1 Feb 05:27
[Bug 1184] *Shark should support associating TCP and UDP packets with processes
<bugzilla-daemon <at> wireshark.org>
2012-02-01 04:27:15 GMT
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1184

--- Comment #3 from Guy Harris <guy <at> alum.mit.edu> 2012-01-31 20:27:13 PST ---

So, for Linux, it appears you have to scan /proc/net/{tcp,udp,tcp6,udp6} to find the socket for the TCP connection/UDP whatever in question, and then scan /proc looking at all processes looking for an FD that refers to that socket.

Sadly, for TCP, there's no way to skip the scan, even though there's going to be kernel code to look up a pair of endpoints to find the connection; for UDP, you can't even necessarily use both endpoints, as you might have an unbound socket sending to a variety of different destinations.

You also can't avoid the /proc scan - after all, there might be *more than one* process with file descriptors referring to that socket.

Note: most of the last two paragraphs - the UDP and the "scanning the process table" part - applies to *all* OSes.

For FreeBSD, the net.inet.tcp.pcblist and net.inet.udp.pcblist sysctls will give you all TCP and UDP connections; again, no way to skip the scan.

The "struct xsocket" that's part of the "struct xtcpcb" returned for TCP and the "struct xinpcb" returned for UDP includes a pointer to the socket structure in the kernel - not useful as a pointer, but could be useful as a handle.

The kern.proc.all sysctl will give you all processes as "struct kinfo_proc"; it has a copy of the p_fd pointer for the process. Sadly, it appears you also have to get the *entire* file table with the kern.file sysctl - no fetching the file table for a given process.

For DragonFly BSD, the same stuff will probably work, given DragonFly's FreeBSD origins; a quick look at the code suggests it will.

For Mac OS X, it looks as if the pcblist sysctls are there (with some
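Added example, not part of the bug report or of Wireshark: the Linux procedure the comment describes, scanning /proc/net/tcp for the socket's inode and then every /proc/<pid>/fd for a link to that inode, run here against a constructed /proc/net/tcp sample and a constructed fake /proc tree in a temporary directory. The function names, the sample rows and the pids are assumptions; on a real system `find_owning_pids(inode)` with the default `proc_root` does the scan, and reading other users' fd tables needs root.

```python
import os
import tempfile
# Constructed /proc/net/tcp rows: a listener on 127.0.0.1:22 and one established
# connection from 127.0.0.1:50000. Addresses are hex in host (little-endian) order.
SAMPLE_TCP = [
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
    "   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0",
    "   1: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1",
]

def parse_proc_net_line(line):  # one row of /proc/net/{tcp,udp,tcp6,udp6}; None for the header
    f = line.split()
    if len(f) < 10 or not f[0].endswith(":"):
        return None
    def endpoint(tok):
        addr, port = tok.split(":")
        if len(addr) == 8:  # IPv4: a 32-bit word printed little-endian, so reverse the bytes
            return ".".join(str(int(addr[i:i + 2], 16)) for i in (6, 4, 2, 0)), int(port, 16)
        return addr.lower(), int(port, 16)  # IPv6: keep the raw hex the kernel prints
    return {"local": endpoint(f[1]), "remote": endpoint(f[2]),
            "state": int(f[3], 16), "uid": int(f[7]), "inode": int(f[9])}

def find_socket_inode(lines, local, remote=None):  # remote=None: any peer (unbound UDP)
    for line in lines:
        e = parse_proc_net_line(line)
        if e and e["local"] == local and (remote is None or e["remote"] == remote):
            return e["inode"]
    return None

def find_owning_pids(inode, proc_root="/proc"):
    # Walk every <proc_root>/<pid>/fd; more than one process can hold the same socket
    target, pids = "socket:[%d]" % inode, []
    for pid in (p for p in os.listdir(proc_root) if p.isdigit()):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            if any(os.readlink(os.path.join(fd_dir, fd)) == target for fd in os.listdir(fd_dir)):
                pids.append(int(pid))
        except OSError:  # process exited mid-scan, or its fd table is not readable by us
            continue
    return sorted(pids)

def demo():
    # Constructed fake /proc tree: pids 4242 and 4343 (forked server) share inode 67890
    root = tempfile.mkdtemp()
    for pid, inodes in {4242: [12345, 67890], 4343: [67890], 99: [555]}.items():
        os.makedirs(os.path.join(root, str(pid), "fd"))
        for n, ino in enumerate(inodes):
            os.symlink("socket:[%d]" % ino, os.path.join(root, str(pid), "fd", str(n)))
    inode = find_socket_inode(SAMPLE_TCP, ("127.0.0.1", 22), ("127.0.0.1", 50000))
    return find_owning_pids(inode, root)  # -> [4242, 4343]
```

The same parser works for /proc/net/udp; as the comment notes, for UDP pass `remote=None` because the socket may be unbound and talking to many peers.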