
How can I capture the calling process name?

I'm trying to find out the name of the process that is making the call to an endpoint. How can I set up the capture to get the calling process name?

I have seen something like ip.address (under the TCP/IP section), but that was someone's old video of a capture they had using a particular .patch file.

Alternatively, since I do have that .patch file, how can I add that to my Wireshark installation? That might help.

Thanks, -Mark

anonymous user
asked 2017-12-14 20:56:09 +0000


1 Answer


How can I set up the capture to get the calling process name?

In order for Wireshark to determine the name of the process that sent a packet:

  • it would have to be running on the same machine as that process, otherwise all it has are packets that arrived on its network interface, which may have come from anywhere, including a system that either has no notion of processes or no notion of process names;
  • the capture mechanism Wireshark is using would either have to provide that information as part of the packet metadata, or Wireshark would need to have a list of network connections and processes using those network connections, and would need to be able to look up the network address and port number from which the packet was sent in that list.

Currently, the only capture mechanism that provides that information in a form that Wireshark could use is the capture mechanism used in newer versions of macOS; you'd have to capture using Apple's version of tcpdump, in which case at least some packets sent by the machine will have a pcapng packet comment giving the process name.

Guy Harris
answered 2017-12-15 05:31:10 +0000

Comments

Thanks for the answer. I'm using Windows, so I'll probably use NetMon and/or ProcMon (and map the date/time of the traffic event between the two log files).

mark (2017-12-15 18:04:21 +0000)
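The second mechanism in the answer above (a table of connections and their owning processes, looked up by the packet's local address and port) is what you end up doing by hand when you pair a capture with `netstat -ano`, `ss -tnp` or a ProcMon/NetMon log, as mark describes. The following is an added example, not code from this thread or from Wireshark, showing that join in Python. The connection snapshot and the packet records are constructed inline in the shape `ss -tnp` prints on Linux; the local address set is assumed, and nothing here reads a real capture.

```python
"""Attribute captured packets to local processes by joining them against a
snapshot of the host's connection table. Added example; all input data below
is constructed, not real ss(8) or capture output."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed snapshot in the layout of `ss -tnp` (Linux). On Windows the
# equivalent source would be `netstat -ano` or Get-NetTCPConnection -OwningProcess.
SS_SNAPSHOT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB  0      0      10.0.0.5:51234       93.184.216.34:443   users:(("curl",pid=4242,fd=5))
ESTAB  0      0      10.0.0.5:51240       10.0.0.9:5432       users:(("python3",pid=4300,fd=7))
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*           users:(("sshd",pid=812,fd=3))
"""

# Assumption: addresses owned by the capturing host (hypothetical value).
LOCAL_ADDRS: Set[str] = {"10.0.0.5"}

Socket = Tuple[str, int]          # (local address, local port)
Process = Tuple[str, int]         # (process name, pid)

_SS_LINE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\S+)\s+"
    r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_ss(snapshot: str) -> Dict[Socket, Process]:
    """Build the (local addr, local port) -> (name, pid) table from ss output.
    Lines that do not carry a users:(...) column (header, sockets owned by
    another user when not run as root) are skipped rather than guessed."""
    table: Dict[Socket, Process] = {}
    for line in snapshot.splitlines():
        m = _SS_LINE.match(line)
        if not m:
            continue
        table[(m["laddr"], int(m["lport"]))] = (m["name"], int(m["pid"]))
    return table


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int


def owner(table: Dict[Socket, Process], addr: str, port: int) -> Optional[Process]:
    """Exact socket first, then a wildcard listener bound to the same port
    (an inbound SYN to sshd matches 0.0.0.0:22, not 10.0.0.5:22)."""
    return table.get((addr, port)) or table.get(("0.0.0.0", port))


def attribute(packets: List[Packet], table: Dict[Socket, Process],
              local_addrs: Set[str]) -> List[Tuple[Packet, Optional[Process]]]:
    """Pair each packet with the local process owning its local endpoint.
    Outbound packets are keyed by (src, sport), inbound by (dst, dport).
    None means: no process known, either the socket was gone before the
    snapshot was taken, or neither endpoint belongs to this host."""
    result = []
    for p in packets:
        if p.src in local_addrs:
            proc = owner(table, p.src, p.sport)
        elif p.dst in local_addrs:
            proc = owner(table, p.dst, p.dport)
        else:
            proc = None  # transit traffic seen on the interface; no local process
        result.append((p, proc))
    return result


# Constructed packet records, as a capture on 10.0.0.5 might contain.
SAMPLE_PACKETS = [
    Packet(1.00, "10.0.0.5", 51234, "93.184.216.34", 443),  # outbound, curl
    Packet(1.01, "10.0.0.9", 5432, "10.0.0.5", 51240),      # inbound reply to python3
    Packet(1.02, "203.0.113.7", 40000, "10.0.0.5", 22),     # inbound SYN to sshd listener
    Packet(1.03, "10.0.0.5", 51999, "10.0.0.9", 53),        # short-lived socket, not in snapshot
    Packet(1.04, "10.0.0.77", 1234, "10.0.0.88", 80),       # not this host at all
]


def process_names(packets: List[Packet]) -> List[Optional[str]]:
    """Convenience wrapper: just the process name per packet, None if unknown."""
    table = parse_ss(SS_SNAPSHOT)
    return [proc[0] if proc else None for _, proc in attribute(packets, table, LOCAL_ADDRS)]


if __name__ == "__main__":
    for p, name in zip(SAMPLE_PACKETS, process_names(SAMPLE_PACKETS)):
        print(f"{p.ts:6.2f} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {name or '?'}")
```

Two caveats follow directly from the answer. The table is a point-in-time snapshot, so anything that opens and closes a socket between two snapshots (the DNS packet above) comes back as None; a continuous source such as ProcMon's or ETW's network events, joined on the same address/port key plus the timestamp, closes that gap. And the name you get is whatever the OS reports for the owning process, which an attacker on the host can choose freely by renaming a binary, so treat it as a label for triage, not as evidence.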
