Filter by process/PID in Wireshark

175,869

Solution 1

I don't see how. The PID doesn't make it onto the wire (generally speaking), plus Wireshark allows you to look at what's on the wire - potentially all machines which are communicating over the wire. Process IDs aren't unique across different machines, anyway.

Solution 2

Just in case you are looking for an alternate way and the environment you use is Windows, Microsoft's Network Monitor 3.3 is a good choice. It has the process name column. You can easily add it to a filter using the context menu and apply the filter. As usual, the GUI is very intuitive...

Solution 3

You could match the port numbers from Wireshark up to port numbers from, say, netstat, which will tell you the PID of a process listening on that port.
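An added example of the netstat-to-Wireshark matching this answer describes (not code from any answer on this page): it parses the Linux `netstat -tunap` column layout from a constructed sample, collects the local ports a given PID owns, and turns them into a Wireshark display filter. The snapshot is only valid for the instant netstat ran, so ephemeral ports that the process opens and closes later will not be in the filter.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -tunap` output (Linux column layout).
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      1490/postgres
tcp        0      0 10.0.0.5:48122          93.184.216.34:443       ESTABLISHED 2203/firefox
tcp        0      0 10.0.0.5:48130          93.184.216.34:443       ESTABLISHED 2203/firefox
tcp6       0      0 :::8080                 :::*                    LISTEN      3011/java
udp        0      0 0.0.0.0:68              0.0.0.0:*                           644/dhclient
tcp        0      0 10.0.0.5:48140          203.0.113.9:443         ESTABLISHED -
"""
# One socket line: proto, queues, local addr:port, foreign addr:port, optional state, PID/prog.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+|\*)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>\d+|-)(?:/(?P<prog>\S+))?\s*$"
)

def parse_netstat(text):
    """Return (proto, local_port, pid_or_None, program) tuples; a '-' PID means
    netstat could not attribute the socket (usually because it was not run as root)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # header and blank lines do not match the socket pattern
            pid = None if m["pid"] == "-" else int(m["pid"])
            rows.append((m["proto"].rstrip("6"), int(m["lport"]), pid, m["prog"]))
    return rows

def ports_for_pid(text, pid):
    """Local ports owned by pid, grouped by protocol, e.g. {'tcp': [48122, 48130]}."""
    ports = defaultdict(set)
    for proto, lport, owner, _ in parse_netstat(text):
        if owner == pid:
            ports[proto].add(lport)
    return {p: sorted(s) for p, s in ports.items()}

def display_filter(text, pid):
    """Wireshark display filter for this snapshot, e.g. 'tcp.port in {48122 48130}'.
    Ports are reused by the OS, so re-run netstat while the process is alive."""
    clauses = [f"{proto}.port in {{{' '.join(map(str, ports))}}}"
               for proto, ports in sorted(ports_for_pid(text, pid).items())]
    return " or ".join(clauses)
```

Paste the returned string into Wireshark's display filter bar; an empty string means netstat attributed no socket to that PID at snapshot time.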

Solution 4

Use Microsoft Message Analyzer v1.4

Navigate to ProcessId from the field chooser.

Etw
-> EtwProviderMsg
--> EventRecord
---> Header
----> ProcessId

Right click and Add as Column

Solution 5

If you want to follow an application that still has to be started then it's certainly possible:

  1. Install docker (see https://docs.docker.com/engine/installation/linux/docker-ce/ubuntu/)
  2. Open a terminal and run a tiny container: docker run -t -i ubuntu /bin/bash (change "ubuntu" to your favorite distro, this doesn't have to be the same as in your real system)
  3. Install your application in the container using the same way that you would install it in a real system.
  4. Start Wireshark in your real system, go to Capture > Options. In the window that will open you'll see all your interfaces. Instead of choosing any, wlan0, eth0, ... choose the new virtual interface docker0 instead.
  5. Start capturing
  6. Start your application in the container

You might have some doubts about running your software in a container, so here are the answers to the questions you probably want to ask:

  • Will my application work inside a container? Almost certainly yes, but you might need to learn a bit about docker to get it working.
  • Won't my application run slow? Negligible. If your program is something that runs heavy calculations for a week then it might now take a week and 3 seconds.
  • What if my software or something else breaks in the container? That's the nice thing about containers. Whatever is running inside can only break the current container and can't hurt the rest of the system.
Author: Ryan Fernandes

Programming a Commodore-C64 in BASIC gave me my first illusion of control. Programming Microcontrollers in Assembly ensured that I did not recover and convinced me to make software development my full time occupation. Currently a JEE practitioner and jQuery enthusiast

Updated on July 08, 2022

Comments

  • Ryan Fernandes
    Ryan Fernandes 11 months

    Is there a way to filter/follow a TCP/SSL stream based on a particular process ID using Wireshark?

  • Ryan Fernandes
    Ryan Fernandes over 13 years
    Good point, that's what I thought too. Let me wait for a day before closing this, just in case there is a Wireshark ninja out there who manages to do this.
  • Ryan Fernandes
    Ryan Fernandes over 13 years
    Well, this might not work. The program opens up and closes a lot of local and remote ports.
  • Admin
    Admin over 10 years
    That does, within Wireshark, the "You could match the port numbers from wireshark up to port numbers from, say, netstat which will tell you the PID of a process listening on that port." stuff from Tom Woolfrey's comment, so it is (as the message notes) subject to the limitations of that mechanism.
  • g t
    g t over 9 years
    Microsoft Network Monitor 3.4 is at microsoft.com/en-us/download/details.aspx?id=4865
  • Dojo
    Dojo over 8 years
    Wireshark knows which port is being used and the OS knows the PID of the process that is using the port. With code changes, it should be possible for Wireshark to map port to PID. There are some cases where this would fail, like when the OS reallocates a port to a different app just before Wireshark queries the OS for the PID for a port. So this won't be foolproof and glitch-proof, but if the user is made aware of these limitations it would still be a useful feature.
  • Cameron
    Cameron about 8 years
    There's also Microsoft Message Analyzer which is basically Microsoft's version of Wireshark (and the successor to Network Monitor as I understand), but a little better integrated. In the column chooser, under 'Etw'->'EtwProviderMsg' there's a column for 'PID'. It works well!
  • aeb0
    aeb0 over 6 years
    I'm not sure this is a foolproof way. If you have a TCP server listening on a port but have not blocked the kernel's TCP handling, either or both of the kernel or your application could respond on the port.
  • Tobias J
    Tobias J over 6 years
    Thanks for pointing me into the direction of this, it's exactly what I needed. FWIW, the "ProcMon" top-level group seems to contain the same ProcessId, as well as other info such as process name, ParentId, etc.
  • r590
    r590 over 6 years
    The exact path is EtwProviderMsg -> EventRecord -> Header -> ProcessId
  • c00000fd
    c00000fd about 6 years
    I just tried it and that Microsoft Message Analyzer is such a dull piece of software! Almost brought my system to a crawl. Very counterintuitive UI too. Did anyone find a way to clear the list with collected data? I gave up and uninstalled that piece of garbage. (PS. Too bad that Wireshark devs didn't add a feature to connect PID/Process name to a port in the filter. It's very easy to do. This may be critical to see what's going on in the process during its startup. As a workaround I could get general idea using ProcMon from SysInternals.)
  • Vesper
    Vesper about 6 years
    I say just add module to wireshark that listens for port opens/closes and maps PID to port. Sync that with main process and you've got a perfect port-to-process mapper. However, reading the bug from question comment, the module isn't as simple to create.
  • Bionix1441
    Bionix1441 over 5 years
    I have multiple processes running on the loopback interface, and I need to know which processes are running in the streams. Can someone tell me if there is a possible way in Wireshark?
  • Skipper
    Skipper over 5 years
    I just discovered the Microsoft Message Analyzer recently and it's such a useful tool! How is it possible that I've never heard of it? So underrated. It has great filtering capabilities due to much better integration with Windows than Wireshark. I've switched to it on all of my company hosts within ~3 months of working with it on a daily basis. Huge appreciation to @Cameron for his/her comment under that answer! :-)
  • Cameron
    Cameron over 5 years
    @Skipper: Great! I've actually given up and gone back to wireshark since I find it easier to filter there, but I must admit there's no matching the feature set.
  • Tomáš Zato
    Tomáš Zato almost 5 years
    I remember the first time I downloaded Wireshark, it showed a process tree and you could select a process to monitor. Dunno when this option disappeared, but it was there.
  • angularsen
    angularsen about 3 years
    Microsoft Message Analyzer was retired as of Nov 25, 2019. They recommend using Wireshark instead. docs.microsoft.com/en-us/openspecs/blog/ms-winintbloglp/…
  • sam1370
    sam1370 over 2 years
    For anyone looking for a Microsoft Message Analyzer download: https://… <-- 32 bit https://… <-- 64 bit
  • not2qubit
    not2qubit about 2 years
    Please note that the x64 version of MMA is ~68.7 MB in size, and ends up in: C:\Program Files\Microsoft Message Analyzer\MessageAnalyzer.exe.
  • not2qubit
    not2qubit about 2 years
    A shorter path is using: Procmon >> Process >> ProcessId. A good alternative is also using: ParentProcessId, ProcessName. Then under Find, use: *ProcessId == 17460.
  • Joe Huang
    Joe Huang almost 2 years
    MMA is dead. MMA is dead.