Wireshark-users: Re: [Wireshark-users] how can I show the application/process that was requesting

From: Greg Hauptmann <greg.hauptmann.ruby@xxxxxxxxx>
Date: Mon, 12 Jul 2010 10:26:05 +1000
Thanks Guy

re "looks up TCP and UDP packets in the OS's TCP or UDP socket tables" - do you know (simplistically) how Wireshark is different, out of curiosity? If it doesn't look up socket tables, what does it look up? (This reflects the fact I don't understand the network stack on a Windows PC, I guess.)

On 12 July 2010 03:40, Guy Harris <guy@xxxxxxxxxxxx> wrote:

On Jul 11, 2010, at 3:01 AM, Greg Hauptmann wrote:

> Is there a way with Wireshark, when running it on a Windows PC (say XP, Vista, or Windows 7), to have a column which shows the name of the application/process/service that was requesting/receiving the traffic? For example, it might be "firefox" for some of the internet traffic...

Currently, no.

> Or is this just not possible with Wireshark (which uses the WinPCap library under-the-bonnet I think?)

Yes, it uses WinPcap, but that's not the issue.  As far as I know, no packet capture mechanism directly provides that mechanism; I infer from a statement on the Network Monitor blog that Network Monitor, for example, looks up TCP and UDP packets in the OS's TCP or UDP socket tables to *attempt* to relate packets to processes.  Wireshark doesn't do that.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe



--
Greg
http://blog.gregnet.org/
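The socket-table lookup Guy describes, shown as an added example (this is not Wireshark's, WinPcap's or Network Monitor's code): take the address 4-tuple from a captured TCP segment, find the matching entry in the kernel's socket table, and map that socket to its owning process. It assumes the Linux /proc/net/tcp format and a separately built inode-to-process map (on a live Linux box that map comes from reading the `socket:[inode]` links under /proc/<pid>/fd; on Windows the same information is what `netstat -o` prints). The socket-table text and the inode owners below are constructed sample data. A miss returns None, which is the case Guy's "attempt" hints at: a packet from a connection that has already closed, or that has not been entered in the table yet, cannot be attributed.

```python
"""Relate captured TCP packets to local processes via the OS socket table.

Added illustration of the socket-table lookup; assumes the Linux
/proc/net/tcp layout. Sample table and inode owners are constructed.
"""
import os
from typing import Dict, Optional, Tuple

# Constructed sample of /proc/net/tcp. Addresses are hex; the IPv4 part is
# in host byte order (little-endian on x86), so 0100007F is 127.0.0.1 and
# 0200000A is 10.0.0.2. Ports are big-endian hex (1F90 = 8080, 01BB = 443).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0200000A:B2F4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample of what walking /proc/<pid>/fd would give: inode -> (pid, name).
SAMPLE_INODE_OWNERS: Dict[int, Tuple[int, str]] = {
    12345: (4242, "python3"),
    23456: (1337, "firefox"),
}

TCP_LISTEN = 0x0A  # socket state code used by /proc/net/tcp

FourTuple = Tuple[str, int, str, int]


def _decode_addr(hex_addr: str) -> Tuple[str, int]:
    """Turn '0100007F:1F90' into ('127.0.0.1', 8080)."""
    ip_hex, port_hex = hex_addr.split(":")
    octets = bytes.fromhex(ip_hex)[::-1]  # undo host byte order
    return ".".join(str(o) for o in octets), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> Dict[FourTuple, Tuple[int, int]]:
    """Map (local_ip, local_port, remote_ip, remote_port) -> (state, inode)."""
    table: Dict[FourTuple, Tuple[int, int]] = {}
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue
        lip, lport = _decode_addr(fields[1])
        rip, rport = _decode_addr(fields[2])
        table[(lip, lport, rip, rport)] = (int(fields[3], 16), int(fields[9]))
    return table


def lookup_process(packet: FourTuple, table: Dict[FourTuple, Tuple[int, int]],
                   inode_owners: Dict[int, Tuple[int, str]]) -> Optional[Tuple[int, str]]:
    """Resolve a captured packet (src_ip, src_port, dst_ip, dst_port) to (pid, name).

    The local side may be either source or destination, so both orientations
    are tried; a SYN to a listening port is matched against LISTEN entries,
    whose remote side is recorded as 0.0.0.0:0. None means no attribution.
    """
    src_ip, src_port, dst_ip, dst_port = packet
    for key in ((src_ip, src_port, dst_ip, dst_port),
                (dst_ip, dst_port, src_ip, src_port)):
        entry = table.get(key)
        if entry is not None:
            return inode_owners.get(entry[1])
    for (lip, lport, rip, rport), (state, inode) in table.items():
        if (state == TCP_LISTEN and rport == 0
                and lport in (src_port, dst_port)
                and lip in (src_ip, dst_ip, "0.0.0.0")):
            return inode_owners.get(inode)
    return None


def live_inode_owners() -> Dict[int, Tuple[int, str]]:
    """Build the inode -> (pid, comm) map from a live Linux /proc (not used by the sample)."""
    owners: Dict[int, Tuple[int, str]] = {}
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                link = os.readlink(f"/proc/{pid}/fd/{fd}")
                if link.startswith("socket:["):
                    owners[int(link[8:-1])] = (int(pid), comm)
        except OSError:
            continue  # process exited or not ours to inspect
    return owners


if __name__ == "__main__":
    table = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    pkt = ("34.216.184.93", 443, "10.0.0.2", 45812)  # constructed inbound segment
    print(pkt, "->", lookup_process(pkt, table, SAMPLE_INODE_OWNERS))
```

Because the table is read at lookup time rather than at capture time, the attribution is a best-effort correlation, not a property of the packet; that is the practical reason a capture library like WinPcap has nothing to hand Wireshark here.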