Ask Your Question
0

show process name (Windows)

asked 2022-03-25 17:43:42 +0000

mgroen gravatar image

I used to use Microsoft Network Monitor.

Trying Wireshark now, however, first question which come to my mind: How do I add process name on the capture window?

edit retag flag offensive close merge delete

Comments

For that you have use the Sysinternals tools to obtain the information and add it as comments in the pcapng packets. Currently there is not automated way to do that that I am aware of.

hugo.vanderkooij gravatar imagehugo.vanderkooij ( 2022-03-28 07:22:51 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-03-25 23:37:05 +0000

Guy Harris gravatar image

Wireshark doesn't support that.

edit flag offensive delete link more

Comments

Could it be implemented in future edition of Wireshark?

mgroen gravatar imagemgroen ( 2022-03-26 21:05:45 +0000 )edit

The problem mainly lies in npcap and the data and interfaces available to it, adding subsequent support to Wireshark to display the info wouldn't be difficult.

grahamb gravatar imagegrahamb ( 2022-03-27 17:21:08 +0000 )edit

There are multiple ways of implementing this:

  • if the Npcap driver could fetch a "process name" of some sort for each packet it sees, and pcapng were to add a "process name" option to packet blocks, it could be done in that fashion;
  • if there were an API for Wireshark to get information about active sockets, with endpoint information and a process name, and a new pcapng block type were added to store that information, Wireshark could use that to determine, for TCP and UDP packets, a socket from which the packet was sent or for which it was intended, it could use that (on any platform where it can do that) to determine a process name.

Note that a table of that sort, internal to the kernel, might be what would be used for the first of those solutions.

Guy Harris gravatar imageGuy Harris ( 2022-03-27 17:45:40 +0000 )edit

I used to believe obtaining the process id or name requires elevation. Certainly netstat -b does, but the PowerShell Get-NetTcpConnection doesn't seem to need that.

However, I think that attempting to obtain the process info after receipt of a packet from npcap might be prone to errors, particularly affected by Windows reuse of process IDs.

grahamb gravatar imagegrahamb ( 2022-03-27 19:04:42 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-03-25 17:43:42 +0000

Seen: 5,375 times

Last updated: Mar 25 '22