Filter by process/PID in Wireshark
Solution 1
I don't see how. The PID doesn't make it onto the wire (generally speaking), plus Wireshark allows you to look at what's on the wire - potentially all machines which are communicating over the wire. Process IDs aren't unique across different machines, anyway.
Solution 2
Just in case you are looking for an alternate way and the environment you use is Windows, Microsoft's Network Monitor 3.3 is a good choice. It has the process name column. You can easily add it to a filter using the context menu and apply the filter. As usual the GUI is very intuitive...
Solution 3
You could match the port numbers from wireshark up to port numbers from, say, netstat which will tell you the PID of a process listening on that port.
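As an added example (not code from the answer or from Wireshark), this is the netstat-to-PID join described above done on a snapshot of Linux "ss -tnp" output; the SS_SAMPLE lines are constructed sample data and the port numbers and PIDs in them are invented:

```python
import re
from typing import List, Tuple

# Constructed sample of Linux `ss -tnp` output (not captured from a real host).
# `netstat -tnp` on Linux or `netstat -ano` on Windows expose the same local-port / PID fields.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
ESTAB  0      0      192.168.1.20:51234   93.184.216.34:443  users:(("firefox",pid=4321,fd=57))
ESTAB  0      0      192.168.1.20:51240   93.184.216.34:443  users:(("firefox",pid=4321,fd=61))
LISTEN 0      128    0.0.0.0:8080         0.0.0.0:*          users:(("python3",pid=7777,fd=3))
ESTAB  0      0      127.0.0.1:33000      127.0.0.1:8080     users:(("curl",pid=9001,fd=5))
"""

# One socket line: state, two queue counters, local addr:port, peer addr:port, users:(("name",pid=N,...))
SOCKET_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+\S+:\S+'
    r'\s+users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)'
)

Socket = Tuple[int, str, int]  # (pid, process name, local port)

def parse_ss(text: str) -> List[Socket]:
    """Extract (pid, name, local_port) from every socket line; the header line is skipped."""
    sockets = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            sockets.append((int(m["pid"]), m["name"], int(m["lport"])))
    return sockets

def ports_for_pid(sockets: List[Socket], pid: int) -> List[int]:
    """Local ports a process held at the moment ss ran (sorted, de-duplicated)."""
    return sorted({port for p, _, port in sockets if p == pid})

def owners_of_port(sockets: List[Socket], port: int) -> List[Tuple[int, str]]:
    """Reverse lookup for a port seen in Wireshark. Returns a list because more than
    one socket (a listener plus its accepted connections) can share a local port."""
    return sorted({(p, name) for p, name, lp in sockets if lp == port})

def wireshark_filter(ports: List[int], proto: str = "tcp") -> str:
    """Display filter selecting traffic on any of the given ports. Ephemeral ports are
    reused, so re-run ss during the capture and rebuild the filter when the process
    opens new connections; the mapping is only valid for the snapshot it came from."""
    return " || ".join(f"{proto}.port == {p}" for p in ports)

if __name__ == "__main__":
    socks = parse_ss(SS_SAMPLE)
    print(wireshark_filter(ports_for_pid(socks, 4321)))
```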
Solution 4
Use Microsoft Message Analyzer v1.4.
Navigate to ProcessId from the field chooser:
Etw -> EtwProviderMsg -> EventRecord -> Header -> ProcessId
Right click and Add as Column.
Solution 5
If you want to follow an application that still has to be started then it's certainly possible:
- Install docker (see https://docs.docker.com/engine/installation/linux/docker-ce/ubuntu/)
- Open a terminal and run a tiny container:
  docker run -t -i ubuntu /bin/bash
  (change "ubuntu" to your favorite distro, this doesn't have to be the same as in your real system)
- Install your application in the container using the same way that you would install it in a real system.
- Start wireshark in your real system, go to capture > options. In the window that will open you'll see all your interfaces. Instead of choosing any, wlan0, eth0, ... choose the new virtual interface docker0 instead.
- Start capturing
- Start your application in the container
You might have some doubts about running your software in a container, so here are the answers to the questions you probably want to ask:
- Will my application work inside a container? Almost certainly yes, but you might need to learn a bit about docker to get it working
- Won't my application run slow? Negligible. If your program is something that runs heavy calculations for a week then it might now take a week and 3 seconds
- What if my software or something else breaks in the container? That's the nice thing about containers. Whatever is running inside can only break the current container and can't hurt the rest of the system.

Ryan Fernandes
Updated on July 08, 2022

Comments
- Ryan Fernandes, over 13 years ago: Good point. That's what I thought too. Let me wait for a day before closing this, just in case there is a Wireshark ninja out there who manages to do this.
- Ryan Fernandes, over 13 years ago: Well, this might not work. The program opens up and closes a lot of local and remote ports.
- Admin, over 10 years ago: That does, within Wireshark, the "You could match the port numbers from wireshark up to port numbers from, say, netstat which will tell you the PID of a process listening on that port." stuff from Tom Woolfrey's comment, so it is (as the message notes) subject to the limitations of that mechanism.
- g t, over 9 years ago: Microsoft Network Monitor 3.4 is at microsoft.com/en-us/download/details.aspx?id=4865
- Dojo, over 8 years ago: Wireshark knows which port is being used and the OS knows the PID of the process that is using the port. With code changes, it should be possible for Wireshark to map port to PID. There are some cases where this would fail, like when the OS reallocates a port to a different app just before Wireshark queries the OS for the PID for a port. So this won't be foolproof and glitch-proof, but if the user is made aware of these limitations it would still be a useful feature.
- Cameron, about 8 years ago: There's also Microsoft Message Analyzer which is basically Microsoft's version of Wireshark (and the successor to Network Monitor as I understand), but a little better integrated. In the column chooser, under 'Etw'->'EtwProviderMsg' there's a column for 'PID'. It works well!
- aeb0, over 6 years ago: I'm not sure this is a foolproof way. If you have a TCP server listening on a port but have not blocked the kernel's TCP handling, either or both of the kernel or your application could respond on the port.
- Tobias J, over 6 years ago: Thanks for pointing me in the direction of this, it's exactly what I needed. FWIW, the "ProcMon" top-level group seems to contain the same ProcessId, as well as other info such as process name, ParentId, etc.
- r590, over 6 years ago: The exact path is EtwProviderMsg -> EventRecord -> Header -> ProcessId
- c00000fd, about 6 years ago: I just tried it and that Microsoft Message Analyzer is such a dull piece of software! Almost brought my system to a crawl. Very counterintuitive UI too. Did anyone find a way to clear the list with collected data? I gave up and uninstalled that piece of garbage. (PS. Too bad that Wireshark devs didn't add a feature to connect PID/Process name to a port in the filter. It's very easy to do. This may be critical to see what's going on in the process during its startup. As a workaround I could get a general idea using ProcMon from SysInternals.)
- Vesper, about 6 years ago: I say just add a module to Wireshark that listens for port opens/closes and maps PID to port. Sync that with the main process and you've got a perfect port-to-process mapper. However, reading the bug from the question comment, the module isn't as simple to create.
- Bionix1441, over 5 years ago: I have multiple processes running on the loopback interface, I need to know what are the processes that are running in the streams. Can someone tell me if there is a possible way in Wireshark?
- Skipper, over 5 years ago: I just discovered the Microsoft Message Analyzer recently and it's such a useful tool! How is it possible that I've never heard of it? So underrated. It has great filtering capabilities due to much better integration with Windows than Wireshark. I've switched to it on all of my company hosts within ~3 months of working on it on a daily basis. Huge appreciation to @Cameron for his/her comment under that answer! :-)
- Cameron, over 5 years ago: @Skipper: Great! I've actually given up and gone back to Wireshark since I find it easier to filter there, but I must admit there's no matching the feature set.
- Tomáš Zato, almost 5 years ago: I remember the first time I downloaded Wireshark, it showed a process tree and you could select a process to monitor. Dunno when this option disappeared, but it was there.
- angularsen, about 3 years ago: Microsoft Message Analyzer was retired as of Nov 25, 2019. They recommend using Wireshark instead. docs.microsoft.com/en-us/openspecs/blog/ms-winintbloglp/…
- not2qubit, about 2 years ago: Please note that the x64 version of MMA is ~68.7 MB in size, and ends up in: C:\Program Files\Microsoft Message Analyzer\MessageAnalyzer.exe
- not2qubit, about 2 years ago: A shorter path is using: Procmon >> Process >> ProcessId. A good alternative is also using ParentProcessId, ProcessName. Then under Find, use: *ProcessId == 17460
- Joe Huang, almost 2 years ago: MMA is dead. MMA is dead.