Do I need to enable something first for Wireshark to capture this information?

Yes, you need to enable the "Display process information via IPFIX" TCP preference and the "Collect process flow information" UDP preference. (And, as the "via IPFIX" indicates, there needs to be IPFIX traffic to provide process information about the endpoints of a TCP connection or the sending and receiving endpoints of UDP traffic.)

If you haven't permanently set them in Wireshark, you can set them for a particular TShark run on the command line, using the names of the preferences, which are tcp.display_process_info_from_ipfix and udp.process_info, so you'd want a command like

tshark -o tcp.display_process_info_from_ipfix:true -o udp.process_info:true -r wireshark_capture.pcapng -q -z conv,ip -T fields -E separator=, -E quote=d -e tcp.proc.srccmd -e tcp.proc.srcuid -e tcp.proc.srcpid
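As an added example (not part of the original answer, and not Wireshark project code), the Python below assembles the same TShark invocation from the two preference names and the three tcp.proc.* fields, and then parses the quoted CSV that `-T fields -E separator=, -E quote=d` produces. Because the verifier has no tshark or capture available, the block parses a constructed sample of such output rather than a real capture; the command strings, uids and pids in SAMPLE_OUTPUT are made up for the example. The `-q -z conv,ip` statistics block is left out of the generated command so that stdout is pure CSV.

```python
"""Build the TShark command from the answer above and parse its field output.

SAMPLE_OUTPUT below is constructed for this example; it is not real TShark
output from any capture.
"""
import csv
import io
import shutil
import subprocess
from collections import Counter

# Preference names from the answer; both must be true for the IPFIX-derived
# process fields to be populated.
PREFS = {
    "tcp.display_process_info_from_ipfix": "true",
    "udp.process_info": "true",
}

# Process information for the source side of each TCP packet.
FIELDS = ["tcp.proc.srccmd", "tcp.proc.srcuid", "tcp.proc.srcpid"]


def build_tshark_cmd(pcap_path, fields=FIELDS, prefs=PREFS):
    """Return the tshark argv as a list (no shell quoting needed, so a
    capture path containing spaces is passed through unchanged)."""
    cmd = ["tshark"]
    for name, value in prefs.items():
        cmd += ["-o", f"{name}:{value}"]
    cmd += ["-r", pcap_path, "-T", "fields",
            "-E", "separator=,", "-E", "quote=d"]
    for field in fields:
        cmd += ["-e", field]
    return cmd


def parse_fields_output(text, fields=FIELDS):
    """Parse `-T fields -E separator=, -E quote=d` output into dicts.

    Each value is double-quoted by TShark, so a command line that itself
    contains a comma still parses as one field. Packets for which no IPFIX
    record supplied process information come out as empty strings and are
    dropped."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(fields):
            continue  # blank line or a stray non-CSV line
        rec = dict(zip(fields, row))
        if not any(rec.values()):
            continue  # no process information for this packet
        records.append(rec)
    return records


def summarize_by_process(records):
    """Count packets per (uid, pid, command) triple: a quick view of which
    processes on the exporting host were the source of the TCP traffic."""
    counter = Counter(
        (r["tcp.proc.srcuid"], r["tcp.proc.srcpid"], r["tcp.proc.srccmd"])
        for r in records
    )
    return dict(counter)


def run_tshark(pcap_path):
    """Run tshark on a real capture (only when it is installed) and return
    the parsed records."""
    if shutil.which("tshark") is None:
        raise RuntimeError("tshark not found on PATH")
    out = subprocess.run(build_tshark_cmd(pcap_path), capture_output=True,
                         text=True, check=True).stdout
    return parse_fields_output(out)


# Constructed sample of what the command's output could look like once the
# preferences are enabled and IPFIX has supplied process information.
SAMPLE_OUTPUT = (
    '"/usr/bin/curl","1000","4242"\n'
    '"/usr/bin/curl","1000","4242"\n'
    '"/usr/sbin/sshd","0","777"\n'
    '"/opt/agent/collector --tags=a,b","1000","5151"\n'
    '"","",""\n'
)


if __name__ == "__main__":
    print(" ".join(build_tshark_cmd("wireshark_capture.pcapng")))
    for key, count in summarize_by_process(parse_fields_output(SAMPLE_OUTPUT)).items():
        print(count, key)
```

To run it against a real capture, call run_tshark("wireshark_capture.pcapng"); the empty-field check matters in practice because every packet without a matching IPFIX process record still produces a CSV line.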