
How do I get information about the processes corresponding to TCP and UDP endpoints?

asked 2020-03-19 01:13:07 +0000


updated 2020-03-19 02:28:00 +0000


Hi All,

I'm trying to get some process information using the fields:

tcp.proc.dstpid
tcp.proc.dstuid
tcp.proc.dstcmd
tcp.proc.srcpid
tcp.proc.srcuid
tcp.proc.srccmd
udp.proc.dstpid
udp.proc.dstuid
udp.proc.dstcmd
udp.proc.srcpid
udp.proc.srcuid
udp.proc.srccmd

For example:

tshark -r wireshark_capture.pcapng -q -z conv,ip -T fields -E separator=, -E quote=d -e tcp.proc.srccmd -e tcp.proc.srcuid -e tcp.proc.srcpid

However my output is always blank.

Do I need to enable something first for Wireshark to capture this information?

Thanks in advance.


1 Answer


answered 2020-03-19 02:26:44 +0000


updated 2020-03-19 02:27:04 +0000

Do I need to enable something first for Wireshark to capture this information?

Yes, you need to enable the "Display process information via IPFIX" TCP preference and the "Collect process flow information" UDP preference. (And, as the "via IPFIX" indicates, there needs to be IPFIX traffic to provide process information about the endpoints of a TCP connection or the sending and receiving endpoints of UDP traffic.)

If you haven't permanently set them in Wireshark, you can set them for a particular TShark run on the command line, using the names of the preferences, which are tcp.display_process_info_from_ipfix and udp.process_info, so you'd want a command like

tshark -o tcp.display_process_info_from_ipfix:true -o udp.process_info:true -r wireshark_capture.pcapng -q -z conv,ip -T fields -E separator=, -E quote=d -e tcp.proc.srccmd -e tcp.proc.srcuid -e tcp.proc.srcpid

Comments

Thanks for the response.

I tried what you said but still have no output. Looks like I have no IPFIX traffic. At present I'm just testing this between a few Linux and Windows hosts on the same network.

Cheers, Lance.

lance23au (2020-03-25 04:13:30 +0000)
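The following wrapper is an added example, not code from the original question, the answer, or the Wireshark project. It runs the TShark invocation from the answer above with the two preference overrides, but first counts IPFIX records in the capture, since the tcp.proc.* and udp.proc.* fields are only ever populated from IPFIX process-information records; an empty count explains blank output, as in the comment above. It also leaves out -q for the field extraction: when reading from a file, -q suppresses per-packet output, so -T fields lines never print when -q and -z conv,ip are combined in one run. It assumes tshark is on PATH and that the capture path is passed as the first argument (the -z conv,ip table is printed in a separate run at the end).

```shell
#!/bin/sh
# Added example (not from the original post or from Wireshark): check for
# IPFIX records before expecting tcp.proc.*/udp.proc.* fields, then run the
# field extraction with the two preferences from the answer enabled.
# Assumptions: tshark on PATH; $1 is a readable pcap/pcapng file.
set -eu

# Preference overrides named in the answer (tshark -o name:value).
PREFS="-o tcp.display_process_info_from_ipfix:true -o udp.process_info:true"

# Arguments for the field extraction, without -r <file> so the file name
# can be quoted separately.  -q is deliberately omitted: when reading a
# file it suppresses per-packet output, which is exactly what -T fields
# produces, so the original command printed nothing from these -e fields.
proc_fields_args() {
    printf '%s' "$PREFS -T fields -E header=y -E separator=, -E quote=d -E occurrence=f \
-e ip.src -e tcp.srcport -e tcp.proc.srcpid -e tcp.proc.srcuid -e tcp.proc.srccmd \
-e ip.dst -e tcp.dstport -e tcp.proc.dstpid -e tcp.proc.dstuid -e tcp.proc.dstcmd"
}

# Number of IPFIX packets in the capture.  The cflow dissector handles
# NetFlow v5/v9 and IPFIX; IPFIX is version 10 of that header.
ipfix_packet_count() {
    tshark -r "$1" -Y 'cflow.version == 10' -T fields -e frame.number | wc -l | tr -d ' '
}

main() {
    capture="$1"
    n="$(ipfix_packet_count "$capture")"
    if [ "$n" -eq 0 ]; then
        echo "no IPFIX records in $capture: tcp.proc.*/udp.proc.* will be empty" >&2
        echo "(these fields come only from IPFIX process-information records)" >&2
    else
        echo "$n IPFIX packets in $capture; extracting process fields" >&2
    fi
    # shellcheck disable=SC2046  (intentional word splitting of the arg string)
    tshark -r "$capture" $(proc_fields_args)
    # Conversation table, as in the original command; -q is fine here.
    tshark -r "$capture" $PREFS -q -z conv,ip
}

if [ "${1:-}" != "" ]; then
    main "$1"
fi
```

Run it as `sh tshark_proc_fields.sh wireshark_capture.pcapng`. On a LAN with no flow exporter the first message will fire every time; the process fields are not something TShark can derive from the packets themselves, they have to be exported by something on the host or network that emits IPFIX with process information.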


Stats

Seen: 787 times

Last updated: Mar 19 '20