Wireshark-bugs: [Wireshark-bugs] [Bug 1184] *Shark should support associating TCP and UDP packet

Date: Tue, 31 Jan 2012 20:27:15 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1184

--- Comment #3 from Guy Harris <guy@xxxxxxxxxxxx> 2012-01-31 20:27:13 PST ---
So, for Linux, it appears you have to scan /proc/net/{tcp,udp,tcp6,udp6} to
find the socket for the TCP connection/UDP whatever in question, and then scan
/proc looking at all processes looking for an FD that refers to that socket. 
Sadly, for TCP, there's no way to skip the scan, even though there's going to
be kernel code to look up a pair of endpoints to find the connection; for UDP,
you can't even necessarily use both endpoints, as you might have an unbound
socket sending to a variety of different destinations.  You also can't avoid
the /proc scan - after all, there might be *more than one* process with file
descriptors referring to that socket.

Note: most of the last two paragraphs - the UDP and the "scanning the process
table" part - applies to *all* OSes.

For FreeBSD, the net.inet.tcp.pcblist and net.inet.udp.pcblist sysctls will
give you all TCP and UDP connections; again, no way to skip the scan.  The
"struct xsocket" that's part of the "struct xtcpcb" returned for TCP and the
"struct xinpcb" returned for UDP includes a pointer to the socket structure in
the kernel - not useful as a pointer, but could be useful as a handle.  The
kern.proc.all sysctl will give you all processes as "struct kinfo_proc"; it has
a copy of the p_fd pointer for the process.  Sadly, it appears you also have to
get the *entire* file table with the kern.file sysctl - no fetching the file
table for a given process.

For DragonFly BSD, the same stuff will probably work, given DragonFly's FreeBSD
origins; a quick look at the code suggests it will.

For Mac OS X, it looks as if the pcblist sysctls are there (with some
additional work to handle arbitrary mixes of {32,64}-bit kernel and {32,64}-bit
userland; on FreeBSD, you presumably want the same width in the kernel and
userland).  kern.file also exists, but no such luck for kern.proc.all; perhaps
libproc can help here (and perhaps for some of the other operations).

NetBSD appears to have some different sysctls for the connections.

I don't see any sysctls for network connections, processes, or file descriptors
on OpenBSD.

SunOS 5.x has, as I remember, a mechanism (whose name I'm not sure I remember -
kstat?) to fetch various stuff from the kernel without having to dig through
/dev/kmem.

Dunno about AIX, HP-UX, Digital/Tru64 UNIX, or IRIX.

On Windows XP SP2/Windows Server 2003 SP1 and later, the IP Helper library lets
you fetch a list of TCP or UDP connections that includes, for each connection,
the PID of the owner, with GetExtendedTcpTable() and GetExtendedUdpTable().  In
earlier versions, you can get the tables, but without the PID that owns the
connection.  The PSAPI call GetProcessImageFileName() can translate a HANDLE
for a process to the pathname of its image file; you'd get that HANDLE with a
OpenProcess() call, *if* you have enough privileges to do it.

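The Linux procedure described in the comment above (look up the socket in /proc/net/{tcp,udp,tcp6,udp6} by its endpoints, then walk every /proc/<pid>/fd looking for a link to that socket) as an added example; this is not code from the bug thread or from Wireshark. It assumes a little-endian host (the kernel prints each 32-bit address word in host byte order), uses constructed /proc/net/tcp and /proc/net/tcp6 lines, and runs the fd scan against a fake /proc tree built in a temporary directory so it works offline. It returns every owning PID rather than the first, since, as the comment notes, more than one process can hold a descriptor for the same socket, and the remote endpoint is optional in the lookup because an unbound UDP socket has no fixed peer.

```python
import os
import socket
import struct
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of /proc/net/tcp: a listener on 127.0.0.1:8080 and one
# established connection to it from 127.0.0.1:40000 (inode 12346).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:9C40 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample of /proc/net/tcp6: a listener on [::1]:8080.
SAMPLE_PROC_NET_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:1F90 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 100 0 0 10 0
"""

# Subset of the state codes the kernel prints in the "st" column.
TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "07": "CLOSE", "0A": "LISTEN"}


@dataclass
class SocketEntry:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    uid: int
    inode: int


def _decode_addr(hexaddr: str) -> str:
    """Decode an address column from /proc/net/{tcp,udp,tcp6,udp6}.

    Each 32-bit word is printed as a host-order integer, so on a
    little-endian host (assumed here) every 8-hex-digit word is
    byte-swapped back to network order before formatting.
    """
    words = [hexaddr[i:i + 8] for i in range(0, len(hexaddr), 8)]
    raw = b"".join(struct.pack("<I", int(w, 16)) for w in words)
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, raw)


def parse_proc_net(text: str) -> List[SocketEntry]:
    """Parse the text of a /proc/net/{tcp,udp,tcp6,udp6} file."""
    entries = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = f[1].split(":")
        rip, rport = f[2].split(":")
        entries.append(SocketEntry(_decode_addr(lip), int(lport, 16),
                                   _decode_addr(rip), int(rport, 16),
                                   TCP_STATES.get(f[3], f[3]), int(f[7]), int(f[9])))
    return entries


def find_socket(entries: List[SocketEntry], local_ip: str, local_port: int,
                remote_ip: Optional[str] = None,
                remote_port: Optional[int] = None) -> Optional[SocketEntry]:
    """Find the socket for an endpoint pair; the remote side is optional
    because an unbound UDP socket talks to many peers."""
    for e in entries:
        if (e.local_ip, e.local_port) != (local_ip, local_port):
            continue
        if remote_ip is not None and e.remote_ip != remote_ip:
            continue
        if remote_port is not None and e.remote_port != remote_port:
            continue
        return e
    return None


def find_owners(inode: int, proc_root: str = "/proc") -> List[int]:
    """Scan every <proc_root>/<pid>/fd for a link to socket:[inode].

    Returns all owning PIDs: after fork() or descriptor passing several
    processes may hold the same socket, so the scan never stops early.
    """
    target = f"socket:[{inode}]"
    owners = []
    for name in os.listdir(proc_root):
        if not name.isdigit():                  # skip "self", "net", "sys", ...
            continue
        fd_dir = os.path.join(proc_root, name, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                         # process exited, or no privilege
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    owners.append(int(name))
                    break
            except OSError:                     # fd closed between listdir and readlink
                continue
    return sorted(owners)


def demo() -> List[int]:
    """Resolve the constructed connection's owners against a fake /proc tree."""
    conn = find_socket(parse_proc_net(SAMPLE_PROC_NET_TCP),
                       "127.0.0.1", 40000, "127.0.0.1", 8080)
    if conn is None:
        raise ValueError("connection not found in sample table")
    with tempfile.TemporaryDirectory() as fake_proc:
        # PIDs 100 and 200 share the socket; PID 300 holds an unrelated one.
        for pid, fd, inode in ((100, 3, conn.inode), (200, 5, conn.inode), (300, 0, 999)):
            fd_dir = os.path.join(fake_proc, str(pid), "fd")
            os.makedirs(fd_dir)
            os.symlink(f"socket:[{inode}]", os.path.join(fd_dir, str(fd)))
        os.makedirs(os.path.join(fake_proc, "self"))  # non-PID entry, skipped
        return find_owners(conn.inode, fake_proc)


if __name__ == "__main__":
    print(demo())
```

On a real host, call `parse_proc_net(open("/proc/net/tcp").read())` and `find_owners(inode)` with the default `proc_root`; without privilege to read other users' fd directories the scan silently skips those processes, which is the same limitation the comment describes for OpenProcess() on Windows.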