https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1184
--- Comment #5 from Guy Harris <guy@xxxxxxxxxxxx> 2012-10-01 15:21:04 PDT ---
And OS X 10.8 tags some packets with the process ID and "process name" (first
16 bytes of the last component of the pathname of the executable) and exposes
that with private BPF extensions:
http://www.opensource.apple.com/source/xnu/xnu-2050.7.9/bsd/net/bpf.h
(not in the public /usr/include/net/bpf.h). That appears to be
TCP-and-UDP-only - and may only happen for outgoing packets (they may be the
only ones where the flow hash value is set, from a quick look). That
information gets exposed by tcpdump in pcap-NG comments(!) if you specify the
-P flag to get tcpdump to write out pcap-NG files.
HoNe, on Linux:
http://static.usenix.org/event/lisa06/tech/full_papers/fink/fink.pdf
adds kernel Netfilter hooks and uses them to capture traffic and associate
packets with processes.