... and I forgot to attach the patch. Here it is.
On Tue, Dec 11, 2012 at 4:45 PM, Bogdan Harjoc <[email protected]> wrote:
> I'd like to submit the code I'm using on windows to filter captured
> traffic based on the process name.
>
> When debugging traffic generated by a local browser (say chrome) on my
> machine that also runs other browsers, messengers, etc, it's useful to only
> see the traffic I'm interested in. This patch is a functional solution for
> me, although only on windows for now.
>
> I know this was brought up before, mostly as a wish. Current issues with
> this patch:
>
> - it uses GetExtendedTcpTable/GetExtendedUdpTable, so no support for ICMP,
> ARP, etc
> (this information is identical to what netstat -o -b provides)
>
> - it gets the information as the packets arrive from winpcap, so the PID
> may exit by the time we see the packet
> (similarly, the connection may be closed and not show up on netstat,
> especially for UDP)
>
> - I haven't looked at how to avoid doing anything when the capture is
> offline (or the src and dst are not local)
>
> - maybe querying process names could be done out of the capture thread, to
> avoid delays
>
> But all of these would be fixed by a proper implementation, i.e. winpcap
> could also send PID+processname if available, like netmon from MSFT does. I
> could have a try at this if there is interest.
>
> In short:
> - installer based on svn r46443 (msvc-2010) is at
> http://patraulea.com/hacks/wireshark/Wireshark-win32-1.9.0-pidfilter.exe
> - feedback would be great
>
> Regards,
> Bogdan Harjoc
Attachment: wireshark-1.9-process-info.patch (binary data)
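The quoted message describes the lookup the patch does on Windows: take the socket table the OS exposes (GetExtendedTcpTable/GetExtendedUdpTable, the same data `netstat -o -b` prints), find the entry whose protocol and local address:port match the captured packet's local endpoint, and keep only packets whose owning process has the wanted name. The Python below is an added, hypothetical model of that matching logic, not the patch's C code and not part of this thread. It parses a constructed snapshot laid out like `netstat -o -b` output (the sample rows, PIDs and process names are made up), resolves packets by whichever endpoint is local, falls back to wildcard-bound (0.0.0.0) listeners, and returns nothing for a packet whose socket is already gone, which is the race the message points out (process exited, or a short-lived UDP socket closed, before the packet reached the dissector). The local address set is assumed to be known; the real code would take it from the capture interface.

```python
"""Attribute captured packets to the local process owning the socket.

Hypothetical model (added example, not the patch's implementation) of the
lookup described in the mailing-list message. On Windows the table would
come from GetExtendedTcpTable/GetExtendedUdpTable; here it is parsed from a
constructed snapshot in the layout of `netstat -o -b`.
"""
import re
from collections import namedtuple

Socket = namedtuple("Socket", "pid name")
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")

# Constructed sample snapshot modelled on `netstat -o -b` output. In that
# layout the owning process name follows each row on its own bracketed line;
# rows the tool cannot attribute carry an explanatory line instead.
NETSTAT_SNAPSHOT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    192.168.1.5:49731      93.184.216.34:443      ESTABLISHED     4120
 [chrome.exe]
  TCP    192.168.1.5:49800      40.99.1.2:443          ESTABLISHED     6200
 [outlook.exe]
  UDP    0.0.0.0:5353           *:*                                    3312
 [mdnsresponder.exe]
  UDP    192.168.1.5:60001      *:*                                    4120
 [chrome.exe]
"""

# A socket row: proto, local ip:port, foreign endpoint, optional state, pid.
_ROW = re.compile(r"^\s+(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:\S+\s+)?(\d+)\s*$")
# The bracketed process-name line that follows a row.
_OWNER = re.compile(r"^\s+\[(.+)\]\s*$")


def parse_netstat(text):
    """Return {(proto, local_ip, local_port): Socket(pid, name)}.

    name stays None for rows without a bracketed owner line (e.g. kernel
    sockets such as the SMB listener owned by PID 4).
    """
    table = {}
    pending = None  # key of the most recent row, awaiting its owner line
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            proto, ip, port, pid = m.groups()
            pending = (proto, ip, int(port))
            table[pending] = Socket(int(pid), None)
            continue
        m = _OWNER.match(line)
        if m and pending is not None:
            table[pending] = Socket(table[pending].pid, m.group(1))
            pending = None
    return table


def resolve(packet, table, local_ips):
    """Return the Socket that owns `packet`, or None.

    None covers the cases the message lists: neither endpoint is local
    (offline capture, forwarded traffic), or the socket no longer exists
    because the process exited or a UDP socket closed before we looked.
    """
    for ip, port in ((packet.src_ip, packet.src_port),
                     (packet.dst_ip, packet.dst_port)):
        if ip not in local_ips:
            continue
        # Exact binding first, then a wildcard-bound socket on that port.
        for key in ((packet.proto, ip, port), (packet.proto, "0.0.0.0", port)):
            if key in table:
                return table[key]
    return None


def filter_by_process(packets, table, local_ips, name):
    """Keep only packets whose owning process name matches (case-insensitive).
    Packets that cannot be attributed are dropped from the filtered view."""
    kept = []
    for p in packets:
        sock = resolve(p, table, local_ips)
        if sock is not None and sock.name and sock.name.lower() == name.lower():
            kept.append(p)
    return kept


# Constructed packets: two belong to chrome.exe, one to outlook.exe, one is
# mDNS to the wildcard UDP listener, one hits a socket that is no longer in
# the table (the race the message describes).
LOCAL_IPS = {"192.168.1.5", "127.0.0.1"}
SAMPLE_PACKETS = [
    Packet("TCP", "93.184.216.34", 443, "192.168.1.5", 49731),
    Packet("UDP", "192.168.1.5", 60001, "8.8.8.8", 53),
    Packet("TCP", "192.168.1.5", 49800, "40.99.1.2", 443),
    Packet("UDP", "192.168.1.5", 5353, "224.0.0.251", 5353),
    Packet("TCP", "192.168.1.5", 49999, "203.0.113.9", 443),
]

if __name__ == "__main__":
    table = parse_netstat(NETSTAT_SNAPSHOT)
    for p in SAMPLE_PACKETS:
        print(p, "->", resolve(p, table, LOCAL_IPS))
    print("chrome.exe:", filter_by_process(SAMPLE_PACKETS, table, LOCAL_IPS, "chrome.exe"))
```

Two points the model makes visible: a per-packet lookup against a snapshot is only as fresh as the snapshot, so the table has to be refreshed (ideally off the capture thread, as the message suggests) and an unattributable packet should be reported as such rather than silently dropped when the goal is investigation rather than noise reduction; and wildcard listeners need the 0.0.0.0 fallback or inbound traffic to services is never attributed.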
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe
