Wireshark mailing list archives

Re: [PATCH] Filter by local process name


From: Bogdan Harjoc <harjoc () gmail com>
Date: Tue, 11 Dec 2012 18:08:23 +0200

The bugzilla page does seem appropriate. Attached, thanks.

I just put up a short screencast that shows the basic functionality:
www.youtube.com/watch?v=F5foH3Ba_rE



On Tue, Dec 11, 2012 at 4:59 PM, <mmann78 () netscape net> wrote:

Should this patch be attached to bug 1184?
(https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1184)

If not there, it should be entered into Bugzilla (https://bugs.wireshark.org/bugzilla/)
so it's not lost.

 -----Original Message-----
From: Bogdan Harjoc <harjoc () gmail com>
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Sent: Tue, Dec 11, 2012 9:51 am
Subject: Re: [Wireshark-dev] [PATCH] Filter by local process name

... and I forgot to attach the patch. Here it is.


On Tue, Dec 11, 2012 at 4:45 PM, Bogdan Harjoc <harjoc () gmail com> wrote:

I'd like to submit the code I'm using on Windows to filter captured
traffic based on the process name.

When debugging traffic generated by a local browser (say Chrome) on my
machine that also runs other browsers, messengers, etc., it's useful to only
see the traffic I'm interested in. This patch is a functional solution for
me, although only on Windows for now.

I know this was brought up before, mostly as a wish. Current issues with
this patch:

- it uses GetExtendedTcpTable/GetExtendedUdpTable, so no support for
  ICMP, ARP, etc. (this information is identical to what netstat -o -b provides)

- it gets the information as the packets arrive from WinPcap, so the PID
  may exit by the time we see the packet (similarly, the connection may be
  closed and not show up on netstat, especially for UDP)

- I haven't looked at how to avoid doing anything when the capture is
  offline (or the src and dst are not local)

- maybe querying process names could be done out of the capture thread,
  to avoid delays

But all of these would be fixed by a proper implementation, i.e. WinPcap
could also send PID+processname if available, like netmon from MSFT does. I
could have a try at this if there is interest.

In short:
 - installer based on svn r46443 (msvc-2010) is at

http://patraulea.com/hacks/wireshark/Wireshark-win32-1.9.0-pidfilter.exe
 - feedback would be great

Regards,
Bogdan Harjoc


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe


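The lookup the patch describes (local socket table -> owning PID -> process name, the same data netstat -o -b prints), written out as an added PowerShell example. This is not the patch from the thread and not Wireshark code: it uses Get-NetTCPConnection and Get-NetUDPEndpoint, which expose the same OwningProcess information as GetExtendedTcpTable/GetExtendedUdpTable, and the packet endpoints at the bottom are constructed placeholders rather than a real capture. It needs Windows 8 / Server 2012 or later and, to see other users' processes and image paths, an elevated shell. It handles the two failure modes raised above: the owning process exiting before the lookup, and a socket (typically UDP) that is already gone.

```powershell
# Added example, not the patch from this thread. Snapshot the local socket table once,
# then resolve captured packets' local endpoints to PID and image path, the way
# netstat -o -b does. Windows 8 / Server 2012+ (NetTCPIP module); run elevated to
# resolve processes owned by other users.

function Get-LocalEndpointOwners {
    # One snapshot per refresh, taken outside the per-packet path so the capture
    # loop does no API calls. Key: "<proto>/<local address>/<local port>" -> PID.
    $owners = @{}
    foreach ($c in (Get-NetTCPConnection -ErrorAction SilentlyContinue)) {
        $owners["tcp/$($c.LocalAddress)/$($c.LocalPort)"] = [int]$c.OwningProcess
    }
    foreach ($u in (Get-NetUDPEndpoint -ErrorAction SilentlyContinue)) {
        $owners["udp/$($u.LocalAddress)/$($u.LocalPort)"] = [int]$u.OwningProcess
    }
    return $owners
}

function Resolve-PacketOwner {
    param(
        [Parameter(Mandatory)] [hashtable] $Owners,
        [Parameter(Mandatory)] [ValidateSet('tcp', 'udp')] [string] $Protocol,
        [Parameter(Mandatory)] [string] $LocalAddress,
        [Parameter(Mandatory)] [int] $LocalPort
    )
    # A socket bound to the wildcard address (0.0.0.0 or ::) owns traffic on every
    # local address, so try the exact binding first, then the wildcards.
    $keys = @(
        "$Protocol/$LocalAddress/$LocalPort",
        "$Protocol/0.0.0.0/$LocalPort",
        "$Protocol/::/$LocalPort"
    )
    foreach ($k in $keys) {
        if (-not $Owners.ContainsKey($k)) { continue }
        $ownerPid = $Owners[$k]
        # The process can exit between the snapshot and this lookup (the race the
        # thread mentions); Get-Process then returns nothing. Keep the PID and use a
        # placeholder name rather than dropping the packet.
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
        $path = if ($proc) { $proc.Path } else { $null }
        return [pscustomobject]@{
            Protocol     = $Protocol
            LocalAddress = $LocalAddress
            LocalPort    = $LocalPort
            OwnerPid     = $ownerPid
            ProcessName  = $name
            Path         = $path
        }
    }
    # No matching socket: already closed (common for short-lived UDP), not a local
    # endpoint, or a protocol with no socket table entry at all (ICMP, ARP).
    return $null
}

# Constructed sample input: the local endpoints a capture filter would extract from
# three packets on this host. The addresses and ports are placeholders; substitute
# values from a live "netstat -o -b" or Get-NetTCPConnection listing.
$packets = @(
    @{ Protocol = 'tcp'; LocalAddress = '192.168.1.10'; LocalPort = 49812 },
    @{ Protocol = 'udp'; LocalAddress = '192.168.1.10'; LocalPort = 5353 },
    @{ Protocol = 'tcp'; LocalAddress = '127.0.0.1';    LocalPort = 445 }
)

$owners   = Get-LocalEndpointOwners
$resolved = foreach ($pkt in $packets) { Resolve-PacketOwner -Owners $owners @pkt }

# Everything that resolved, then the equivalent of the patch's "only chrome" filter.
$resolved | Where-Object { $_ } |
    Format-Table Protocol, LocalAddress, LocalPort, OwnerPid, ProcessName, Path -AutoSize
$resolved | Where-Object { $_ -and $_.ProcessName -eq 'chrome' }
```

The snapshot-then-resolve split is the point: refreshing the table on a timer (or on a cache miss) instead of per packet is what the "query process names out of the capture thread" item amounts to, and a miss on a UDP endpoint should be treated as expected rather than as an error, since the socket is often closed before the packet is even handed to the capture loop.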
