Ethereal-users: Re: [Ethereal-users] Discovering the process that generated a packet

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Keith French" <keithfrench@xxxxxxxxxxxxx>
Date: Thu, 12 Jan 2006 15:43:00 -0000
If you issue a

netstat -o

at the same time as the trace you are taking, this will list port numbers & Process IDs (PIDs) for each session. Then check the PIDs in Task Manager & netstat against the netstat port numbers and the Ethereal trace & you should get what you are after. OK, it's a bit messy, but I can't think of any other way of doing it.

Keith French.

----- Original Message -----
From: "Guy Harris" <gharris@xxxxxxxxx>
To: "Ethereal user support" <ethereal-users@xxxxxxxxxxxx>
Sent: Wednesday, January 11, 2006 10:47 PM
Subject: Re: [Ethereal-users] Discovering the process that generated a packet


secjunky wrote:
So this is my question, is there a way to configure ethereal to display
the process that generated the packet in question?

No.  There is no such feature in Ethereal.  Somebody would have to write
code to implement it.

The way that'd work would be *EXTREMELY* OS-specific (the Linux code is of
no use for any OS other than Linux, and the same would apply to Windows
code, etc.).

Note also that, on *ANY* OS:

   it'd only work on live captures, not on saved capture files (the
process might not *exist* at the time you read the capture file);

   it'd only work if the OS supports a mechanism for finding the process
(or processes!) with a socket open with the given address and port;

   it'd only work if you're doing the capture on the machine sending the
packet;

   it'd only work if either

       1) the process is running at the time you look at the packet, and
has that socket open

   or

       2) Ethereal is doing an "Update list of packets in real time"
capture (or is otherwise dissecting the packet enough to get the
address and port from which it was sent) and saves that
information with the conversation data structure.

I found this one on the ethereal forum
(http://www.ethereal.com/lists/ethereal-dev/200110/msg00129.html), but it
is very old and is far beyond my menial coding experience.

And it's Linux-only, as noted.  Almost all of the code would have to be
*completely* redone for Windows - at least half of the code in
"process_info.c" would be of no use on Windows.


_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
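As an added illustration of Keith's netstat -o procedure and of Guy's caveats (this is example code added here, not code from the Ethereal project or from either poster), the Python script below joins a netstat -ano snapshot, a tasklist excerpt and the per-packet fields from a trace on the local port number. All three inputs are constructed, and the capturing host's address 192.168.1.10 is an assumption. A packet whose socket is already gone by the time netstat runs, or that was neither sent nor received by the capturing host, comes back as unknown, which is the failure mode Guy describes; a socket owned by two processes comes back with both PIDs.

```python
"""Correlate a netstat -o snapshot with packets from a capture on the same host.

Added example, not from the Ethereal project or the list posters.  The
netstat, tasklist and packet data below are constructed; in practice you
would feed in the real `netstat -ano` output taken during the capture and
the per-packet fields exported from the trace (e.g. via tshark -T fields).
"""
from collections import defaultdict

LOCAL_IP = "192.168.1.10"   # assumption: the capturing host's own address

# Constructed `netstat -ano` output (Windows layout).  UDP rows have no
# State column, so the PID is always taken from the last field.
NETSTAT_SNAPSHOT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.10:49152     93.184.216.34:80       ESTABLISHED     1234
  TCP    192.168.1.10:49153     93.184.216.34:443      ESTABLISHED     5678
  TCP    192.168.1.10:49153     93.184.216.34:443      ESTABLISHED     5679
  UDP    0.0.0.0:5353           *:*                                    2222
  UDP    192.168.1.10:51000     *:*                                    4321
"""

# Constructed `tasklist` excerpt (PID -> image name): the "check the PIDs
# in Task Manager" step of the procedure.
TASKLIST = {900: "svchost.exe", 1234: "firefox.exe", 5678: "outlook.exe",
            5679: "outlook.exe", 2222: "mDNSResponder.exe", 4321: "ntpclient.exe"}

# Constructed per-packet fields: (proto, src ip, src port, dst ip, dst port).
PACKETS = [
    ("TCP", "192.168.1.10", 49152, "93.184.216.34", 80),
    ("TCP", "93.184.216.34", 443, "192.168.1.10", 49153),
    ("UDP", "192.168.1.10", 5353, "224.0.0.251", 5353),
    ("UDP", "10.0.0.7", 123, "192.168.1.10", 51000),
    ("TCP", "192.168.1.10", 49200, "203.0.113.5", 22),   # socket closed before netstat ran
    ("TCP", "10.0.0.8", 40000, "10.0.0.9", 80),          # not this host's traffic at all
]


def parse_netstat(text):
    """Map (proto, local ip, local port) -> set of owning PIDs.

    A set, not a single PID: more than one process can hold the same
    socket (inherited handles), which is why the snapshot may list one
    local endpoint twice with different PIDs.
    """
    sockets = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue                       # header, blank line, or banner
        proto, local = fields[0], fields[1]
        ip, port = local.rsplit(":", 1)    # rsplit keeps bracketed IPv6 intact
        sockets[(proto, ip, int(port))].add(int(fields[-1]))
    return sockets


def owner_of(sockets, packet):
    """Return (direction, pids) for one packet.

    pids is empty when nothing in the snapshot matches: the process may
    have exited (or closed the socket) before netstat ran, or the packet
    was not sent or received by this host, so no local socket exists.
    """
    proto, src, sport, dst, dport = packet
    if src == LOCAL_IP:
        direction, port = "out", sport
    elif dst == LOCAL_IP:
        direction, port = "in", dport
    else:
        return "other", set()
    # Prefer a socket bound to the exact local address; otherwise accept a
    # wildcard listener bound to 0.0.0.0 on that port.
    exact = sockets.get((proto, LOCAL_IP, port), set())
    return direction, (exact or sockets.get((proto, "0.0.0.0", port), set()))


def attribute(packets, netstat_text, tasklist):
    """Return one (packet, direction, sorted pids, labels) row per packet."""
    sockets = parse_netstat(netstat_text)
    rows = []
    for pkt in packets:
        direction, pids = owner_of(sockets, pkt)
        pids = sorted(pids)
        labels = [f"{pid} ({tasklist.get(pid, '?')})" for pid in pids] or ["unknown"]
        rows.append((pkt, direction, pids, labels))
    return rows


if __name__ == "__main__":
    for pkt, direction, _, labels in attribute(PACKETS, NETSTAT_SNAPSHOT, TASKLIST):
        print(f"{direction:5} {pkt[1]}:{pkt[2]} -> {pkt[3]}:{pkt[4]}  {', '.join(labels)}")
```

The snapshot has to be taken while the sockets are still open, so in practice you run netstat repeatedly (or poll it in a loop) during the capture and merge the results; one snapshot taken after the trace has finished will attribute nothing but long-lived connections.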

