Bug ID: 12587
Summary: Accessing the various pcapng blocks' information
Product: Wireshark
Version: unspecified
Hardware: x86
OS: Mac OS X 10.11
Status: UNCONFIRMED
Severity: Normal
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: [email protected]
Reporter: [email protected]
Build Information:
Paste the COMPLETE build information from "Help->About Wireshark", "wireshark -v", or "tshark -v".
--
On macOS 10.11, Apple's modified tcpdump version can show information
about which process sent/received each packet (pid, process string, QoS,
direction) when using the data link type PKTAP.
Example of tcpdump output, showing "Google Chrome:244":
sudo tcpdump -i pktap,en0 -k
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Packet Tap), capture size 262144 bytes
21:07:30.215409 (en0, proc Google Chrome:244, svc BE, out) IP
pepita.fritz.box.53338 > 199.16.156.230.https: Flags [P.], seq
131531122:131531248, ack 1407076814, win 4096, options [nop,nop,TS val
490796404 ecr 1951764051], length 126
This information is added to the pcapng in some blocks; more details from
Guy here:
https://ask.wireshark.org/questions/53818/seeing-pktap-metadata-in-wireshark-gui/53819
It would be very interesting to have access to the various pcapng blocks:
the general file structure and each packet block.
Suggestions as a non-developer:
- Maybe at first only in tshark; not all people would be interested to see that
  in the GUI
- Adding new fields in "geninfo", "frame", or "_ws"?
pcapng format:
https://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
pcapng process information:
https://github.com/HoneProject/Linux-Sensor/wiki/Augmented-PCAP-Next-Generation-Dump-File-Format
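The structure the report asks to expose (the Section Header, Interface Description and Enhanced Packet blocks with their option lists, plus local-use blocks it does not recognise) can be walked with a small parser of the pcapng layout from the draft linked above. This is an added example, not Wireshark's or Apple's code; the in-memory sample file, the interface name and the option code 0x8001 carrying a process string are constructed placeholders, not Apple's actual PKTAP codes.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006   # block types from the pcapng draft
pad4 = lambda n: (n + 3) & ~3                          # pcapng pads values to 32-bit boundaries

def parse_options(raw, e):
    """Option list: (code u16, length u16, value padded to 4 bytes), ended by code 0."""
    opts, pos = [], 0
    while pos + 4 <= len(raw):
        code, length = struct.unpack_from(e + "HH", raw, pos)
        if code == 0:
            break
        opts.append((code, raw[pos + 4:pos + 4 + length]))
        pos += 4 + pad4(length)
    return opts

def walk_blocks(data):
    """Return every block as {type, options}; options are parsed only for layouts we know."""
    blocks, pos, e = [], 0, "<"
    while pos + 12 <= len(data):
        btype, = struct.unpack_from("<I", data, pos)          # SHB type is byte-order symmetric
        if btype == SHB:  # the byte-order magic fixes endianness for the rest of the section
            e = "<" if struct.unpack_from("<I", data, pos + 8)[0] == 0x1A2B3C4D else ">"
        total, = struct.unpack_from(e + "I", data, pos + 4)
        if total < 12 or total % 4 or pos + total > len(data):
            raise ValueError("corrupt block length at offset %d" % pos)
        if struct.unpack_from(e + "I", data, pos + total - 4)[0] != total:
            raise ValueError("trailing length mismatch at offset %d" % pos)
        body = data[pos + 8:pos + total - 4]
        if btype == EPB:    # iface id, ts hi, ts lo, caplen, origlen, packet data, then options
            off = 20 + pad4(struct.unpack_from(e + "I", body, 12)[0])
        else:               # SHB: magic/major/minor/section length; IDB: linktype/reserved/snaplen
            off = {SHB: 16, IDB: 8}.get(btype)   # unknown or local-use block: never guess layout
        blocks.append({"type": btype,
                       "options": parse_options(body[off:], e) if off is not None else []})
        pos += total
    return blocks

def block(btype, body):
    return struct.pack("<II", btype, 12 + len(body)) + body + struct.pack("<I", 12 + len(body))
def option(code, value):
    return struct.pack("<HH", code, len(value)) + value.ljust(pad4(len(value)), b"\0")
def build_sample():
    """Constructed little-endian file: SHB, IDB, one EPB with a placeholder local-use option."""
    end = option(0, b"")
    shb = block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1) + option(1, b"constructed") + end)
    idb = block(IDB, struct.pack("<HHI", 1, 0, 262144) + option(2, b"en0") + end)
    pkt = b"\x01\x02\x03\x04\x05"  # 5 bytes, so the packet data needs 3 bytes of padding
    epb = block(EPB, struct.pack("<IIIII", 0, 0, 0, len(pkt), len(pkt)) + pkt.ljust(8, b"\0")
                + option(0x8001, b"Google Chrome:244") + end)  # 0x8001: constructed, not Apple's
    return shb + idb + epb
```

Running `walk_blocks(build_sample())` lists the three blocks with their options, and a block of an unknown type is reported by number with no options rather than mis-parsed.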