socket via a fiel descriptor. So you MAY want to list parent and/or the child process ID that actually reads and writes on any one session. Again, not sure whether this is even possible.

But that all said, I think it would be a worthwhile feature.

Regards, Martin


On Mon, Sep 28, 2009 at 11:53 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

On Sep 27, 2009, at 4:01 PM, IT eSTUDANT wrote:

> I would like to put the Process ID as a column item to be displayed
> on Wireshark. I`ve looking around but didn`t get answer. Is this
> possible?

In the most general sense, no - if the network adapter is in
promiscuous or monitor mode, a network analyzer such as Wireshark
could capture traffic which is not going to or from the machine
running Wireshark, and there is no way to determine what the process
ID is of the sending or receiving process if it's not running on the
same machine as Wireshark (and, in fact, the machine sending or
receiving the packet might not be running an operating system that
*has* process IDs).

At least for TCP or UDP packets, on some operating systems, Wireshark
could, in theory, ask the operating system whether any process running
on the machine has a socket open using the IP address and TCP/UDP port
that are the source or destination of the packet and, if that's the
case, get the process ID of that process and display it (UN*X and
Windows both have the notion of a process ID, and we don't have any
versions of Wireshark for OSes that aren't Windows or versions of UN*X).

However, the way that would be done would be dependent on the OS on
which you're running (and it might not be possible on all of them),
and nobody's written code to do that yet for any of the OSes on which
Wireshark runs.
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users