> On Apr 25, 2025, at 6:18 PM, Guy Harris <ghar...@sonic.net> wrote:
> 
> On Apr 25, 2025, at 12:49 PM, Guy Harris <ghar...@sonic.net> wrote:
> 
>> To quote a comment from Wireshark's emacs 
>> epan/dissectors/file-pcapng-darwin.c file (which dissects Process Event 
>> Blocks if you're using Wireshark as "Fileshark" on a pcapng file that 
>> contains Process Event Blocks; there is currently no code to handle Process 
>> Event Blocks if you're reading a capture file to see the packets rather than 
>> to see the file's structure):
>> 
>> /*
>> * Apple's Pcapng Darwin Process Event Block
>> *
>> *    A Darwin Process Event Block (DPEB) is an Apple defined container
>> *    for information describing a Darwin process.
>> *
>> *    Tools that write / read the capture file associate an incrementing
>> *    32-bit number (starting from '0') to each Darwin Process Event Block,
> 
> By the way, what constitutes an "event" here?

Sadly, those are not “events”, see below.

> Are all process creations logged with a PEB, or does one appear when the 
> first packet associated with a process is sent or received?
> 
> Is a process exiting, or doing an exec-family call, logged?

Darwin PEBs (DPEBs) do not contain any timing information, and do not pretend 
to reflect the scheduler state machine. Rather, the DPEBs only contain the 
description of processes, and the order in which DPEBs appear in pcapng is 
dictated by the order of the “first appearance” of a particular process in the 
EPB.

In other words, the Darwin tcpdump will only inject a DPEB when it sees a 
packet that is associated with a process that has not been observed before.

In yet other words, DPEBs are a way to compress the per-packet information so 
that the (expensive) information about the process wouldn’t have to be repeated 
for every packet.


> See also other process information block ideas, such as:
> 
>       https://github.com/IETF-OPSAWG-WG/draft-ietf-opsawg-pcap/issues/164
> 
>       https://github.com/google/linux-sensor/blob/master/hone-pcapng.txt and 
> https://github.com/HoneProject/Linux-Sensor/wiki/Augmented-PCAP-Next-Generation-Dump-File-Format

Those ideas appear to be related but not the *same*. I would rather not increase 
the scope of the current discussion, but keep those in mind. 
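As an added illustration of the DPEB mechanism described above (model code written for this thread, not Darwin tcpdump's or Wireshark's own, and not the real pcapng byte layout; the block and field names are assumptions), the writer below emits a DPEB only on a process's first appearance, numbers DPEBs from 0 in that order, and the reader resolves each EPB's process reference from the DPEBs that preceded it:

```python
from dataclasses import dataclass

# Constructed model: a DPEB carries only a process description (no timestamp),
# is emitted the first time a process is seen on a packet, and is numbered
# with an incrementing 32-bit index starting at 0. Each EPB refers to its
# process by that index instead of repeating the description.

@dataclass
class DPEB:
    index: int        # incrementing 32-bit number, starting from 0
    pid: int
    name: str

@dataclass
class EPB:
    timestamp: int
    proc_index: int   # reference to the DPEB describing the process
    length: int

def write_blocks(packets):
    """packets: iterable of (timestamp, pid, name, length). Returns the block list
    in file order: a DPEB precedes the first EPB of each new process."""
    blocks, seen = [], {}
    for ts, pid, name, length in packets:
        key = (pid, name)
        if key not in seen:                  # first appearance of this process
            idx = len(seen)
            if idx > 0xFFFFFFFF:
                raise ValueError("DPEB index would overflow 32 bits")
            seen[key] = idx
            blocks.append(DPEB(idx, pid, name))
        blocks.append(EPB(ts, seen[key], length))
    return blocks

def read_blocks(blocks):
    """Walk the blocks in order and attach (pid, name) to each packet.
    Because DPEBs carry no timing, order in the file is the only thing that
    ties a DPEB to the packets that reference it."""
    procs, out = {}, []
    for b in blocks:
        if isinstance(b, DPEB):
            procs[b.index] = (b.pid, b.name)
        elif b.proc_index in procs:
            out.append((b.timestamp, *procs[b.proc_index]))
        else:
            raise ValueError(f"EPB references unknown DPEB index {b.proc_index}")
    return out
```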


> _______________________________________________
> Wireshark-dev mailing list -- wireshark-dev@wireshark.org
> To unsubscribe send an email to wireshark-dev-le...@wireshark.org
