Wireshark-bugs: [Wireshark-bugs] [Bug 1184] *Shark should support associating TCP and UDP packet
Date: Thu, 8 Dec 2011 12:03:02 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1184

Guy Harris <guy@xxxxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Platform|x86                         |All
            Summary|Linux Enhancement to /proc  |*Shark should support
                   |                            |associating TCP and UDP
                   |                            |packets with processes
         OS/Version|Linux (other)               |All

--- Comment #2 from Guy Harris <guy@xxxxxxxxxxxx> 2011-12-08 12:03:00 PST ---
This shouldn't be specified as a Linux-specific feature; the problem isn't
"*shark isn't using /proc to associate packets with processes", the problem is
"*shark isn't, on OSes that provide a way for applications to ask what local
processes are using endpoint {address}:{port}:{transport protocol} locally or
remotely, using that mechanism to attempt to indicate which process or
processes sent or received particular packets".  (Note that multiple processes
can share a file descriptor and can thus share an endpoint.)

Network Monitor does this on Windows, and the mechanism isn't secret; Mac OS X
and, I think, at least some other BSD-flavored OSes provide a way to do that as
well.

We'd probably want to add a new block type to pcap-ng to save
process-to-endpoint mappings in the capture file.

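As an added illustration (not part of the bug report and not Wireshark code), this sketch shows the Linux /proc form of the lookup comment #2 describes: join socket inodes from a /proc/net/tcp table with the `socket:[inode]` targets of each process's file descriptors, allowing several processes per endpoint. All function names are hypothetical, the table and descriptor data are constructed samples, and address decoding assumes IPv4 on a little-endian host.

```python
import re
from collections import defaultdict

# Constructed sample in /proc/net/tcp layout (not taken from a real host).
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40001 1
   1: 0A00000A:D431 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 40002 1
   2: 0A00000A:D432 0A0200C0:01BB 06 00000000:00000000 03:00000A5C 00000000     0        0 0 3
"""
# Constructed stand-in for readlink() over /proc/<pid>/fd/*: pid -> link targets.
FD_LINKS = {
    812: ["/dev/null", "socket:[40001]"],
    813: ["socket:[40001]", "pipe:[5150]"],  # forked worker sharing the listener
    990: ["socket:[40002]", "/var/log/app.log"],
}
SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")

def decode_endpoint(hexpair):
    """'0100007F:1F90' -> ('127.0.0.1', 8080). Assumes IPv4 on a little-endian host."""
    addr, port = hexpair.split(":")
    return ".".join(str(b) for b in reversed(bytes.fromhex(addr))), int(port, 16)

def parse_sockets(text, proto):
    """Yield (inode, (proto, local, remote)) for each row after the header."""
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10:
            yield int(f[9]), (proto, decode_endpoint(f[1]), decode_endpoint(f[2]))

def owners_by_inode(fd_links):
    """Invert pid -> fd targets into socket inode -> set of pids."""
    owners = defaultdict(set)
    for pid, targets in fd_links.items():
        for target in targets:
            m = SOCKET_LINK.fullmatch(target)
            if m:
                owners[int(m.group(1))].add(pid)
    return owners

def map_endpoints(text, fd_links, proto="tcp"):
    """Return {endpoint: sorted pids}; inode 0 (e.g. TIME_WAIT) has no owner."""
    owners = owners_by_inode(fd_links)
    return {ep: sorted(owners.get(inode, ())) if inode else []
            for inode, ep in parse_sockets(text, proto)}

if __name__ == "__main__":
    for ep, pids in map_endpoints(PROC_NET_TCP, FD_LINKS).items():
        print(ep, "->", pids or "no owning process found")
```

On a live Linux host the two inputs would come from reading /proc/net/tcp and calling readlink on each /proc/<pid>/fd entry, which requires permission to inspect other users' processes.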