
show process name (Windows)

asked Mar 25 '2

mgroen

I used to use Microsoft Network Monitor.

Trying Wireshark now, however, the first question which comes to my mind: How do I add the process name to the capture window?


Comments

For that you have to use the Sysinternals tools to obtain the information and add it as comments in the pcapng packets. Currently there is no automated way to do that that I am aware of.

hugo.vanderkooij ( Mar 28 '2 )

1 Answer


answered Mar 25 '2

Guy Harris

Wireshark doesn't support that.


Comments

Could it be implemented in future edition of Wireshark?

mgroen ( Mar 26 '2 )

The problem mainly lies in npcap and the data and interfaces available to it; adding subsequent support to Wireshark to display the info wouldn't be difficult.

grahamb ( Mar 27 '2 )

There are multiple ways of implementing this:

  • if the Npcap driver could fetch a "process name" of some sort for each packet it sees, and pcapng were to add a "process name" option to packet blocks, it could be done in that fashion;
  • if there were an API for Wireshark to get information about active sockets, with endpoint information and a process name, and a new pcapng block type were added to store that information, Wireshark could use that to determine, for TCP and UDP packets, the socket from which the packet was sent or for which it was intended, and could then use that (on any platform where it can do so) to determine a process name.

Note that a table of that sort, internal to the kernel, might be what would be used for the first of those solutions.

Guy Harris ( Mar 27 '2 )

I used to believe obtaining the process id or name requires elevation. Certainly netstat -b does, but the PowerShell Get-NetTcpConnection doesn't seem to need that.

However, I think that attempting to obtain the process info after receipt of a packet from npcap might be prone to errors, particularly affected by Windows reuse of process IDs.

grahamb ( Mar 27 '2 )
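The manual workaround hugo.vanderkooij describes (look the socket up with external tooling, then record the result as a packet comment) and the two caveats grahamb raises (no elevation needed for Get-NetTCPConnection; PID reuse makes after-the-fact lookups unreliable) can be exercised with a few lines of PowerShell. The script below is an added example, not code from this thread or from the Wireshark or Npcap projects. It snapshots the socket owner table with Get-NetTCPConnection and Get-NetUDPEndpoint, resolves one packet's 4-tuple to a process, and re-checks the process start time so a recycled PID is not reported as the original owner. The function names, the `<exited>` placeholder and the packet endpoints in the usage section are my own assumptions; the endpoint values are constructed for illustration and correspond to what `tshark -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport` prints for a real capture.

```powershell
# Added example (not from the thread, Wireshark or Npcap). Runs as a normal user;
# Get-NetTCPConnection / Get-NetUDPEndpoint expose OwningProcess without elevation,
# but Get-Process may refuse StartTime for processes owned by other accounts, which
# the code treats as "unknown" rather than failing.

function Get-SocketOwnerTable {
    # Snapshot every TCP connection and UDP endpoint together with the owning PID
    # and that process's start time. The start time is what later lets us detect
    # that Windows has handed the PID to a different process (PID reuse).
    $procs = @{}
    foreach ($p in Get-Process) { $procs[[int]$p.Id] = $p }

    $rows = @()
    foreach ($c in Get-NetTCPConnection) {
        $p = $procs[[int]$c.OwningProcess]
        $name = '<exited>'; $start = $null
        if ($p) { $name = $p.ProcessName; try { $start = $p.StartTime } catch { } }
        $rows += [pscustomobject]@{
            Proto = 'TCP'; Local = "$($c.LocalAddress):$($c.LocalPort)"
            Remote = "$($c.RemoteAddress):$($c.RemotePort)"; State = $c.State
            Pid = [int]$c.OwningProcess; Name = $name; StartTime = $start
        }
    }
    foreach ($u in Get-NetUDPEndpoint) {
        $p = $procs[[int]$u.OwningProcess]
        $name = '<exited>'; $start = $null
        if ($p) { $name = $p.ProcessName; try { $start = $p.StartTime } catch { } }
        $rows += [pscustomobject]@{
            Proto = 'UDP'; Local = "$($u.LocalAddress):$($u.LocalPort)"
            Remote = '*'; State = 'n/a'
            Pid = [int]$u.OwningProcess; Name = $name; StartTime = $start
        }
    }
    return $rows
}

function Resolve-PacketOwner {
    param(
        [Parameter(Mandatory)] $Table,
        [Parameter(Mandatory)] [ValidateSet('TCP','UDP')] [string] $Proto,
        [Parameter(Mandatory)] [string] $SrcIp, [Parameter(Mandatory)] [int] $SrcPort,
        [Parameter(Mandatory)] [string] $DstIp, [Parameter(Mandatory)] [int] $DstPort
    )
    # A captured packet has one local and one remote end but we do not know which
    # is which, so try both orientations. Pass 1: exact local endpoint (plus exact
    # remote endpoint for established TCP). Pass 2: wildcard-bound listeners.
    $orient = @(
        @{ L = "${SrcIp}:${SrcPort}"; R = "${DstIp}:${DstPort}"; P = $SrcPort },
        @{ L = "${DstIp}:${DstPort}"; R = "${SrcIp}:${SrcPort}"; P = $DstPort }
    )
    foreach ($o in $orient) {
        $hit = $Table | Where-Object {
            ($_.Proto -eq $Proto) -and ($_.Local -eq $o.L) -and
            (($_.Remote -eq $o.R) -or ($_.Remote -eq '*') -or ($_.Remote -like '0.0.0.0:*') -or ($_.Remote -like ':::*'))
        } | Select-Object -First 1
        if ($hit) { return $hit }
    }
    foreach ($o in $orient) {
        $hit = $Table | Where-Object {
            ($_.Proto -eq $Proto) -and (($_.Local -eq "0.0.0.0:$($o.P)") -or ($_.Local -eq ":::$($o.P)"))
        } | Select-Object -First 1
        if ($hit) { return $hit }
    }
    return $null
}

function Test-OwnerStillValid {
    param([Parameter(Mandatory)] $Owner)
    # PID-reuse guard: the PID is only trustworthy if the process that currently
    # holds it started at the same instant as the one recorded in the snapshot.
    $p = Get-Process -Id $Owner.Pid -ErrorAction SilentlyContinue
    if (-not $p -or -not $Owner.StartTime) { return $false }
    try { return ($p.StartTime -eq $Owner.StartTime) } catch { return $false }
}

# Usage: take the snapshot as close in time to the capture as possible, then feed
# it the endpoints of the packet you want annotated. Values below are constructed.
$table = Get-SocketOwnerTable
$owner = Resolve-PacketOwner -Table $table -Proto TCP `
    -SrcIp 192.0.2.10 -SrcPort 51234 -DstIp 198.51.100.7 -DstPort 443
if ($owner -and (Test-OwnerStillValid $owner)) {
    # This line is what you would paste into the packet comment in Wireshark.
    "owner: pid={0} name={1} socket={2}->{3} state={4}" -f $owner.Pid, $owner.Name, $owner.Local, $owner.Remote, $owner.State
} elseif ($owner) {
    "pid {0} was {1} at snapshot time but has since been reused or exited" -f $owner.Pid, $owner.Name
} else {
    "no socket owner found for that 4-tuple (short-lived flow, or snapshot taken too late)"
}
```

Two design points follow directly from the thread. The snapshot is taken once, up front, rather than per packet, because a socket for a short-lived flow is gone by the time you look, so the lookup has to race the capture rather than follow it. And the start-time comparison in `Test-OwnerStillValid` is the minimum needed to make a post-hoc PID lookup honest: without it, a PID that Windows recycled between snapshot and lookup would be reported under the wrong process name, which is exactly the failure mode described above.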


Last updated: Mar 25 '22