
Sounds dumb, but can you extract the application name from a packet/pcap?

For example: if a packet's destination is a chrome process, can you extract that information from the packet?

2 Answers

0

The process name or something like this is not part of the packet. In many cases one can look at the packet itself to determine the kind of application protocol using heuristics. One can also extract the source and destination IP address and port from the packet. Together, this might be used to make an educated guess about the process which caused the packet, but this guess might also be wrong.
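As an added illustration of the "heuristics on the packet itself" point (example code written for this page, not from the answer's author): a first-bytes classifier that recognises SSH, HTTP and TLS from a TCP payload, plus a parser that pulls the server_name (SNI) out of a TLS ClientHello, which is usually the closest thing to an "application" you can get from the bytes on the wire. build_client_hello is a helper that constructs a minimal ClientHello as sample input; the method list and the protocol labels are my own choices.

```python
import struct

HTTP_METHODS = (b'GET', b'POST', b'PUT', b'HEAD', b'DELETE', b'OPTIONS', b'PATCH', b'CONNECT')


def tls_client_hello_sni(payload: bytes):
    """Return the server_name from a TLS ClientHello record, or None if this is not one."""
    # Record header: type 0x16 (handshake), version 0x03xx; handshake type 0x01 = ClientHello.
    if len(payload) < 6 or payload[0] != 0x16 or payload[1] != 0x03 or payload[5] != 0x01:
        return None
    p = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, client_version, random
    if p >= len(payload):
        return None
    p += 1 + payload[p]                     # session_id (1-byte length + bytes)
    if p + 2 > len(payload):
        return None
    p += 2 + struct.unpack('!H', payload[p:p + 2])[0]   # cipher_suites (2-byte length + list)
    if p >= len(payload):
        return None
    p += 1 + payload[p]                     # compression_methods
    if p + 2 > len(payload):
        return None
    end = min(p + 2 + struct.unpack('!H', payload[p:p + 2])[0], len(payload))
    p += 2
    while p + 4 <= end:                     # extensions: type(2) length(2) data
        etype, elen = struct.unpack('!HH', payload[p:p + 4])
        p += 4
        if etype == 0 and elen >= 5 and p + elen <= end:   # server_name extension
            # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
            name_len = struct.unpack('!H', payload[p + 3:p + 5])[0]
            return payload[p + 5:p + 5 + name_len].decode('ascii', 'replace')
        p += elen
    return None


def classify_payload(payload: bytes) -> str:
    """Cheap first-bytes heuristic for the application protocol; 'unknown' when nothing matches."""
    if payload.startswith(b'SSH-'):
        return 'ssh'
    # TLS record: content type 0x14..0x17, version 0x0300..0x0304
    if len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03 and payload[2] <= 0x04:
        return 'tls'
    if payload.startswith(b'HTTP/1.') or payload.split(b' ', 1)[0] in HTTP_METHODS:
        return 'http'
    return 'unknown'


def build_client_hello(host: str) -> bytes:
    """Constructed sample input: a minimal TLS 1.2-style ClientHello carrying one SNI entry."""
    sni = host.encode()
    ext_body = struct.pack('!HBH', len(sni) + 3, 0, len(sni)) + sni      # ServerNameList
    ext = struct.pack('!HH', 0, len(ext_body)) + ext_body                # extension type 0
    body = (b'\x03\x03' + b'\x00' * 32 + b'\x00'                          # version, random, no session id
            + struct.pack('!H', 2) + b'\x13\x01'                          # one cipher suite
            + b'\x01\x00'                                                 # one compression method (null)
            + struct.pack('!H', len(ext)) + ext)
    handshake = b'\x01' + len(body).to_bytes(3, 'big') + body
    return b'\x16\x03\x01' + struct.pack('!H', len(handshake)) + handshake


if __name__ == '__main__':
    for sample in (b'SSH-2.0-OpenSSH_9.6\r\n', b'GET / HTTP/1.1\r\n', build_client_hello('example.com')):
        print(classify_payload(sample), tls_client_hello_sni(sample))
```

Note what this does and does not tell you: an SNI of example.com identifies the service being contacted, not the local process; a browser, curl and a malware beacon all produce the same ClientHello shape, which is exactly why the answer calls the result an educated guess.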

0

IP packet headers do not contain information about the process which caused them (if any); the IP packet payload may, though. The same packet may, at different times, be sent by different applications.

But you can (as root) ask the Linux kernel to which application the socket for that address belongs.

You can either grep through the output of e.g. ss -ntup or ask ss directly:

ss -anp 'src = 192.168.122.3:22'
Netid State Recv-Q Send-Q Local Address:Port   Peer Address:Port     Process
tcp   ESTAB 0      0      192.168.122.3:22     192.168.122.1:58552   users:(("sshd",pid=27425,fd=4))
tcp   ESTAB 0      0      192.168.122.3:22     192.168.122.1:40662   users:(("sshd",pid=7228,fd=4),("sshd",pid=7217,fd=4))
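What ss does under the hood is read the socket tables in /proc/net/tcp (and tcp6), then walk every /proc/<pid>/fd/ link to find which process holds the socket inode. The following script, added here as an example and not part of the answer above, reproduces that lookup so you can point it at an address:port taken from a pcap. The sample /proc/net/tcp text, fd links and pids are constructed to mirror the ss output above and are not captured from a real host; when run directly it reads the live /proc instead (as root, to see other users' processes). It also decodes the IPv6 form from /proc/net/tcp6, which goes slightly beyond the IPv4 case shown.

```python
import os
import re
import socket
import struct
import sys

# /proc/net/tcp prints addresses as hex in host byte order (one 32-bit word for IPv4,
# four words for IPv6 in /proc/net/tcp6), so decode with the host's own endianness.
_ORDER = '<' if sys.byteorder == 'little' else '>'

# Constructed sample of /proc/net/tcp matching the ss output above (not captured from a real host).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 037AA8C0:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12001 1 0000000000000000 100 0 0 10 0
   1: 037AA8C0:0016 017AA8C0:E4B8 01 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 20 4 30 10 -1
   2: 037AA8C0:0016 017AA8C0:9ED6 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
"""
# Constructed readlink() results for /proc/<pid>/fd/<n> and /proc/<pid>/comm contents (hypothetical pids).
SAMPLE_FD_LINKS = {'/proc/27425/fd/0': '/dev/null', '/proc/27425/fd/4': 'socket:[12345]',
                   '/proc/7217/fd/4': 'socket:[12346]', '/proc/7228/fd/4': 'socket:[12346]'}
SAMPLE_COMM = {27425: 'sshd', 7217: 'sshd', 7228: 'sshd'}


def parse_addr(hexaddr):
    """'037AA8C0:0016' -> ('192.168.122.3', 22); also handles the 32-hex-digit IPv6 form."""
    ip_hex, port_hex = hexaddr.split(':')
    words = [int(ip_hex[i:i + 8], 16) for i in range(0, len(ip_hex), 8)]
    raw = b''.join(struct.pack(_ORDER + 'I', w) for w in words)
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, raw), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp or tcp6 text into dicts with local/remote endpoints, state, uid and inode."""
    socks = []
    for line in text.splitlines()[1:]:          # skip the column header
        f = line.split()
        if len(f) < 10:
            continue
        socks.append({'local': parse_addr(f[1]), 'remote': parse_addr(f[2]),
                      'state': int(f[3], 16), 'uid': int(f[7]), 'inode': int(f[9])})
    return socks


def inode_to_pids(fd_links):
    """Invert {'/proc/<pid>/fd/<n>': 'socket:[inode]'} into {inode: [(pid, fd), ...]}."""
    out = {}
    for path, target in fd_links.items():
        m = re.fullmatch(r'socket:\[(\d+)\]', target)
        if m:
            parts = path.split('/')
            out.setdefault(int(m.group(1)), []).append((int(parts[2]), int(parts[4])))
    return out


def who_owns(local, remote, socks, fd_links, comm_of):
    """Return sorted (comm, pid, fd) for sockets bound to local (and, if given, connected to remote)."""
    inodes = inode_to_pids(fd_links)
    hits = set()
    for s in socks:
        if s['local'] == local and (remote is None or s['remote'] == remote):
            for pid, fd in inodes.get(s['inode'], []):
                hits.add((comm_of(pid), pid, fd))
    return sorted(hits)


def scan_proc_fds():
    """Live equivalent of SAMPLE_FD_LINKS: readlink every /proc/<pid>/fd/<n> (root sees every process)."""
    links = {}
    for pid in filter(str.isdigit, os.listdir('/proc')):
        fd_dir = f'/proc/{pid}/fd'
        try:
            entries = os.listdir(fd_dir)
        except OSError:                      # not our process and not root
            continue
        for fd in entries:
            try:
                links[f'{fd_dir}/{fd}'] = os.readlink(f'{fd_dir}/{fd}')
            except OSError:                  # fd closed between listdir and readlink
                pass
    return links


def read_comm(pid):
    try:
        with open(f'/proc/{pid}/comm') as fh:
            return fh.read().strip()
    except OSError:
        return '?'


if __name__ == '__main__':
    # Usage: sudo python3 sockowner.py 192.168.122.3 22 [192.168.122.1 40662]
    local = (sys.argv[1], int(sys.argv[2]))
    remote = (sys.argv[3], int(sys.argv[4])) if len(sys.argv) > 4 else None
    socks = []
    for path in ('/proc/net/tcp', '/proc/net/tcp6'):
        with open(path) as fh:
            socks += parse_proc_net_tcp(fh.read())
    for comm, pid, fd in who_owns(local, remote, socks, scan_proc_fds(), read_comm):
        print(f'{comm} pid={pid} fd={fd}')
```

Two caveats worth keeping in mind: this only works on the host that owns the socket while the connection exists, so for a pcap you need a socket-to-process log (e.g. ss or conntrack-style polling, or an audit/eBPF hook) captured at the same time; and a socket can be held by several processes at once, as the two sshd pids on one inode show.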
