On Apr 25, 2025, at 12:49 PM, Guy Harris <gharris@xxxxxxxxx> wrote:
> To quote a comment from Wireshark's epan/dissectors/file-pcapng-darwin.c file (which dissects Process Event Blocks if you're using Wireshark as "Fileshark" on a pcapng file that contains Process Event Blocks; there is currently no code to handle Process Event Blocks if you're reading a capture file to see the packets rather than to see the file's structure):
>
> /*
> * Apple's Pcapng Darwin Process Event Block
> *
> * A Darwin Process Event Block (DPEB) is an Apple defined container
> * for information describing a Darwin process.
> *
> * Tools that write / read the capture file associate an incrementing
> * 32-bit number (starting from '0') to each Darwin Process Event Block,
By the way, what constitutes an "event" here?
Are all process creations logged with a PEB, or does one appear when the first packet associated with a process is sent or received?
Is a process exiting, or doing an exec-family call, logged?
See also other process information block ideas, such as:
https://github.com/IETF-OPSAWG-WG/draft-ietf-opsawg-pcap/issues/164
https://github.com/google/linux-sensor/blob/master/hone-pcapng.txt and https://github.com/HoneProject/Linux-Sensor/wiki/Augmented-PCAP-Next-Generation-Dump-File-Format
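As an added illustration of the block being discussed (this is example code written for this page, not Wireshark's dissector, Apple's writer or anything from the quoted mail): a small pcapng walker that validates each block's two length fields, detects byte order from the SHB, and pulls the per-process index out of a Darwin Process Event Block while skipping any other local-use block it does not understand, which is what a reader has to do for the "read the packets" case Guy mentions. The DPEB block type 0x80000001, the 4-byte process index at the start of its body and option code 2 for the process name are this example's assumptions about Apple's layout, and the block type 0x80000003 and all sample bytes are constructed for the example.

```python
"""Walk a pcapng file block by block, tolerating local-use blocks such as
Apple's Darwin Process Event Block (DPEB).

Added example, not code from Wireshark or the quoted mail. Assumptions:
- BT_DPEB, the u32 process index body prefix and option code 2 (process
  name) are this author's assumed DPEB layout, not a verified spec.
- The bytes built by sample_capture() are constructed, not a real capture.
"""
import struct

BT_SHB = 0x0A0D0D0A
BT_IDB = 0x00000001
BT_EPB = 0x00000006
BT_DPEB = 0x80000001  # ASSUMPTION: Apple's DPEB type (MSB set = local-use range)
BYTE_ORDER_MAGIC = 0x1A2B3C4D


def build_block(btype, body, endian="<"):
    """Assemble one block: type, total length, 32-bit padded body, total length."""
    body = body + b"\0" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack(endian + "II", btype, total) + body + struct.pack(endian + "I", total)


def build_options(opts, endian="<"):
    """Encode (code, value) options and terminate with opt_endofopt."""
    out = b""
    for code, value in opts:
        out += struct.pack(endian + "HH", code, len(value)) + value + b"\0" * (-len(value) % 4)
    return out + struct.pack(endian + "HH", 0, 0)


def parse_options(buf, endian="<"):
    """Decode options until opt_endofopt; an absent option list is legal."""
    if not buf:
        return []
    opts, off = [], 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from(endian + "HH", buf, off)
        off += 4
        if code == 0:
            return opts
        if off + length > len(buf):
            raise ValueError("option runs past end of block")
        opts.append((code, buf[off:off + length]))
        off += length + (-length % 4)
    raise ValueError("options not terminated")


def iter_blocks(data):
    """Yield (block_type, body, endian); the SHB byte-order magic sets endian."""
    endian, off = "<", 0
    while off < len(data):
        if off + 12 > len(data):
            raise ValueError("truncated block header")
        if struct.unpack_from("<I", data, off)[0] == BT_SHB:  # type is a byte palindrome
            magic = struct.unpack_from("<I", data, off + 8)[0]
            endian = "<" if magic == BYTE_ORDER_MAGIC else ">"
        btype, blen = struct.unpack_from(endian + "II", data, off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError(f"bad block length {blen} at offset {off}")
        if struct.unpack_from(endian + "I", data, off + blen - 4)[0] != blen:
            raise ValueError(f"length trailer mismatch at offset {off}")
        yield btype, data[off + 8:off + blen - 4], endian
        off += blen


def summarize(data):
    """Count packets, collect (index, name) from each DPEB, skip unknown blocks."""
    summary = {"blocks": 0, "packets": 0, "skipped": [], "processes": []}
    for btype, body, endian in iter_blocks(data):
        summary["blocks"] += 1
        if btype == BT_EPB:
            summary["packets"] += 1
        elif btype == BT_DPEB:
            if len(body) < 4:
                raise ValueError("DPEB too short for a process index")
            index = struct.unpack_from(endian + "I", body, 0)[0]  # assumed u32 index
            name = None
            for code, value in parse_options(body[4:], endian):
                if code == 2:  # assumed: process name option
                    name = value.rstrip(b"\0").decode("utf-8", "replace")
            summary["processes"].append((index, name))
        elif btype not in (BT_SHB, BT_IDB):
            summary["skipped"].append(btype)  # unknown block: skip, do not fail
    return summary


def sample_capture():
    """Constructed sample: SHB, IDB, one DPEB, one unknown local block, one EPB."""
    shb = build_block(BT_SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
    idb = build_block(BT_IDB, struct.pack("<HHI", 1, 0, 65535))
    dpeb = build_block(BT_DPEB, struct.pack("<I", 0) + build_options([(2, b"curl")]))
    unknown = build_block(0x80000003, b"\xde\xad\xbe\xef")  # hypothetical local block
    pkt = bytes(range(14))
    epb = build_block(BT_EPB, struct.pack("<IIIII", 0, 0, 0, len(pkt), len(pkt)) + pkt)
    return shb + idb + dpeb + unknown + epb


if __name__ == "__main__":
    print(summarize(sample_capture()))
```

The two length checks matter more than the DPEB decoding: a writer that emits a block whose trailing length disagrees with the leading one, or a block that runs past end of file, should stop the reader with an error rather than let it resynchronise on attacker-chosen bytes.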