
When using Wireshark, one of the most frustrating things is filtering out what you need from a large number of packets. In particular, when we need to analyze the protocol of a particular program, it would be ideal to have the process name available as a filter.

I found an implementation when I checked the materials online, but the version is older, November 2012: Wireshark-dev: Re: Filter by local process name. I implemented it in a recent version with reference to its code and found it really works. I am modifying on the basis of this version.

Get the process corresponding to the IP packet

First, associate the process with the port number. Under Windows, you can use the netstat command to query the source address, destination address, port and process PID for each connection. This is done through the process_info.h and process_info.c implementation.

The relevant fragments of process_info.c:

```c
/* Process information (pid, process name) */

/* returns the name of the process based on the src:port - dst:port data from tvb */
const char *process_info_lookup(tvbuff_t *tvb)

/* When querying within the hash table, the loop visits every procinfo_t
 * structure that has the same hash value. */
for (e = process_hash[...]; e; e = e->next)

hproc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
len = GetProcessImageFileName(hproc, process_name, MAX_PATH);
e = g_malloc(offsetof(procinfo_t, name) + (len + 1));
/* must convert properly using WideCharToMultiByte here */
_snprintf(e->name, len + 1, "%.*S", len, process_name);

static guint lookup_addrs(guint16 proto, guint src_ip, guint16 src_port, guint dst_ip, guint16 dst_port)

/* src:dst matches src -> dst or dst -> src (established/connecting/closed/...) */
for (e = pair_hash[...]; e; e = e->next)
```
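As an added illustration of the netstat-based port-to-process association described above (this is not code from the post or from the Wireshark patch it refers to), the following portable C parses constructed `netstat -ano` text and resolves a packet's src:port / dst:port pair to the owning PID, matching in either direction as the patch's `lookup_addrs` comment describes. The Windows-only step of turning the PID into a process name (OpenProcess / GetProcessImageFileName) is left out so the code runs on any platform; `pid_for_flow`, `parse_netstat_line` and the sample rows are my own names and data.

```c
#include <stdio.h>
#include <string.h>

/* One "netstat -ano" row: local/remote endpoint plus the owning PID. */
typedef struct {
    char proto[8], local_ip[64], remote_ip[64];
    unsigned local_port, remote_port, pid;
} conn_t;

/* Split "ip:port" at the last ':' (so "[::1]:443" also works); "*:*" yields port 0. */
static int split_addr(const char *s, char *ip, size_t iplen, unsigned *port) {
    const char *c = strrchr(s, ':');
    if (!c || (size_t)(c - s) >= iplen) return 0;
    memcpy(ip, s, (size_t)(c - s)); ip[c - s] = '\0';
    if (sscanf(c + 1, "%u", port) != 1) *port = 0;
    return 1;
}

/* Parse one netstat line; header and blank lines are rejected (returns 0). */
int parse_netstat_line(const char *line, conn_t *out) {
    char local[64], remote[64], state[16];
    int n = sscanf(line, " %7s %63s %63s %15s %u", out->proto, local, remote, state, &out->pid);
    if (n == 4 && sscanf(state, "%u", &out->pid) == 1) n = 5;  /* UDP rows have no State column */
    if (n != 5 || (strcmp(out->proto, "TCP") && strcmp(out->proto, "UDP"))) return 0;
    return split_addr(local, out->local_ip, sizeof out->local_ip, &out->local_port) &&
           split_addr(remote, out->remote_ip, sizeof out->remote_ip, &out->remote_port);
}

/* Return the PID owning a flow, or 0 if no row matches. A row matches in either direction,
 * since a capture holds both the outgoing packets and the replies of the same connection. */
unsigned pid_for_flow(const char *netstat_text, const char *proto, const char *src_ip,
                      unsigned src_port, const char *dst_ip, unsigned dst_port) {
    char line[256]; conn_t e;
    while (*netstat_text) {
        const char *nl = strchr(netstat_text, '\n');
        size_t full = nl ? (size_t)(nl - netstat_text) : strlen(netstat_text);
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, netstat_text, len); line[len] = '\0';
        netstat_text += nl ? full + 1 : full;
        if (!parse_netstat_line(line, &e) || strcmp(e.proto, proto) != 0) continue;
        int fwd = !strcmp(e.local_ip, src_ip) && e.local_port == src_port &&
                  !strcmp(e.remote_ip, dst_ip) && e.remote_port == dst_port;
        int rev = !strcmp(e.local_ip, dst_ip) && e.local_port == dst_port &&
                  !strcmp(e.remote_ip, src_ip) && e.remote_port == src_port;
        if (fwd || rev) return e.pid;
    }
    return 0;
}
/* Constructed sample of "netstat -ano" output (not captured from a real host). */
static const char *SAMPLE_NETSTAT =
    "  Proto  Local Address          Foreign Address        State           PID\n"
    "  TCP    192.168.1.10:52341     93.184.216.34:443      ESTABLISHED     4321\n"
    "  UDP    0.0.0.0:5353           *:*                                    1234\n";
```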
