Wireshark-dev: [Wireshark-dev] Feature Request: Process-Aware Packet Filtering and Captur

From: SHAiDA <ayubarbaty1@xxxxxxxxx>
Date: Sat, 24 May 2025 12:20:01 +0300
Dear Wireshark Development Team,

I hope this message finds you well.

I would like to suggest a feature enhancement for Wireshark that would greatly benefit malware analysts, forensic investigators, and application developers: the ability to filter and save captured traffic based on a specific process name or PID running on the host.

Currently, packet capture is interface-based, and while powerful, it lacks native visibility into which process is generating or receiving specific network traffic. Adding a feature to bind captured packets to the originating process would:

- Enable .pcap filtering or exporting per-process
- Allow targeted analysis of suspicious executables
- Improve correlation of traffic with endpoint behavior in live investigations

I realize this would involve integration with OS-specific APIs (e.g., GetExtendedTcpTable on Windows or /proc on Linux), but it would be a groundbreaking improvement for many use cases.

Thank you for your time, and for developing such an incredible tool for the networking and security community.

Best regards,
Ayub
Cybersecurity Analyst
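As an added illustration of the Linux /proc approach the request mentions (example code, not part of the original message and not Wireshark's own code): a small Python module that parses /proc/net/tcp into flow-to-inode entries, walks /proc/<pid>/fd to map socket inodes back to PIDs, and resolves a captured TCP flow's endpoints to the owning process. The /proc/net/tcp lines are constructed sample data, and the PID map used at the end is constructed too; on a live host you would call socket_inode_to_pid() instead.

```python
"""Map a TCP 4-tuple to its owning process via Linux /proc (added example)."""
import os
import re
import socket
import struct
from typing import Dict, Optional, Tuple
Flow = Tuple[str, int, str, int]  # (local_ip, local_port, remote_ip, remote_port)

def _parse_addr(hexaddr: str) -> Tuple[str, int]:
    """Decode /proc's '0100007F:0016' (little-endian IPv4, hex port) -> ('127.0.0.1', 22)."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text: str) -> Dict[Flow, int]:
    """Parse /proc/net/tcp text into {flow: socket inode}; inode 0 means no owner."""
    table: Dict[Flow, int] = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        lip, lport = _parse_addr(fields[1])
        rip, rport = _parse_addr(fields[2])
        table[(lip, lport, rip, rport)] = int(fields[9])
    return table

def socket_inode_to_pid(proc_root: str = "/proc") -> Dict[int, int]:
    """Walk /proc/<pid>/fd and map each 'socket:[inode]' link back to its PID."""
    owners: Dict[int, int] = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:  # process exited, or we lack permission to inspect it
            continue
        for match in filter(None, (re.fullmatch(r"socket:\[(\d+)\]", t) for t in links)):
            owners[int(match.group(1))] = int(pid)
    return owners

def pid_for_flow(flow: Flow, table: Dict[Flow, int], owners: Dict[int, int]) -> Optional[int]:
    """Return the PID owning `flow`, or None if no live socket matches it."""
    inode = table.get(flow, 0)
    return owners.get(inode) if inode else None

# Constructed sample in /proc/net/tcp format (not from a real host): a listener on
# 127.0.0.1:22 and an outbound HTTPS connection from 10.0.2.15 to 203.0.113.5.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A1B2 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""
```

Because the /proc snapshot is taken at a different instant than the capture, short-lived connections can be missed; sampling /proc frequently or using a kernel-side hook narrows that window.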