Filtering by process in Wireshark


1 Introduction

When working with Wireshark, the most tiresome job is sifting the packets you actually need out of a huge capture. This is especially true when you want to analyse the protocol of one particular program: being able to use the process name as a display filter would be ideal. While searching online I found an existing implementation, but it is rather old (November 2012); the original is here:

Wireshark · Wireshark-dev: Re: [Wireshark-dev] [PATCH] Filter by local process name

I reimplemented it on a recent version following that code and found that it does work.

I made my changes on top of this revision:

Revision: 0b8acdaf689b6a4bd3d6fc7c14ac20f172831a3e
Author: Oscar Gonzalez de Dios <oscar.gonzalezdedios@telefonica.com>
Date: 2021/7/28 22:38:58
Message:
Fixed trailing whitespaces

----
Modified: epan/dissectors/packet-pcep.c

2 Finding the process that owns an IP packet

First the process has to be associated with a port number. At any given moment a socket is identified by its local address:port and foreign address:port pair, so a packet's src:port and dst:port can be matched back to exactly one socket. On Windows, `netstat -ano` lists, for every connection, the local address, the foreign address, the port, the state and the owning PID (and `tasklist` maps a PID to an image name). Two caveats a practitioner should keep in mind: the mapping is only valid while the socket exists, because ephemeral ports and PIDs are recycled, so it must be done during live capture rather than against an old pcap; and a captured packet does not say which end is local, so both orientations of the address pair have to be tried. This is implemented in process_info.h and process_info.c.
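As an added, stand-alone illustration of the lookup just described (this is not the page's process_info.c and not Wireshark code), the Python below parses constructed `netstat -ano` output, resolves a packet's 4-tuple to the owning PID in either orientation, prefers a connected socket over a wildcard listener, skips PID 0 rows (TIME_WAIT sockets nobody owns any more), and then applies the "filter by process name" this article is after to a small constructed packet list. The function names, the netstat/tasklist text and the packet list are all invented for the example.

```python
"""Resolve a packet's (proto, src, sport, dst, dport) to the local process that
owns the socket, using `netstat -ano` style output. Sample data is constructed."""
import re

# Constructed sample of `netstat -ano` output on a Windows host (not real data).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:52134     93.184.216.34:443      ESTABLISHED     4212
  TCP    192.168.1.10:52135     93.184.216.34:443      TIME_WAIT       0
  TCP    [::1]:8080             [::]:0                 LISTENING       7788
  UDP    0.0.0.0:5353           *:*                                    1560
  UDP    192.168.1.10:63002     *:*                                    4212
"""
# Constructed PID -> image name table, as `tasklist` would report it.
TASKLIST_SAMPLE = {4: "System", 4212: "firefox.exe", 7788: "python.exe", 1560: "svchost.exe"}
# Hosts netstat prints for "any address" on listening / unconnected sockets.
WILDCARD_HOSTS = {"0.0.0.0", "::", "*"}
# proto, local, foreign, optional state (UDP rows have none), pid
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def split_addr(addr):
    """'192.168.1.10:443' -> ('192.168.1.10', 443); '[::1]:8080' -> ('::1', 8080);
    '*:*' -> ('*', None). rpartition keeps the IPv6 colons inside the host."""
    host, _, port = addr.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Turn netstat -ano text into a list of socket dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        entries.append({"proto": proto, "local": split_addr(local),
                        "remote": split_addr(remote), "state": state or "", "pid": int(pid)})
    return entries


def _host_matches(sock_host, pkt_host):
    return sock_host == pkt_host or sock_host in WILDCARD_HOSTS


def _remote_matches(sock_ep, pkt_ep):
    """Foreign side: a wildcard (0.0.0.0:0 or *:*) accepts any peer, otherwise exact."""
    sock_host, sock_port = sock_ep
    pkt_host, pkt_port = pkt_ep
    if sock_port not in (None, 0) and sock_port != pkt_port:
        return False
    return _host_matches(sock_host, pkt_host)


def lookup_process(entries, proto, src, sport, dst, dport, names, local_hosts=None):
    """Return (pid, name) for the local socket this packet belongs to, or None.
    Both orientations are tried unless local_hosts (the capturing host's addresses)
    settles which end is local; a connected socket outranks a wildcard listener."""
    directions = [((src, sport), (dst, dport)), ((dst, dport), (src, sport))]
    if local_hosts is not None:
        directions = [d for d in directions if d[0][0] in local_hosts]
    best = None  # (rank, pid)
    for e in entries:
        if e["proto"] != proto or e["pid"] == 0:   # PID 0: TIME_WAIT, no owner
            continue
        for local_ep, remote_ep in directions:
            if e["local"][1] != local_ep[1]:         # local port is never a wildcard
                continue
            if not _host_matches(e["local"][0], local_ep[0]):
                continue
            if not _remote_matches(e["remote"], remote_ep):
                continue
            rank = 2 if e["remote"][1] not in (None, 0) else 1
            if best is None or rank > best[0]:
                best = (rank, e["pid"])
    if best is None:
        return None
    return best[1], names.get(best[1], "<unknown>")


def packets_for_process(packets, entries, names, process_name, local_hosts=None):
    """The filter the article is after: keep only packets owned by process_name."""
    keep = []
    for pkt in packets:
        hit = lookup_process(entries, *pkt, names, local_hosts)
        if hit is not None and hit[1].lower() == process_name.lower():
            keep.append(pkt)
    return keep


ENTRIES = parse_netstat(NETSTAT_SAMPLE)
# Constructed packets as (proto, src, sport, dst, dport), not from a real capture.
SAMPLE_PACKETS = [
    ("TCP", "192.168.1.10", 52134, "93.184.216.34", 443),  # browser -> web server
    ("TCP", "93.184.216.34", 443, "192.168.1.10", 52134),  # the reply
    ("TCP", "10.0.0.5", 40000, "192.168.1.10", 445),       # inbound SYN to the SMB listener
    ("UDP", "192.168.1.10", 63002, "224.0.0.251", 5353),   # mDNS query from the browser
    ("TCP", "192.168.1.10", 52135, "93.184.216.34", 443),  # port now in TIME_WAIT: no owner
]
```

Calling `packets_for_process(SAMPLE_PACKETS, ENTRIES, TASKLIST_SAMPLE, "firefox.exe", {"192.168.1.10"})` keeps three of the five packets: the outbound HTTPS segment, its reply, and the mDNS query; the inbound SYN resolves to `System` and the TIME_WAIT leftover to nothing. Passing `local_hosts` matters for multicast traffic, where both the sender's ephemeral port and the local 5353 listener would otherwise match.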

process_info.h

/* process_info.h
 * Process information (pid, process name)
 *
 * $Id$
 *
 * Wireshark - Network traffic analyzer
 * By Bogdan Harjoc <harjoc@gmail.com>
 * Copyright 1998 Gerald Combs
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

#ifndef __PROCESS_INFO_H__
#define __PROCESS_INFO_H__

#include <epan/packet.h>

/** returns the name of the process based on the src:port - dst:port data from tvb */
const char *process_info_lookup(tvbuff_t *tvb);

#endif /* process_info.h */

process_info.c

/* process_info.c
 * Process information (pid, process name)
 *
 * $Id$
 *
 * Wireshark - Network traffic analyzer
 * By Bogdan Harjoc <harjoc@gmail.com>
 * Copyright 1998 Gerald Combs
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

#ifdef _WIN32

#include "config.h"

#include <glib.h>
#include <stdio.h>
#include <stdlib.h>

#include <windows.h>
#include &l