I don't see how. The PID doesn't make it onto the wire (generally speaking), plus Wireshark allows you to look at what's on the wire - potentially all machines which are communicating over the wire. Process IDs aren't unique across different machines, anyway.
If you want to follow an application that still has to be started then it's certainly possible:

docker run -t -i ubuntu /bin/bash

(change "ubuntu" to your favorite distro, this doesn't have to be the same as in your real system)

In Wireshark, instead of any, wlan0, eth0, ... choose the new virtual interface docker0.

You might have some doubts about running your software in a container, so here are the answers to the questions you probably want to ask:
You can check for port numbers with these filter examples in Wireshark:
tcp.port==80
tcp.port==14220
Just in case you are looking for an alternate way and the environment you use is Windows, Microsoft's Network Monitor 3.3 is a good choice. It has a process name column. You can easily add it to a filter using the context menu and apply the filter. As usual, the GUI is very intuitive...
On Windows there is an experimental build that does this, as described on the mailing list, Filter by local process name
This is an important thing to be able to do for monitoring where certain processes try to connect to, and it seems there isn't any convenient way to do this on Linux. However, several workarounds are possible, and so I feel it is worth mentioning them.
There is a program called nonet which allows running a program with no Internet access (I have most program launchers on my system set up with it). It uses setgid to run a process in group nonet and sets an iptables rule to refuse all connections from this group.

Update: by now I use an even simpler system: you can easily have a readable iptables configuration with ferm, and just use the program sg to run a program with a specific group. Iptables also allows you to reroute traffic, so you can even route that to a separate interface or a local proxy on a port which allows you to filter in Wireshark, or LOG the packets directly from iptables if you don't want to disable all Internet while you are checking out traffic.
It's not very complicated to adapt it to run a program in a group and cut all other traffic with iptables for the execution lifetime and then you could capture traffic from this process only.
If I ever come round to writing it, I'll post a link here.
On another note, you can always run a process in a virtual machine and sniff the correct interface to isolate the connections it makes, but that would be quite an inferior solution...
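The group-plus-iptables approach described in the answer above, as an added example (this is not code from the answer, nor from the nonet or ferm projects). It assumes a group named by SNIFF_GROUP already exists (groupadd sniff), an iptables with the owner match and the LOG, REDIRECT and REJECT targets, root privileges when the rules are actually applied, and, for redirect mode, a local proxy already listening on SNIFF_PROXY_PORT. The owner match only sees locally generated packets on the OUTPUT path, which is exactly the case here.

```shell
#!/bin/sh
# Added example, not code from the original answer or from the nonet/ferm
# projects: isolate one program's traffic by running it under a dedicated group
# (sg) and matching that group with iptables' owner match (OUTPUT path only).
# Assumptions: group $SNIFF_GROUP exists (groupadd sniff), iptables with the
# owner match and LOG/REDIRECT/REJECT targets, root when rules are applied.
# Modes: log      - write the group's packets to the kernel log (dmesg / journalctl -k)
#        redirect - send the group's outbound TCP to a local proxy port, so the
#                   flows can be captured on lo with "tcp.port==<port>"
#        block    - nonet-style: refuse every connection from the group

GROUP="${SNIFF_GROUP:-sniff}"
PROXY_PORT="${SNIFF_PROXY_PORT:-8080}"

# Print the iptables commands for a mode rather than running them, so they can
# be reviewed (and tested) without root. $1 mode, $2 group, $3 proxy port.
sniff_rules() {
  case "$1" in
    log)
      printf '%s\n' \
        "iptables -t filter -N SNIFF_$2" \
        "iptables -t filter -A OUTPUT -m owner --gid-owner $2 -j SNIFF_$2" \
        "iptables -t filter -A SNIFF_$2 -j LOG --log-prefix \"sniff-$2: \" --log-level info" ;;
    redirect)
      printf '%s\n' \
        "iptables -t nat -A OUTPUT -m owner --gid-owner $2 -p tcp ! -d 127.0.0.0/8 -j REDIRECT --to-ports ${3:-8080}" ;;
    block)
      printf '%s\n' \
        "iptables -t filter -A OUTPUT -m owner --gid-owner $2 -j REJECT --reject-with icmp-port-unreachable" ;;
    *)
      echo "sniff_rules: unknown mode '$1' (log|redirect|block)" >&2
      return 1 ;;
  esac
}

# The same rules turned into their undo commands: -A becomes -D, -N becomes -X,
# and the order is reversed so a chain is emptied and unreferenced before -X.
sniff_cleanup_rules() {
  sniff_rules "$@" | sed 's/ -A / -D /; s/ -N / -X /' | sed -n '1!G;h;$p'
}

# Apply the rules, run the command as a member of the group, then remove the
# rules again. Usage (as root): sniff_run log curl https://example.net/
# Note: sg joins the arguments with spaces, so quote complex commands yourself.
sniff_run() {
  mode="$1"; shift
  sniff_rules "$mode" "$GROUP" "$PROXY_PORT" | sh -e || return 1
  sg "$GROUP" -c "$*"
  status=$?
  sniff_cleanup_rules "$mode" "$GROUP" "$PROXY_PORT" | sh
  return $status
}

if [ "$#" -gt 0 ]; then
  case "$1" in
    rules) shift; sniff_rules "$@" ;;
    run)   shift; sniff_run "$@" ;;
    *)     echo "usage: $0 rules <mode> <group> [port] | run <mode> <command...>" >&2; exit 1 ;;
  esac
fi
```

In log mode the packets show up in the kernel log with the "sniff-<group>: " prefix; in redirect mode you capture on lo and filter on the proxy port in Wireshark; block mode is the nonet behaviour. Child processes that change their group escape the match, so this isolates the program, not an arbitrary process tree.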
In some cases you cannot filter by process ID. For example, in my case I needed to sniff traffic from one process, but I found the target machine's IP address in its config, added the filter ip.dst==someip, and voila. It won't work in every case, but for some it's useful.
You could match the port numbers from wireshark up to port numbers from, say, netstat which will tell you the PID of a process listening on that port.
Using strace is more suitable for this situation.

strace -f -e trace=network -s 10000 -p <PID>

Options: -f to also trace all forked processes, -e trace=network to only show network system calls, and -s to display strings up to 10000 characters long.

You can also trace only certain calls, like send, recv and read operations:

strace -f -e trace=send,recv,read -s 10000 -p <PID>
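The strace output from the answer above can be turned into a Wireshark display filter, which is the missing step between "trace the process" and "see only its packets". The script below is an added example, not code from the answer; the strace lines in it are constructed to match strace's output format and are not a capture from any real host. It assumes IPv4 sockets (sin_addr/sin_port); IPv6 lines are skipped, and each term accepts both tcp.port and udp.port because the connect()/sendto() lines alone do not say which protocol the socket uses.

```shell
#!/bin/sh
# Added example, not code from the original answer: turn the connect()/sendto()
# lines printed by `strace -f -e trace=network` into a Wireshark display filter
# that isolates the traced process's flows. Assumes IPv4 sockets (sin_addr and
# sin_port); IPv6 lines (sin6_*) are skipped, and each term matches both TCP
# and UDP on the observed port because strace's connect()/sendto() lines alone
# do not say which protocol the socket uses.

# stdin: strace output; stdout: deduplicated "ADDR PORT" pairs.
strace_endpoints() {
  grep -E 'connect\(|sendto\(' |
    sed -n 's/.*sin_port=htons(\([0-9][0-9]*\)), sin_addr=inet_addr("\([0-9.][0-9.]*\)").*/\2 \1/p' |
    LC_ALL=C sort -u
}

# stdin: "ADDR PORT" pairs; stdout: one OR-joined Wireshark display filter.
endpoints_to_filter() {
  awk '{
    term = "(ip.addr==" $1 " && (tcp.port==" $2 " || udp.port==" $2 "))"
    filter = (filter == "") ? term : filter " || " term
  }
  END { print filter }'
}

strace_to_filter() {
  strace_endpoints | endpoints_to_filter
}

# Constructed sample in the format strace prints (not a capture from a real
# host): two connects to the same HTTPS endpoint, one DNS sendto, and one IPv6
# connect that the IPv4-only parser must skip.
SAMPLE_STRACE='[pid  4242] socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
[pid  4242] connect(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
[pid  4243] sendto(5, "\24\1\1\0\0\1\0\0\0\0\0\0", 12, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 12
[pid  4243] connect(6, {sa_family=AF_INET6, sin6_port=htons(443), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::1", &sin6_addr), sin6_scope_id=0}, 28) = 0
[pid  4242] connect(7, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = 0'

# Real use: strace -f -e trace=network -o trace.log -p <PID>; strace_to_filter < trace.log
if [ "$#" -gt 0 ] && [ "$1" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_STRACE" | strace_to_filter
fi
```

Run strace with -o to write the trace to a file, then pipe the file through strace_to_filter and paste the result into Wireshark's filter bar. Because the filter is built from remote endpoints, it will also match any other local process talking to the same address and port; for that case the local-port approach below is tighter.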
Get the port number using netstat:

netstat -b

And then use the Wireshark filter:

tcp.port == portnumber
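The netstat -b switch used above (print the executable that owns each connection) is a Windows one; the Linux counterpart of this answer and of the earlier "match the port numbers from netstat" suggestion is ss -tnp, which prints the owning process of every TCP socket. The script below is an added example, not code from either answer; its ss lines are constructed in the layout of `ss -H -tnp` and are not taken from a real host. It assumes the capture runs on the same host as the process (local ports only mean something there) and that ss is run as root, which it needs to show other users' processes.

```shell
#!/bin/sh
# Added example, not code from the original answers: the Linux counterpart of
# "netstat -b". `ss -H -tnp` prints the owning process of every TCP socket, so
# the sockets of one PID can be picked out and their local ports turned into a
# Wireshark display filter. Assumes the capture runs on the same host as the
# process and that ss runs as root (needed to see other users' processes).

# stdin: output of `ss -H -tnp`; $1: PID. stdout: that PID's local ports, one per line.
ss_local_ports() {
  grep "pid=$1," |
    awk '{ n = split($4, a, ":"); print a[n] }' |
    LC_ALL=C sort -un
}

# stdin: ports; stdout: "tcp.port==A || tcp.port==B ..." (empty if the PID has no sockets).
ports_to_filter() {
  awk '{ term = "tcp.port==" $1; f = (f == "") ? term : f " || " term } END { print f }'
}

ss_filter_for_pid() {
  ss_local_ports "$1" | ports_to_filter
}

# Constructed sample in `ss -H -tnp` layout (State Recv-Q Send-Q Local Peer Process),
# not taken from a real host. pid=12345 is there to check that the "pid=1234,"
# match does not also catch it; the IPv6 line checks the [addr]:port split.
SAMPLE_SS='ESTAB 0 0 192.168.1.5:49152 192.0.2.10:443 users:(("firefox",pid=1234,fd=56))
ESTAB 0 0 192.168.1.5:49153 192.0.2.10:443 users:(("firefox",pid=1234,fd=57))
ESTAB 0 0 192.168.1.5:41000 192.0.2.20:22 users:(("ssh",pid=999,fd=3))
ESTAB 0 0 [::1]:36000 [::1]:8080 users:(("curl",pid=12345,fd=5))'

# Real use: ss -H -tnp | ss_filter_for_pid <PID>
if [ "$#" -gt 0 ] && [ "$1" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_SS" | ss_filter_for_pid 1234
fi
```

This is a snapshot: connections the process opens and closes between two runs of ss never appear, which is why the strace approach is better for short-lived flows. Local ephemeral ports are reused over time, so rebuild the filter when the process reconnects.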
Use Microsoft Message Analyzer v1.4.

Navigate to ProcessId in the field chooser:

Etw -> EtwProviderMsg -> EventRecord -> Header -> ProcessId

Right click and Add as Column.
Source: Stackoverflow.com