Wireshark 4.6.0 Supports macOS Pktap Metadata (PID, Process Name, etc.)
7 months ago
- #macOS
- #Wireshark
- #Network Monitoring
- Wireshark 4.6.0 can now parse process metadata from macOS network captures
- When capturing with tcpdump, add the 'pktap' interface prefix to capture packets with process information
- Example commands: 'tcpdump -i pktap,en0 -w outfile.pcapng' or 'tcpdump -i pktap,all host 192.168.0.6 -w outfile.pcapng'
- Open the capture file in Wireshark and view the process name, PID and other details under 'Frame → Process Information'
- Filter the capture on the 'frame.darwin.process_info' fields, for example 'frame.darwin.process_info.pname == "firefox"' or 'frame.darwin.process_info.pid == 92046'
- This feature helps identify anomalous network traffic or monitor a process's network activity
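The per-process triage the last point describes, as an added example that is not code from the original post: it assumes the pktap capture was exported to tab-separated text with tshark's `-T fields` option (the `frame.darwin.process_info.*` fields come from the post; `ip.dst` and `tcp.dstport` are standard Wireshark fields), and the sample rows are constructed.

```python
"""Summarise which macOS process talked to which endpoint in a pktap capture.

Assumed export step, run separately on the capture (real tshark flags):
  tshark -r outfile.pcapng -T fields \
      -e frame.darwin.process_info.pid -e frame.darwin.process_info.pname \
      -e ip.dst -e tcp.dstport > procs.tsv
The sample input below is constructed for this example.
"""
from collections import defaultdict

SAMPLE_TSV = """\
92046\tfirefox\t198.51.100.7\t443
92046\tfirefox\t198.51.100.7\t443
501\tlaunchd\t192.168.0.1\t53
4242\tupdater\t203.0.113.9\t8080
"""


def parse_tshark_fields(text):
    """Parse tab-separated tshark output into (pid, pname, dst, port) tuples.
    Frames with no pktap metadata (empty pid) or no IP layer are skipped."""
    rows = []
    for line in text.splitlines():
        pid, pname, dst, port = (line.split("\t") + ["", "", "", ""])[:4]
        if not pid or not dst:
            continue
        rows.append((int(pid), pname, dst, int(port) if port else None))
    return rows


def connections_by_process(rows):
    """Map (pid, pname) -> sorted unique (dst, port) endpoints it reached."""
    per_proc = defaultdict(set)
    for pid, pname, dst, port in rows:
        per_proc[(pid, pname)].add((dst, port))
    return {key: sorted(endpoints) for key, endpoints in per_proc.items()}


def flag_unexpected(summary, allowed_ports=(53, 80, 443)):
    """Return names of processes that reached a destination port outside the
    allow-list: a cheap 'which process owns this traffic?' triage cue."""
    return sorted(pname for (pid, pname), endpoints in summary.items()
                  if any(port not in allowed_ports for _, port in endpoints))


if __name__ == "__main__":
    summary = connections_by_process(parse_tshark_fields(SAMPLE_TSV))
    for (pid, pname), endpoints in summary.items():
        print(f"{pname} (pid {pid}): {endpoints}")
    print("flagged:", flag_unexpected(summary))
```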