
show process name (Windows)


I used to use Microsoft Network Monitor.

Trying Wireshark now; however, the first question that comes to my mind is: How do I add the process name to the capture window?

mgroen
asked 2022-03-25 17:43:42 +0000

Comments

For that you have to use the Sysinternals tools to obtain the information and add it as comments in the pcapng packets. Currently there is no automated way to do that that I am aware of.

hugo.vanderkooij (2022-03-28 07:22:51 +0000)

1 Answer


Wireshark doesn't support that.

Guy Harris
answered 2022-03-25 23:37:05 +0000

Comments

Could it be implemented in a future edition of Wireshark?

mgroen (2022-03-26 21:05:45 +0000)

The problem mainly lies in npcap and the data and interfaces available to it; adding subsequent support to Wireshark to display the info wouldn't be difficult.

grahamb (2022-03-27 17:21:08 +0000)

There are multiple ways of implementing this:

  • if the Npcap driver could fetch a "process name" of some sort for each packet it sees, and pcapng were to add a "process name" option to packet blocks, it could be done in that fashion;
  • if there were an API for Wireshark to get information about active sockets, with endpoint information and a process name, and a new pcapng block type were added to store that information, Wireshark could use that to determine, for TCP and UDP packets, the socket from which the packet was sent or for which it was intended, and could then use that (on any platform where it can do that) to determine a process name.

Note that a table of that sort, internal to the kernel, might be what would be used for the first of those solutions.

Guy Harris (2022-03-27 17:45:40 +0000)

I used to believe obtaining the process id or name requires elevation. Certainly netstat -b does, but the PowerShell Get-NetTcpConnection doesn't seem to need that.

However, I think that attempting to obtain the process info after receipt of a packet from npcap might be prone to errors, particularly affected by Windows reuse of process IDs.

grahamb (2022-03-27 19:04:42 +0000)
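Guy Harris's second approach (a socket table carrying endpoints and process names) and grahamb's PID-reuse caveat, as an added example that is not from this thread, npcap or the Wireshark project: a Python sketch that matches packets against a socket-table snapshot (the kind of rows Get-NetTcpConnection or netstat -b report) and refuses a match when the owning process started after the packet or the snapshot was taken too far from the capture time. All addresses, process names and timestamps are constructed.

```python
from collections import namedtuple
from datetime import datetime, timedelta

WILDCARD_IPS = {"0.0.0.0", "::"}  # unbound address in a socket-table entry
# A socket-table row: endpoints are (ip, port); pid_start is the process creation
# time (guards against PID reuse); snapshot is when the row was sampled.
SocketEntry = namedtuple("SocketEntry", "proto local remote pid process pid_start snapshot")
Packet = namedtuple("Packet", "ts proto src dst")

def _endpoint_matches(entry_ep, packet_ep):
    """Socket-table endpoint matches if ip and port are equal or wildcarded."""
    return (entry_ep[0] == packet_ep[0] or entry_ep[0] in WILDCARD_IPS) and \
           (entry_ep[1] == packet_ep[1] or entry_ep[1] == 0)

def match_process(pkt, table, max_skew=timedelta(seconds=5)):
    """Return the owning process name for pkt, or None if no safe match exists."""
    for e in table:
        if e.proto != pkt.proto:
            continue
        outbound = _endpoint_matches(e.local, pkt.src) and _endpoint_matches(e.remote, pkt.dst)
        inbound = _endpoint_matches(e.local, pkt.dst) and _endpoint_matches(e.remote, pkt.src)
        if not (outbound or inbound):
            continue
        # PID-reuse guard: the process must predate the packet, and the socket table
        # must have been sampled close to the packet's capture time.
        if e.pid_start > pkt.ts or abs(e.snapshot - pkt.ts) > max_skew:
            continue
        return e.process
    return None

# Constructed sample data (not a real capture): one socket-table snapshot, three packets.
T0 = datetime(2022, 3, 27, 19, 0, 0)
TABLE = [
    SocketEntry("tcp", ("10.0.0.5", 51000), ("93.184.216.34", 443), 4242, "browser.exe",
                T0 - timedelta(minutes=10), T0),
    SocketEntry("udp", ("0.0.0.0", 53000), ("0.0.0.0", 0), 880, "resolver.exe",
                T0 - timedelta(hours=1), T0),
    # PID 4242 reused by a process that only started after the packets were captured.
    SocketEntry("tcp", ("10.0.0.5", 51001), ("203.0.113.9", 80), 4242, "updater.exe",
                T0 + timedelta(minutes=2), T0 + timedelta(minutes=2)),
]
PACKETS = [
    Packet(T0 + timedelta(seconds=1), "tcp", ("10.0.0.5", 51000), ("93.184.216.34", 443)),
    Packet(T0 + timedelta(seconds=2), "udp", ("192.0.2.53", 53), ("10.0.0.5", 53000)),
    Packet(T0 + timedelta(seconds=3), "tcp", ("10.0.0.5", 51001), ("203.0.113.9", 80)),
]
def annotate(packets=PACKETS, table=TABLE):
    """Per-packet process names, as a tool would write them into pcapng comments."""
    return [match_process(p, table) for p in packets]
```

The third packet gets no name on purpose: its only candidate row belongs to a process created after the capture, which is exactly the stale-PID case a naive lookup would mislabel.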
