Wireshark mailing list archives

[PATCH] Filter by local process name
From: Bogdan Harjoc <harjoc () gmail com>
Date: Tue, 11 Dec 2012 16:45:13 +0200

I'd like to submit the code I'm using on Windows to filter captured traffic
based on the process name.

When debugging traffic generated by a local browser (say chrome) on my
machine that also runs other browsers, messengers, etc, it's useful to only
see the traffic I'm interested in. This patch is a functional solution for
me, although only on Windows for now.

I know this was brought up before, mostly as a wish. Current issues with
this patch:

- it uses GetExtendedTcpTable/GetExtendedUdpTable, so no support for ICMP,
  ARP, etc
  (this information is identical to what netstat -o -b provides)

- it gets the information as the packets arrive from winpcap, so the PID
  may exit by the time we see the packet
  (similarly, the connection may be closed and not show up on netstat,
  especially for UDP)

- I haven't looked at how to avoid doing anything when the capture is
  offline (or the src and dst are not local)

- maybe querying process names could be done out of the capture thread, to
  avoid delays

But all of these would be fixed by a proper implementation, i.e. winpcap
could also send PID+processname if available, like netmon from MSFT does. I
could have a try at this if there is interest.

In short:
 - installer based on svn r46443 (msvc-2010) is at
   http://patraulea.com/hacks/wireshark/Wireshark-win32-1.9.0-pidfilter.exe
 - feedback would be great

Regards,
Bogdan Harjoc
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
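The lookup the patch performs, as an added example that is not part of the patch or of Wireshark: each captured packet is matched against a snapshot of the socket table (the rows GetExtendedTcpTable/GetExtendedUdpTable return, i.e. what netstat -o shows) to find the owning PID. The table, local addresses and PIDs below are constructed sample data; the shape of the rows, the inbound/outbound and wildcard-bind handling, and the None result for a socket that has already closed are the points the post's caveats describe.

```python
# Added example: match a captured packet to the local socket owner.
# The socket rows model netstat -o output; on Windows they would be
# refreshed from GetExtendedTcpTable/GetExtendedUdpTable per packet.
from dataclasses import dataclass

WILDCARD = "0.0.0.0"  # local bind address of listening/unconnected rows


@dataclass(frozen=True)
class SocketRow:
    proto: str          # "tcp" or "udp"
    local_addr: str
    local_port: int
    remote_addr: str    # "" for listening TCP and for UDP rows
    remote_port: int    # 0 for listening TCP and for UDP rows
    pid: int


@dataclass(frozen=True)
class Packet:
    proto: str
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int


# Constructed sample snapshot (PIDs and addresses are made up).
SAMPLE_TABLE = [
    SocketRow("tcp", "10.0.0.5", 51234, "93.184.216.34", 443, 4321),
    SocketRow("tcp", WILDCARD, 445, "", 0, 4),        # listening server
    SocketRow("udp", WILDCARD, 5353, "", 0, 777),     # UDP, any peer
]
LOCAL_ADDRS = {"10.0.0.5", "127.0.0.1"}


def _matches(row, local_addr, local_port, remote_addr, remote_port):
    if row.local_port != local_port or row.local_addr not in (WILDCARD, local_addr):
        return False
    # Connected TCP rows must also agree on the peer; listening and
    # UDP rows carry no peer and match any remote endpoint.
    if row.remote_port:
        return (row.remote_addr, row.remote_port) == (remote_addr, remote_port)
    return True


def owning_pid(pkt, table, local_addrs):
    """PID owning pkt's socket, or None (peer not local, or socket gone)."""
    ends = []  # (local_addr, local_port, remote_addr, remote_port)
    if pkt.src_addr in local_addrs:   # outbound: source is the local end
        ends.append((pkt.src_addr, pkt.src_port, pkt.dst_addr, pkt.dst_port))
    if pkt.dst_addr in local_addrs:   # inbound: destination is the local end
        ends.append((pkt.dst_addr, pkt.dst_port, pkt.src_addr, pkt.src_port))
    for la, lp, ra, rp in ends:
        # Prefer a connected row over a wildcard/listening one.
        for row in sorted(table, key=lambda r: r.remote_port == 0):
            if row.proto == pkt.proto and _matches(row, la, lp, ra, rp):
                return row.pid
    return None
```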