On Apr 25, 2025, at 12:49 PM, Guy Harris <ghar...@sonic.net> wrote:

> To quote a comment from Wireshark's emacs 
> epan/dissectors/file-pcapng-darwin.c file (which dissects Process Event 
> Blocks if you're using Wireshark as "Fileshark" on a pcapng file that 
> contains Process Event Blocks; there is currently no code to handle Process 
> Event Blocks if you're reading a capture file to see the packets rather than 
> to see the file's structure):
> 
> /*
> * Apple's Pcapng Darwin Process Event Block
> *
> *    A Darwin Process Event Block (DPEB) is an Apple defined container
> *    for information describing a Darwin process.
> *
> *    Tools that write / read the capture file associate an incrementing
> *    32-bit number (starting from '0') to each Darwin Process Event Block,

By the way, what constitutes an "event" here?

Are all process creations logged with a PEB, or does one appear when the first 
packet associated with a process is sent or received?

Is a process exiting, or doing an exec-family call, logged?

See also other process information block ideas, such as:

        https://github.com/IETF-OPSAWG-WG/draft-ietf-opsawg-pcap/issues/164

        https://github.com/google/linux-sensor/blob/master/hone-pcapng.txt and 
https://github.com/HoneProject/Linux-Sensor/wiki/Augmented-PCAP-Next-Generation-Dump-File-Format
_______________________________________________
Wireshark-dev mailing list -- wireshark-dev@wireshark.org
To unsubscribe send an email to wireshark-dev-le...@wireshark.org

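The quoted comment says tools associate an incrementing 32-bit number, starting from 0, with each Darwin Process Event Block, which is the same per-type numbering pcapng already uses for Interface Description Blocks. The following is an added illustration, not code from this message, from Wireshark or from Apple: a minimal pcapng block walker that resolves byte order from the Section Header Block, validates each block's framing, and assigns every block a per-type index counting from 0. The page does not describe the DPEB body layout or its block type code, so the body is treated as opaque and the type value 0x80000001 used for it below is an assumption; the sample capture is constructed in memory.

```python
"""
Minimal pcapng block walker that numbers blocks per type, starting at 0.

Added example, not Wireshark or Apple code. The Darwin Process Event
Block body is not described on the page and is treated as opaque here;
the block type value used for it (0x80000001) is an assumption, and the
sample file is constructed in memory.
"""
import struct

SHB_TYPE = 0x0A0D0D0A          # Section Header Block (byte-order neutral)
IDB_TYPE = 0x00000001          # Interface Description Block
EPB_TYPE = 0x00000006          # Enhanced Packet Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D
DPEB_TYPE_ASSUMED = 0x80000001 # assumption: not confirmed by the page

BLOCK_NAMES = {SHB_TYPE: "SHB", IDB_TYPE: "IDB", EPB_TYPE: "EPB",
               DPEB_TYPE_ASSUMED: "DPEB(assumed)"}


def _pad4(n):
    return (n + 3) & ~3


def build_block(btype, body, endian="<"):
    """Encode one block: type, total length, body padded to 4, total length again."""
    padded = body + b"\0" * (_pad4(len(body)) - len(body))
    total = 12 + len(padded)
    return (struct.pack(endian + "II", btype, total) + padded
            + struct.pack(endian + "I", total))


def build_shb(endian="<"):
    """SHB body: byte-order magic, version 1.0, section length -1 (unknown)."""
    body = struct.pack(endian + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)
    return build_block(SHB_TYPE, body, endian)


def walk_blocks(data):
    """Yield (offset, block type, body) for each block, checking the framing."""
    off = 0
    endian = "<"
    while off < len(data):
        if off + 12 > len(data):
            raise ValueError("truncated block header at offset %d" % off)
        # The SHB type value is the same in both byte orders, so it can be
        # read before the section's byte order is known.
        if struct.unpack_from("<I", data, off)[0] == SHB_TYPE:
            magic_le = struct.unpack_from("<I", data, off + 8)[0]
            if magic_le == BYTE_ORDER_MAGIC:
                endian = "<"
            elif magic_le == 0x4D3C2B1A:
                endian = ">"
            else:
                raise ValueError("bad byte-order magic at offset %d" % off)
        btype, total = struct.unpack_from(endian + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("bad block total length %d at offset %d" % (total, off))
        trailer = struct.unpack_from(endian + "I", data, off + total - 4)[0]
        if trailer != total:
            raise ValueError("trailing length mismatch at offset %d" % off)
        yield off, btype, data[off + 8:off + total - 4]
        off += total


def index_blocks(data):
    """Return [(offset, name, per-type index)], counters reset at each SHB."""
    counters = {}
    out = []
    for off, btype, _body in walk_blocks(data):
        if btype == SHB_TYPE:
            counters = {}  # IDB numbering is per section; applied to every type here
        idx = counters.get(btype, 0)
        counters[btype] = idx + 1
        out.append((off, BLOCK_NAMES.get(btype, "0x%08X" % btype), idx))
    return out


def sample_file(endian="<"):
    """Constructed in-memory capture: 1 SHB, 2 IDBs, 3 assumed DPEBs, 1 EPB."""
    idb = struct.pack(endian + "HHI", 1, 0, 65535)  # LINKTYPE_ETHERNET, snaplen
    pkt = b"\xde\xad\xbe\xef"                       # constructed payload
    epb = struct.pack(endian + "IIIII", 0, 0, 0, len(pkt), len(pkt)) + pkt
    return b"".join([
        build_shb(endian),
        build_block(IDB_TYPE, idb, endian),
        build_block(IDB_TYPE, idb, endian),
        build_block(DPEB_TYPE_ASSUMED, b"proc-a", endian),  # opaque body
        build_block(DPEB_TYPE_ASSUMED, b"proc-b", endian),
        build_block(EPB_TYPE, epb, endian),
        build_block(DPEB_TYPE_ASSUMED, b"proc-c", endian),
    ])


if __name__ == "__main__":
    for off, name, idx in index_blocks(sample_file()):
        print("offset %4d  %-14s index %d" % (off, name, idx))
```

Running it lists the two IDBs as 0 and 1 and the three assumed DPEBs as 0, 1 and 2, with the EPB numbered 0 among packet blocks; a truncated file or a mismatched trailing length is rejected rather than silently mis-indexed.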