Filter by process PID in Wireshark

Question

Is there a way to filter follow a TCP SSL stream based on a particular process ID using Wireshark

User · Answer

Use Microsoft Message Analyzer v1 4  Navigate to ProcessId from the field chooser   Etw - gt  EtwProviderMsg -- gt  EventRecord --- gt  Header ---- gt  ProcessId   Right click and Add as Column

User · Answer

You can check for port numbers with these command examples on wireshark -  tcp port  80  tcp port  14220

User · Answer

Get the port number using netstat   netstat -b   And then use the Wireshark filter   tcp port    portnumber

User · Answer

This is an important thing to be able to do for monitoring where certain processes try to connect to  and it seems there isn t any convenient way to do this on Linux  However  several workarounds are possible  and so I feel it is worth mentioning them   There is a program called nonet which allows running a program with no Internet access  I have most program launchers on my system set up with it   It uses setguid to run a process in group nonet and sets an iptables rule to refuse all connections from this group   Update  by now I use an even simpler system  you can easily have a readable iptables configuration with ferm  and just use the program sg to run a program with a specific group  Iptables also alows you to reroute traffic so you can even route that to a separate interface or a local proxy on a port whith allows you to filter in wireshark or LOG the packets directly from iptables if you don t want to disable all internet while you are checking out traffic   It s not very complicated to adapt it to run a program in a group and cut all other traffic with iptables for the execution lifetime and then you could capture traffic from this process only   If I ever come round to writing it  I ll post a link here   On another note  you can always run a process in a virtual machine and sniff the correct interface to isolate the connections it makes  but that would be quite an inferior solution

User · Answer

In some cases you can not filter by process id  For example  in my case i needed to sniff traffic from one process  But I found in its config target machine IP-address  added filter ip dst  someip and voila  It won t work in any case  but for some it s useful

User · Answer

You could match the port numbers from wireshark up to port numbers from  say  netstat which will tell you the PID of a process listening on that port

User · Answer

If you want to follow an application that still has to be started then it s certainly possible    Install docker  see https   docs docker com engine installation linux docker-ce ubuntu   Open a terminal and run a tiny container  docker run -t -i ubuntu  bin bash  change  ubuntu  to your favorite distro  this doesn t have to be the same as in your real system  Install your application in the container using the same way that you would install it in a real system  Start wireshark in your real system  go to capture   options   In the window that will open you ll see all your interfaces  Instead of choosing any  wlan0  eth0      choose the new virtual interface docker0 instead  Start capturing Start your application in the container   You might have some doubts about running your software in a container  so here are the answers to the questions you probably want to ask    Will my application work inside a container   Almost certainly yes  but you might need to learn a bit about docker to get it working Won t my application run slow   Negligible  If your program is something that runs heavy calculations for a week then it might now take a week and 3 seconds What if my software or something else breaks in the container   That s the nice thing about containers  Whatever is running inside can only break the current container and can t hurt the rest of the system

User · Answer

On Windows there is an experimental build that does this  as described on the mailing list  Filter by local process name

User · Answer

Use strace is more suitable for this situation    strace -f -e trace network -s 10000 -p  lt PID gt     options -f to also trace all forked processes  -e trace netwrok to only filter network system-call and -s to display string length up to 10000 char    You can also only trace certain calls like send recv  read operations    strace -f -e trace send recv read -s 10000 -p  lt PID gt

User · Answer

I don t see how  The PID doesn t make it onto the wire  generally speaking   plus Wireshark allows you to look at what s on the wire - potentially all machines which are communicating over the wire  Process IDs aren t unique across different machines  anyway

User · Answer

Just in case you are looking for an alternate way and the environment you use is Windows  Microsoft s Network Monitor 3 3 is a good choice  It has the process name column  You easily add it to a filter using the context menu and apply the filter   As usual the GUI is very intuitive

[wireshark] Filter by process/PID in Wireshark

Examples related to wireshark