Ethereal-users: Re: [Ethereal-users] Discovering the process that generated a packet

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Guy Harris" <gharris@xxxxxxxxx>
Date: Wed, 11 Jan 2006 14:47:24 -0800 (PST)
secjunky wrote:
> So this is my question, is there a way to configure ethereal to display
> the process that generated the packet in question?

No.  There is no such feature in Ethereal.  Somebody would have to write
code to implement it.

The way that'd work would be *EXTREMELY* OS-specific (the Linux code is of
no use for any OS other than Linux, and the same would apply to Windows
code, etc.).

Note also that, on *ANY* OS:

    it'd only work on live captures, not on saved capture files (the
process might not *exist* at the time you read the capture file);

    it'd only work if the OS supports a mechanism for finding the process
(or processes!) with a socket open with the given address and port;

    it'd only work if you're doing the capture on the machine sending the
packet;

    it'd only work if either

        1) the process is running at the time you look at the packet, and
has that socket open

    or

        2) Ethereal is doing an "Update list of packets in real time"
capture (or is otherwise dissecting the packet enough to get the
address and port from which it was sent) and saves that
information with the conversation data structure.

> I found this on the ethereal forum (
> http://www.ethereal.com/lists/ethereal-dev/200110/msg00129.html), but it
> is very old and is far beyond my menial coding experience.

And it's Linux-only, as noted.  Almost all of the code would have to be
*completely* redone for Windows - at least half of the code in
"process_info.c" would be of no use on Windows.
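The Linux-only lookup Guy describes, as an added example that is neither Ethereal code nor the process_info.c patch from the linked thread: it joins /proc/net/tcp (local address and port to socket inode) with the "socket:[inode]" links under /proc/<pid>/fd. The /proc/net/tcp text below is a constructed sample; a real run has every limitation listed above (live only, on the sending host, while the socket is still open) and needs root to read other users' fd tables.

```python
import os
import socket
import struct
from typing import Dict, List, Optional, Tuple

# Constructed sample of /proc/net/tcp: header row, a listener on 127.0.0.1:8080
# (inode 12345) and an established socket from 10.0.2.15:53924 (inode 67890).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:D2A4 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

def decode_addr(hex_addr: str) -> Tuple[str, int]:
    """'0100007F:1F90' -> ('127.0.0.1', 8080); IPv4 is host-order hex as on x86, port is hex."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text: str) -> Dict[Tuple[str, int], int]:
    """Map (local_ip, local_port) -> socket inode from the text of /proc/net/tcp."""
    table: Dict[Tuple[str, int], int] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue                      # header row or truncated line
        table[decode_addr(fields[1])] = int(fields[9])
    return table

def pids_for_inode(inode: int, proc: str = "/proc") -> List[int]:
    """PIDs whose fd table holds 'socket:[inode]' (several processes can share one socket)."""
    target = f"socket:[{inode}]"
    owners: List[int] = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            if any(os.readlink(os.path.join(fd_dir, fd)) == target for fd in os.listdir(fd_dir)):
                owners.append(int(pid))
        except OSError:                   # exited mid-scan, or fd table not readable without root
            continue
    return owners

def process_for_packet(src_ip: str, src_port: int, proc: str = "/proc") -> Optional[List[int]]:
    """Live lookup of the process(es) behind a packet's source socket. Returns None when
    no local socket matches: it already closed, or the capture was not taken on this host."""
    with open(os.path.join(proc, "net", "tcp")) as f:
        table = parse_proc_net_tcp(f.read())
    inode = table.get((src_ip, src_port))
    return None if inode is None else pids_for_inode(inode, proc)
```

Only TCP over IPv4 is covered; /proc/net/udp and /proc/net/tcp6 have the same column layout but IPv6 addresses are 32 hex digits in four host-order words.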