My current worflow is capture with pktmon, then analysis in Microsoft Network Monitor to expose PID stuff.
I figure there /has/ to be a way to do it similarly in Wireshark, I just haven't found a how-to and haven't dug into it myself. Once I do (it's on my casual todo list) I'll do a writeup on that as well, since it'd be super useful.
Not creating a capture and then downloading it, actual real time network captures.
[0] https://gist.github.com/milesrichardson/fcec8c6d54a21845dd9f...
happyPersonR•3h ago
armitron•3h ago
Anyone who relies on non-trivial packet capture or processing workflows, ditches Wireshark (optionally reusing dissectors) and writes custom tooling (which is very easy to do).
ellg•3h ago
I would absolutely love for someone to write a good alternative to wireshark.
elevation•2h ago
Once loaded, you have to be super careful. One update to the filter bar, like "!icmp" and you'll have to wait another 20 minutes for all the dissectors to be re-run (for some reason.)
As a previous commenter stated, if you work with Wireshark a lot, you eventually write your own tool for your performance needs. It feels magical to have a 3-page C program sitting over libpcap giving reports in miliseconds that would take wireshark minutes.
rhynolite•2h ago
It is quite easy to write specialized performance tools on top of `sharkd`, and since it has the entire power of the EPAN (including statistics, charts etc.), using `sharkd` is significantly more effective than reading straight from libpcap.
vdm•1h ago
rhynolite•1h ago
colechristensen•2h ago
Any demos available of something like this?
ellg•1h ago
As it stands though, using the gui bits of the wireshark family of tools is just painful, and slow (as you stated)
j45•14m ago
trillic•7m ago