Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

asked 2020-03-19 01:13:07 +0000

lance23au gravatar image

Process Information

Hi All,

I'm trying to get some process information using the fields:

tcp.proc.dstpid tcp.proc.dstuid tcp.proc.dstcmd tcp.proc.srctpid tcp.proc.srcuid tcp.proc.srccmd udp.proc.dstpid udp.proc.dstuid udp.proc.dstcmd udp.proc.srctpid udp.proc.srcuid udp.proc.srccmd

For example:

tshark -r wireshark_capture.pcapng -q -z conv,ip -T fields -E separator=, -E quote=d -e tcp.proc.srccmd -e tcp.proc.srcuid -e tcp.proc.srcpid

However my output is always blank.

Do I need to enable something first for Wireshark to capture this information?

Thanks in advance.

click to hide/show revision 2
None

updated 2020-03-19 02:28:00 +0000

Guy Harris gravatar image

Process Information

Hi All,

I'm trying to get some process information using the fields:

tcp.proc.dstpid tcp.proc.dstuid tcp.proc.dstcmd tcp.proc.srctpid tcp.proc.srcuid tcp.proc.srccmd udp.proc.dstpid udp.proc.dstuid udp.proc.dstcmd udp.proc.srctpid udp.proc.srcuid udp.proc.srccmd

For example:

tshark -r wireshark_capture.pcapng -q -z conv,ip -T fields -E separator=, -E quote=d -e tcp.proc.srccmd -e tcp.proc.srcuid -e tcp.proc.srcpid

However my output is always blank.

Do I need to enable something first for Wireshark to capture this information?

Thanks in advance.

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2