Dear Wireshark Development Team,
I hope this message finds you well.
I would like to suggest a feature enhancement for Wireshark that would greatly benefit malware analysts, forensic investigators, and application developers: the ability to filter and save captured traffic based on a specific process name or PID running on the host.
Currently, packet capture is interface-based, and while powerful, it lacks native visibility into which process is generating or receiving specific network traffic. Adding a feature to bind captured packets to the originating process would:
- Enable .pcap filtering or exporting per-process
- Allow targeted analysis of suspicious executables
- Improve correlation of traffic with endpoint behavior in live investigations
I realize this would involve integration with OS-specific APIs (e.g., GetExtendedTcpTable on Windows or /proc on Linux), but it would be a groundbreaking improvement for many use cases.
Thank you for your time, and for developing such an incredible tool for the networking and security community.
Best regards,
Ayub
Cybersecurity Analyst
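The request above maps a captured connection back to its owning process through OS facilities such as /proc on Linux. As an added illustration of how that correlation works today (this is not code from the e-mail or from the Wireshark project), the following Python script resolves a TCP 4-tuple to a PID by joining /proc/net/tcp (which lists each socket's inode) with the socket inodes found under /proc/<pid>/fd, and then emits a Wireshark display filter for everything a given PID owns. The /proc/net/tcp table, the inode-to-PID map and the PIDs 811 and 4242 are constructed sample data, and the decoder assumes a little-endian host, since the kernel prints addresses in host byte order.

```python
import os
import re
import socket
import struct
from typing import Dict, List, NamedTuple, Optional

# Constructed sample of /proc/net/tcp, modelled on the real kernel format:
# one LISTEN socket on 127.0.0.1:22 and one ESTABLISHED connection from
# 10.0.2.15:41394 to 34.216.184.93:443. Not captured from a real host.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A1B2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

# Constructed stand-in for the inode -> PID map that scan_socket_inodes()
# builds on a live Linux host. The PIDs are hypothetical.
SAMPLE_INODE_TO_PID: Dict[int, int] = {12345: 811, 67890: 4242}

# Socket states as encoded in the "st" column (include/net/tcp_states.h).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

_SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")


class Conn(NamedTuple):
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    inode: int


def _decode_endpoint(field: str):
    """Turn 'AABBCCDD:PPPP' into ('d.c.b.a', port).

    /proc/net/tcp prints the IPv4 address as a 32-bit value in host byte
    order, so on a little-endian machine the octets appear reversed.
    """
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[Conn]:
    """Parse the IPv4 TCP socket table (header line skipped)."""
    conns: List[Conn] = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 10:
            continue  # blank or truncated line
        lip, lport = _decode_endpoint(parts[1])
        rip, rport = _decode_endpoint(parts[2])
        state = TCP_STATES.get(parts[3], parts[3])
        conns.append(Conn(lip, lport, rip, rport, state, int(parts[9])))
    return conns


def scan_socket_inodes(proc_root: str = "/proc") -> Dict[int, int]:
    """Map socket inode -> PID by reading /proc/<pid>/fd/* symlinks.

    Linux only; seeing other users' processes needs root or CAP_SYS_PTRACE.
    Processes that exit mid-scan are skipped rather than raising.
    """
    inode_to_pid: Dict[int, int] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # exited or permission denied
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = _SOCKET_LINK.match(target)
            if m:
                inode_to_pid[int(m.group(1))] = int(entry)
    return inode_to_pid


def resolve_pid(conns: List[Conn], inode_to_pid: Dict[int, int],
                local_ip: str, local_port: int,
                remote_ip: str, remote_port: int) -> Optional[int]:
    """Return the PID owning the given 4-tuple, or None if not found."""
    for c in conns:
        if (c.local_ip, c.local_port, c.remote_ip, c.remote_port) == \
                (local_ip, local_port, remote_ip, remote_port):
            return inode_to_pid.get(c.inode)
    return None


def display_filter_for_pid(conns: List[Conn], inode_to_pid: Dict[int, int],
                           pid: int) -> str:
    """Build a Wireshark display filter covering every socket owned by pid.

    Listening sockets have no peer yet, so they contribute a port-only clause.
    """
    clauses = []
    for c in conns:
        if inode_to_pid.get(c.inode) != pid:
            continue
        if c.remote_port == 0:
            clauses.append(f"tcp.port == {c.local_port}")
        else:
            clauses.append(f"(ip.addr == {c.local_ip} && tcp.port == {c.local_port}"
                           f" && ip.addr == {c.remote_ip} && tcp.port == {c.remote_port})")
    return " || ".join(clauses)


if __name__ == "__main__":
    sample = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    print(display_filter_for_pid(sample, SAMPLE_INODE_TO_PID, 4242))
    if os.path.exists("/proc/net/tcp"):  # live run on a Linux host
        with open("/proc/net/tcp") as fh:
            live = parse_proc_net_tcp(fh.read())
        print(f"{len(live)} live IPv4 TCP sockets, "
              f"{len(scan_socket_inodes())} socket inodes mapped to PIDs")
```

The resulting filter string can be pasted into Wireshark or passed to tshark with `-Y` to isolate one process's traffic from an existing capture. The script covers only IPv4 TCP; /proc/net/tcp6 and /proc/net/udp follow the same layout and can be parsed the same way. The main limitation is also the reason the e-mail's request matters: the /proc tables are a snapshot, so a connection that opens and closes between scans is never attributed, which only capture-time tagging by the capture engine itself would fix. On Windows the equivalent join uses GetExtendedTcpTable with TCP_TABLE_OWNER_PID_ALL, which returns the owning PID directly instead of an inode.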