It supports ETW as an input format, but I (personally) haven't yet gotten my head around how to do the same.
My current workflow is capture with pktmon, then analysis in Microsoft Network Monitor to expose PID stuff.
I figure there /has/ to be a way to do it similarly in Wireshark, I just haven't found a how-to and haven't dug into it myself. Once I do (it's on my casual todo list) I'll do a writeup on that as well, since it'd be super useful.
ptcpdump: https://github.com/mozillazg/ptcpdump :
> ptcpdump is a tcpdump-compatible packet analyzer powered by eBPF, automatically annotating packets with process/container/pod metadata when detectable. Inspired by jschwinger233/skbdump.
awesome-ebpf > Tools: https://github.com/zoidyzoidzoid/awesome-ebpf#tools
opensnitch is an egress firewall that displays PIDs: https://github.com/evilsocket/opensnitch
edgeshark: https://github.com/siemens/edgeshark :
> Discover and capture container network traffic from your comfy desktop Wireshark, using a containerized service and a Wireshark plugin.
Looks like it's possible to select containers from a GUI form with edgeshark. Perhaps something similar for process selection?