Filter by process / PID in Wireshark

Is there a way to filter / follow TCP / SSL based on a specific process id using Wireshark ?

+101
Aug 27 '09 at 8:35
11 answers

I don't understand how to do this. The PID is not included on the wire (generally speaking), and Wireshark shows you what is on the wire, potentially from all the machines communicating on it. In any case, process identifiers are not unique across machines.

+51
Aug 27 '09 at 8:39

Just in case you are looking for an alternative, and the environment you are using is Microsoft, Network Monitor 3.3 is a good choice. It has a process name column. You can easily add it to the filter using the context menu and apply the filter. As usual, the GUI is very intuitive ...

+83
May 04 '10 at 7:34 a.m.

You can map port numbers from Wireshark to port numbers from, say, netstat, which tells you the PID of the process listening on that port.

+13
Aug 27 '09 at 8:51

Use Microsoft Message Analyzer v1.4

Go to ProcessId in the selection box:

Etw -> EtwProviderMsg --> EventRecord ---> Header ----> ProcessId

Right click and add as column.

+10
Aug 11 '16 at 23:22

Windows has an experimental build that does this, as described in the mailing list thread "Filter by local process name".

+3
Dec 28 '12 at 12:02

This is an important thing to be able to do, to monitor what some processes are trying to connect to, and there seems to be no convenient way to do this on Linux. However, some workarounds are possible, so I think they are worth mentioning.

There is a program called nonet that allows you to run a program without Internet access (I have most of the software launchers on my system configured with it). It uses setgid to start the process in the nonet group and sets an iptables rule to refuse all connections from this group.

Update: now I use an even simpler system. You can easily have a readable iptables configuration with ferm and just use the sg program to run the program with a specific group. iptables also lets you redirect traffic, so you can even redirect it to a separate interface or to a local proxy server on a port that lets you filter in Wireshark, or LOG packets directly from iptables if you do not want to cut off the entire Internet while you check the traffic.

It is not very difficult to adapt this to run the program in a group and cut out all other traffic using iptables for the duration of the run, and then you can capture traffic only from this process.

If I ever start writing, I'll post a link here.

On the other hand, you can always start the process in a virtual machine and sniff the correct interface to isolate the connections it makes, but that would be a good solution ...

+3
Nov 19 '13 at 5:22

If you want to keep track of an application that still needs to be launched, then this is certainly possible:

  1. Install docker (see https://docs.docker.com/engine/installation/linux/docker-ce/ubuntu/ ).
  2. Open a terminal and run a tiny container: docker run -t -i ubuntu /bin/bash (change "ubuntu" to your favorite distribution; it does not have to be the same as on your real system)
  3. Install your application in the container in the same way as on the real system.
  4. Run Wireshark on your real system and go to "Capture" > "Options". In the window that opens you will see all your interfaces. Instead of selecting any, wlan0, eth0, ..., select the new docker0 virtual interface.
  5. Start the capture.
  6. Run your application in the container.

You may have some doubts about running your software in a container, so here are the answers to the questions you probably want to ask:

  • Will my application work inside a container? Almost certainly yes, but you may need to learn a little about docker to make it work.
  • Will my application run slowly? Insignificantly. If your program performs heavy calculations for a week, it may now take a week and 3 seconds.
  • What if my software or something else breaks in the container? This is the good thing about containers. Anything that runs inside can only break the current container and cannot damage the rest of the system.

+1
Jan 22 '18 at 17:14

In some cases you cannot filter by process ID. For example, in my case I needed to sniff traffic from one process. But I found the target destination IP address in its configuration, added ip.dst==someip and voila. This will not work in every case, but for some it is useful.

0
Apr 08 '16 at 9:22

Get the port number using netstat:

  netstat -b

And then use the Wireshark filter:

  tcp.port == portnumber

0
Sep 13 '16 at 7:12
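The port-to-PID mapping that this answer and the earlier netstat answer describe, carried through as an added example that is not from any answer on this page: a POSIX shell pipeline that reads `ss -tnp` output (the sample lines below are constructed, not captured from a real host), collects the local ports owned by one PID and emits the matching `tcp.port == ...` Wireshark display filter. It assumes a Linux host with `ss` and `awk`; on Windows the same PID column comes from `netstat -b` or `netstat -o`.

```shell
#!/bin/sh
# Constructed sample of `ss -tnp` output (not captured from a real host).
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB 0      0      192.0.2.10:52314     198.51.100.7:443    users:(("curl",pid=4242,fd=5))
ESTAB 0      0      [2001:db8::10]:52318 [2001:db8::9]:80    users:(("curl",pid=4242,fd=6))
ESTAB 0      0      192.0.2.10:41000     203.0.113.5:22      users:(("ssh",pid=3100,fd=3))'

# pid_local_ports PID: read `ss -tnp` lines on stdin and print the local port
# of every socket owned by PID, one per line. Works for IPv4 and [IPv6]
# addresses because the port is always the text after the last ':' in field 4.
pid_local_ports() {
  awk -v pid="$1" '
    $0 ~ ("pid=" pid ",") { n = split($4, a, ":"); print a[n] }'
}

# ports_to_filter: read port numbers on stdin and emit one Wireshark display
# filter that matches either direction of traffic on any of those ports.
# Prints nothing when no ports were given.
ports_to_filter() {
  awk '
    { f = (f == "") ? "tcp.port == " $1 : f " || tcp.port == " $1 }
    END { if (f != "") print f }'
}

# filter_for_pid PID: run both steps over the constructed sample above.
filter_for_pid() {
  printf '%s\n' "$SAMPLE_SS" | pid_local_ports "$1" | ports_to_filter
}

# On a live Linux host (root is needed to see other users' processes):
#   ss -tnp | pid_local_ports 4242 | ports_to_filter
filter_for_pid 4242
```

The filter is a snapshot: ephemeral ports closed by the process may later be reused by another one, so re-run the mapping when the capture spans long-lived sessions.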

Try Omnipeek. It is very useful in such cases; I can track traffic for one specific application only.

0
May 7 '19 at 4:52

You can check the port numbers with these example filters in Wireshark:

tcp.port == 80

tcp.port == 14220

-13
May 4 '13 at 4:56