My current worflow is capture with pktmon, then analysis in Microsoft Network Monitor to expose PID stuff.
I figure there /has/ to be a way to do it similarly in Wireshark, I just haven't found a how-to and haven't dug into it myself. Once I do (it's on my casual todo list) I'll do a writeup on that as well, since it'd be super useful.
> ptcpdump is a tcpdump-compatible packet analyzer powered by eBPF, automatically annotating packets with process/container/pod metadata when detectable. Inspired by jschwinger233/skbdump.
awesome-ebpf > Tools: https://github.com/zoidyzoidzoid/awesome-ebpf#tools
opensnitch is an egress firewall that displays PIDs: https://github.com/evilsocket/opensnitch
edgeshark: https://github.com/siemens/edgeshark :
> Discover and capture container network traffic from your comfy desktop Wireshark, using a containerized service and a Wireshark plugin.
Looks like it's possible to select containers from a GUI form with edgeshark. Perhaps something similar for process selection?
Not creating a capture and then downloading it, actual real time network captures.
[0] https://gist.github.com/milesrichardson/fcec8c6d54a21845dd9f...
happyPersonR•3mo ago
armitron•3mo ago
Anyone who relies on non-trivial packet capture or processing workflows, ditches Wireshark (optionally reusing dissectors) and writes custom tooling (which is very easy to do).
ellg•3mo ago
I would absolutely love for someone to write a good alternative to wireshark.
elevation•3mo ago
Once loaded, you have to be super careful. One update to the filter bar, like "!icmp" and you'll have to wait another 20 minutes for all the dissectors to be re-run (for some reason.)
As a previous commenter stated, if you work with Wireshark a lot, you eventually write your own tool for your performance needs. It feels magical to have a 3-page C program sitting over libpcap giving reports in miliseconds that would take wireshark minutes.
rhynolite•3mo ago
It is quite easy to write specialized performance tools on top of `sharkd`, and since it has the entire power of the EPAN (including statistics, charts etc.), using `sharkd` is significantly more effective than reading straight from libpcap.
vdm•3mo ago
rhynolite•3mo ago
colechristensen•3mo ago
Any demos available of something like this?
elevation•3mo ago
https://manpages.debian.org/stretch/libpcap0.8-dev/pcap_open...
ellg•3mo ago
As it stands though, using the gui bits of the wireshark family of tools is just painful, and slow (as you stated)
bobthebuilders•3mo ago
c0nsumer•3mo ago
Can you provide a reference? From what I can see this dissection was only added about five months ago: https://gitlab.com/wireshark/wireshark/-/commit/389f6356c9d5...
(And just hit release with 4.6.0.)
And I know with certainty that it did not work when I wrote my previous blog post about this, back in 2021.
So, from what I can see, the specific functionality to dissect Darwin metadata in pcapng captures, from macOS' tcpdump, has not been "...available for years.".
ItsHarper•3mo ago
j45•3mo ago
VPNs have existed for a long time, while wireshark is the current new curve, there will always be the next curve that emerges and evolves to replace the current one.
trillic•3mo ago
j45•3mo ago
Wireshark is great.
fujigawa•3mo ago
> People don’t realize there’s no real alternative
EtherPeek/OmniPeek has entered the chat
There were tools before Wireshark, and there will be tools after it's long gone. Just because you haven't heard of them doesn't mean they don't exist!