Wireshark-dev: Re: [Wireshark-dev] GSoC 2013: Process Information

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 24 Apr 2013 13:23:52 -0700

On Apr 24, 2013, at 12:10 PM, Anders Broman <a.broman@xxxxxxxxxxxx> wrote:

> Process info is entirely useless when capturing off a mirror/SPAN port

...or in monitor mode on Wi-Fi, or in promiscuous mode on a non-switched Ethernet, or with some type of passive tapping hardware (Endace DAG cards, etc.)...

> so it should be an option to add it.

Yes.

There are, at some level, two modes for using a packet sniffer:

	1) watching traffic to and from the machine on which the sniffer is running;

	2) passively watching third-party traffic.

Process information is only available, in the general case, in the first of those modes.