[Brandon Carpenter <hashstat@xxxxxxxx>]

Kunal,

Ashish is correct.  Hone works with UDP and RAW sockets.  So if a RAW socket is used for ICMP, such as with ping, it will correlate back to the process.  Packets are matched to the socket and the socket is matched to the process which created it.  Most ICMP is correlated to a kernel thread.  The other issue is that when a file descriptor is dup'ed, such as in a fork, data sent/received with the new file descriptor will show up under the original process.

Brandon

P.S. - Sorry if this message appears twice.  I sent it from the wrong address the first time.

On 05/03/2013 05:01 AM, Ashish Raste wrote:

Hi Kunal,

Message: 1
Date: Fri, 3 May 2013 06:20:34 +0530
From: kunal bansal <kunalbansal.02@xxxxxxxxx>
To: wireshark-dev@xxxxxxxxxxxxx
Subject: [Wireshark-dev] Wireshark-dev: Re: [ Process Information
        proposal + doubts on Capture Permissions ]
Message-ID:
        <CAJmrNucT6KG4Po0p8ejQ_6MELjZm6ZWbPfgt-LsRKpT7XOQc6g@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Brandon Carpenter Sir,
Low level authorization and kernel adjust are nice advantages
Does the HoNe Project works on UDP connections??

 

Yes, it will work on UDP connections too. But I am not sure of ICMP packets, have to check them.

Best,

--

Ashish