Add a comment to each packet containing the process id (PID) #15
Added code to add a comment with the process id (PID) to each packet.
Maybe introduce a command-line option for this.
maolson-msft left a comment
Thanks for this contribution! I've added comments requesting minor changes to the code, but I have a bigger concern: besides the obvious issue of PIDs being valid only while the process is still around (which most people should understand intuitively), there's a less intuitive problem: inbound packets, and frequently also outbound packets, will be traced in DPCs which run in arbitrary process context. This means the recorded PID will be misleading as often or more often than it is enlightening. Can you tell me how you've made use of this feature?
Thanks for the review.
I use it for dynamic malware analysis: run the malware in a VM while doing netsh capture.
When performing dynamic malware analysis, it can sometimes be difficult to distinguish network traffic from Windows services & processes, and network traffic from the malware sample. Having the PID of the malware sample makes it far easier, even when this information is far from 100% reliable.
Often the network traffic from a malware sample is TCP, and then just a single packet with the PID of the malware is enough in Wireshark, as I can then filter on the TCP stream number and have the complete TCP stream, even if not all TCP packets of this stream have the correct PID.
As I suggested in my PR, you can also make this optional. Introduce a command-line flag to include the PID as a comment or not.
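As an added example (not code from this PR or from the project), here is the triage workflow the reply describes, scripted: given the tab-separated output of `tshark -r trace.pcapng -T fields -e tcp.stream -e frame.comment` (sample lines constructed below), find every TCP stream that contains at least one packet whose comment names the sample's PID, report how consistently the stream's other packets agree (the DPC arbitrary-context problem the reviewer raises), and build a Wireshark display filter for those whole streams. The `PID=<n>` comment text is an assumption; the PR's actual comment format is not shown on the page.

```python
from collections import Counter, defaultdict

# Constructed sample of `tshark -r trace.pcapng -T fields -e tcp.stream -e frame.comment`
# output: one line per packet, "<tcp.stream>\t<frame.comment>".  The "PID=<n>"
# comment format is assumed; packets without a comment have an empty column.
SAMPLE = """\
0\tPID=4120
0\tPID=4120
0\tPID=0
0\tPID=4120
1\tPID=912
1\tPID=4
2\t
2\tPID=4120
"""

def parse_pid(comment):
    """Return the PID from a 'PID=<n>' comment, or None if absent or malformed."""
    if comment.startswith("PID="):
        try:
            return int(comment[4:])
        except ValueError:
            return None
    return None

def pids_per_stream(text):
    """Map tcp.stream number -> Counter of PIDs seen in its packet comments."""
    streams = defaultdict(Counter)
    for line in text.splitlines():
        if not line.strip():
            continue
        stream, _, comment = line.partition("\t")
        pid = parse_pid(comment.strip())
        if pid is not None:
            streams[int(stream)][pid] += 1
    return streams

def streams_for_pid(text, pid):
    """Streams with at least one packet attributed to `pid`, mapped to the
    fraction of that stream's commented packets that agree.  Because packets
    may be traced from a DPC in an arbitrary process context, one matching
    packet is enough to select the stream; the ratio shows how consistent
    the attribution was so the analyst can judge it."""
    result = {}
    for stream, counts in pids_per_stream(text).items():
        if counts[pid]:
            result[stream] = counts[pid] / sum(counts.values())
    return result

def wireshark_filter(streams):
    """Display filter selecting whole TCP streams, e.g. 'tcp.stream in {0 2}'."""
    return "tcp.stream in {" + " ".join(str(s) for s in sorted(streams)) + "}"
```

Paste the returned filter into Wireshark to see every packet of the selected streams, including those whose comment carried a different PID.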