Wireshark-dev: [Wireshark-dev] Re: Discussion: Untangling the situation with the Darwin process

From: Omer Shapira <omer_shapira@xxxxxxxxx>
Date: Mon, 28 Apr 2025 12:06:10 -0700


On Apr 28, 2025, at 12:00 PM, Omer Shapira <omer_shapira@xxxxxxxxx> wrote:



On Apr 25, 2025, at 6:18 PM, Guy Harris <gharris@xxxxxxxxx> wrote:

On Apr 25, 2025, at 12:49 PM, Guy Harris <gharris@xxxxxxxxx> wrote:

To quote a comment from Wireshark's emacs epan/dissectors/file-pcapng-darwin.c file (which dissects Process Event Blocks if you're using Wireshark as "Fileshark" on a pcapng file that contains Process Event Blocks; there is currently no code to handle Process Event Blocks if you're reading a capture file to see the packets rather than to see the file's structure):

/*
* Apple's Pcapng Darwin Process Event Block
*
*    A Darwin Process Event Block (DPEB) is an Apple defined container
*    for information describing a Darwin process.
*
*    Tools that write / read the capture file associate an incrementing
*    32-bit number (starting from '0') to each Darwin Process Event Block,

By the way, what constitutes an "event" here?

Sadly, those are not “events”, see below.

Are all process creations logged with a PEB, or does one appear when the first packet associated with a process is sent or received?

Is a process exiting, or doing an exec-family call, logged?

Darwin PEBs (DPEBs) do not contain any timing information, and do not pretend to reflect the scheduler state machine. Rather, the DPEBs only contain the description of processes, and the order in which DPEBs appear in pcapng is dictated by the order of the “first appearance” of a particular process in the EPB.

In other words, the Darwin tcpdump will only inject a DPEB when it sees a packet, which is associated with a process that has not been observed before.

In yet other words, DPEBs are a way to compress the per-packet information so that the (expensive) information about the process wouldn’t have to be repeated for every packet.

To add to that, FWIW, the Darwin tcpdump refers to what Wireshark calls DPEBs by the name of “PIBs” - “process information blocks”, e.g. https://github.com/apple-opensource-mirror/tcpdump/blob/master/tcpdump/tcpdump.c#L3297

Hence, the name “event”, which suggests some sort of discrete timing information and some kind of state machine, is misleading in this case.



See also other process information block ideas, such as:

https://github.com/IETF-OPSAWG-WG/draft-ietf-opsawg-pcap/issues/164

https://github.com/google/linux-sensor/blob/master/hone-pcapng.txt and https://github.com/HoneProject/Linux-Sensor/wiki/Augmented-PCAP-Next-Generation-Dump-File-Format

Those ideas appear to be related but not the *same*. I would rather not increase the scope of the current discussion, but keep those in mind.


_______________________________________________
Wireshark-dev mailing list -- wireshark-dev@xxxxxxxxxxxxx
To unsubscribe send an email to wireshark-dev-leave@xxxxxxxxxxxxx
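The scheme described in the thread (a process block is emitted the first time a packet from a not-yet-seen process is captured, blocks are numbered 0, 1, 2, ... in order of first appearance, and each packet then carries only that index instead of the full process description) is small enough to model end to end. The following is an added example written for this page; it is not code from Wireshark, from Apple's tcpdump, or from any pcapng specification. The block and record layouts (`ProcessInfo`, `ProcessBlock`, `PacketRecord`) and the sample packets are constructed for illustration and do not reproduce the real DPEB/PIB byte encoding; what they reproduce is the first-appearance ordering, the index assignment, and the absence of any timestamp on the process block.

```python
"""Model of pcapng-style "process information blocks" as described on wireshark-dev.

Constructed example: the data classes below are stand-ins for the real block
formats.  The writer emits one ProcessBlock per distinct process, in order of
first appearance, and the reader resolves each packet's index back to the
process description.  A process block carries no timestamp: it describes a
process, it does not record an event.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessInfo:
    """Description of a process (hypothetical fields, not the real DPEB layout)."""
    pid: int
    name: str


@dataclass
class ProcessBlock:
    index: int          # incrementing 32-bit number, starting from 0
    info: ProcessInfo   # no timing information here


@dataclass
class PacketRecord:
    timestamp: float
    payload: bytes
    process_index: Optional[int]   # reference into the process blocks, or None


@dataclass
class CaptureModel:
    blocks: List[ProcessBlock] = field(default_factory=list)
    records: List[PacketRecord] = field(default_factory=list)


class Writer:
    """Emit a process block only when a process is seen for the first time."""

    def __init__(self) -> None:
        self.capture = CaptureModel()
        self._index_by_process: Dict[ProcessInfo, int] = {}

    def add_packet(self, ts: float, payload: bytes, proc: Optional[ProcessInfo]) -> None:
        idx: Optional[int] = None
        if proc is not None:
            idx = self._index_by_process.get(proc)
            if idx is None:
                idx = len(self.capture.blocks)
                if idx > 0xFFFFFFFF:          # the index is a 32-bit number
                    raise OverflowError("too many distinct processes")
                self.capture.blocks.append(ProcessBlock(idx, proc))
                self._index_by_process[proc] = idx
        self.capture.records.append(PacketRecord(ts, payload, idx))


def blocks_are_consistent(capture: CaptureModel) -> bool:
    """Reader-side sanity check: blocks must be numbered 0, 1, 2, ... in file order."""
    return all(blk.index == pos for pos, blk in enumerate(capture.blocks))


def resolve(capture: CaptureModel) -> List[Tuple[float, Optional[ProcessInfo]]]:
    """Map every packet back to its process description (None if unattributed)."""
    if not blocks_are_consistent(capture):
        raise ValueError("process blocks are not numbered consecutively from 0")
    table = {blk.index: blk.info for blk in capture.blocks}
    out: List[Tuple[float, Optional[ProcessInfo]]] = []
    for rec in capture.records:
        if rec.process_index is None:
            out.append((rec.timestamp, None))
        elif rec.process_index not in table:
            raise ValueError(f"packet at {rec.timestamp} references unknown process block")
        else:
            out.append((rec.timestamp, table[rec.process_index]))
    return out


def build_sample() -> CaptureModel:
    """Constructed traffic: two processes, one packet with no process attribution."""
    a = ProcessInfo(pid=100, name="example-client")   # constructed values
    b = ProcessInfo(pid=200, name="example-daemon")   # constructed values
    w = Writer()
    w.add_packet(1.0, b"\x01", a)     # first sight of a -> block 0 emitted
    w.add_packet(1.5, b"\x02", b)     # first sight of b -> block 1 emitted
    w.add_packet(2.0, b"\x03", a)     # a again -> no new block, index 0 reused
    w.add_packet(2.5, b"\x04", None)  # no process known for this packet
    w.add_packet(3.0, b"\x05", b)     # b again -> index 1 reused
    return w.capture


if __name__ == "__main__":
    cap = build_sample()
    print([blk.index for blk in cap.blocks], [r.process_index for r in cap.records])
    for ts, proc in resolve(cap):
        print(ts, proc)
```

Running the module shows two process blocks for five packets, which is the whole point of the scheme: the per-process description is written once and every later packet from the same process carries only a four-byte index. The `resolve` function refuses a capture whose blocks are out of order or whose packets point at a block that was never written, which is the check a reader wants before trusting the attribution.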