Wireshark-bugs: [Wireshark-bugs] [Bug 1184] *Shark should support associating TCP and UDP packet
Date: Mon, 1 Oct 2012 15:21:05 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1184

--- Comment #5 from Guy Harris <guy@xxxxxxxxxxxx> 2012-10-01 15:21:04 PDT ---
And OS X 10.8 tags some packets with the process ID and "process name" (first
16 bytes of the last component of the pathname of the executable) and exposes
that with private BPF extensions:

    http://www.opensource.apple.com/source/xnu/xnu-2050.7.9/bsd/net/bpf.h

(not in the public /usr/include/net/bpf.h).  That appears to be
TCP-and-UDP-only - and may only happen for outgoing packets (they may be the
only ones where the flow hash value is set, from a quick look).  That
information gets exposed by tcpdump in pcap-NG comments(!) if you specify the
-P flag to get tcpdump to write out pcap-NG files.

HoNe, on Linux:

    http://static.usenix.org/event/lisa06/tech/full_papers/fink/fink.pdf

adds kernel Netfilter hooks and uses them to capture traffic and associate
packets with processes.

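The process tag Guy describes travels in the pcap-NG packet comment option (opt_comment, code 1, on an Enhanced Packet Block). The following is an added example, not code from the bug report, Wireshark or tcpdump: it writes a minimal little-endian pcap-NG stream with such comments and reads them back per packet. The comment text "pid 4242 (curl)" is a constructed sample and does not claim to match the exact string tcpdump -P emits.

```python
import struct

# Block types and option codes from the pcapng specification
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
OPT_END, OPT_COMMENT = 0, 1
BYTE_ORDER_MAGIC = 0x1A2B3C4D

def _pad(n):
    return -n % 4  # options and packet data are padded to 32-bit boundaries

def _opts(opts):
    out = b"".join(struct.pack("<HH", c, len(v)) + v + b"\0" * _pad(len(v)) for c, v in opts)
    return out + struct.pack("<HH", OPT_END, 0)

def _block(btype, body):
    total = 12 + len(body)  # type + length + body + trailing length
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def build_pcapng(packets):
    """packets: list of (payload bytes, comment str or None). Constructed sample writer."""
    shb = _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1) + _opts([]))
    idb = _block(IDB, struct.pack("<HHI", 1, 0, 65535) + _opts([]))  # linktype 1 = Ethernet
    epbs = b""
    for i, (payload, comment) in enumerate(packets):
        opts = [(OPT_COMMENT, comment.encode())] if comment else []
        hdr = struct.pack("<IIIII", 0, 0, i, len(payload), len(payload))  # ifid, ts hi/lo, caplen, len
        epbs += _block(EPB, hdr + payload + b"\0" * _pad(len(payload)) + _opts(opts))
    return shb + idb + epbs

def packet_comments(data):
    """Return, for every EPB in a little-endian pcapng stream, its list of comment options."""
    btype, _, magic = struct.unpack_from("<III", data, 0)
    if btype != SHB or magic != BYTE_ORDER_MAGIC:
        raise ValueError("not a little-endian pcapng section")
    result, off = [], 0
    while off < len(data):
        btype, blen = struct.unpack_from("<II", data, off)
        if blen < 12:
            raise ValueError("corrupt block length")
        if btype == EPB:
            cap_len = struct.unpack_from("<I", data, off + 20)[0]
            o, comments = off + 28 + cap_len + _pad(cap_len), []
            while o + 4 <= off + blen - 4:  # stop before the trailing block length
                code, olen = struct.unpack_from("<HH", data, o)
                if code == OPT_END:
                    break
                if code == OPT_COMMENT:
                    comments.append(data[o + 4:o + 4 + olen].decode("utf-8", "replace"))
                o += 4 + olen + _pad(olen)
            result.append(comments)
        off += blen
    return result
```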