{"id":19973,"date":"2025-10-14T10:17:30","date_gmt":"2025-10-14T14:17:30","guid":{"rendered":"https:\/\/nuxx.net\/blog\/?p=19973"},"modified":"2025-10-14T10:17:32","modified_gmt":"2025-10-14T14:17:32","slug":"wireshark-4-6-0-supports-macos-pktap-metadata-pid-process-name-etc","status":"publish","type":"post","link":"https:\/\/nuxx.net\/blog\/2025\/10\/14\/wireshark-4-6-0-supports-macos-pktap-metadata-pid-process-name-etc\/","title":{"rendered":"Wireshark 4.6.0 Supports macOS pktap Metadata (PID, Process Name, etc.)"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><a href=\"https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2025\/10\/image.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"502\" src=\"https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2025\/10\/image-1024x502.png\" alt=\"\" class=\"wp-image-19974\" srcset=\"https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2025\/10\/image-1024x502.png 1024w, https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2025\/10\/image-300x147.png 300w, https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2025\/10\/image-768x377.png 768w, https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2025\/10\/image-1536x754.png 1536w, https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2025\/10\/image-2048x1005.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Four years after my post on doing <a href=\"https:\/\/nuxx.net\/blog\/2021\/10\/29\/network-capture-with-process-name-and-pid-on-macos\/\" data-type=\"post\" data-id=\"19460\">network captures on macOS with Process ID<\/a>, <a href=\"https:\/\/www.wireshark.org\/docs\/relnotes\/wireshark-4.6.0.html\">Wireshark 4.6.0 has been released<\/a> which includes support for parsing this extra metadata, including the process info.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So how do you do it? Easy! You just need the <code>pktap<\/code> interface parameter.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">From the <a href=\"https:\/\/manp.gs\/mac\/1\/tcpdump\">tcpdump(1) man page<\/a>:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">Alternatively, to capture on more than one interface at a time, one may use &#8220;pktap&#8221; as the <em>interface<\/em> parameter followed by an optional list of comma separated interface names to include. For example, to capture on the loopback and en0 interface:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tcpdump -i pktap,lo0,en0<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">An <em>interface<\/em> argument of &#8220;all&#8221; or &#8220;pktap,all&#8221; can be used to capture packets from all interfaces, including loopback and tunnel interfaces. A pktap pseudo interface provides for packet metadata using the default PKTAP data link type and files are written in the Pcap-ng file format. The RAW data link type must be used to force to use the legacy <strong>pcap-savefile<\/strong>(5) file format with a ptkap pseudo interface. Note that captures on a ptkap pseudo interface will not be done in promiscuous mode.<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Therefore, we just need something like:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tcpdump -i pktap,en0 -w outfile.pcapng<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">or<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tcptump -i pktap,all host 192.168.0.6 -w outfile.pcapng<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">And then open <code>outfile.pcapng<\/code> in <em>Wireshark <\/em>and under <em>Frame <\/em>\u2192 <em>Process Information<\/em> you can find the process name, PID, etc. (See screenshot above.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Filtering can be done with <code>frame.darwin.process_info<\/code> as listed <a href=\"https:\/\/www.wireshark.org\/docs\/dfref\/f\/frame.html\">here<\/a>. For example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>frame.darwin.process_info.pname == \"firefox\"<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">or<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>frame.darwin.process_info.pid == 92046<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This is super helpful to figure out both what unexpected network traffic is being generated by and the inverse, what a process is doing on the network. And now thanks to Wireshark 4.6.0 it&#8217;s even easier.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Four years after my post on doing network captures on macOS with Process ID, Wireshark 4.6.0 has been released which includes support for parsing this extra metadata, including the process info. So how do you do it? Easy! You just need the pktap interface parameter. From the tcpdump(1) man page: Alternatively, to capture on more\u2026<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-19973","post","type-post","status-publish","format-standard","hentry","category-computers"],"_links":{"self":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/19973","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/comments?post=19973"}],"version-history":[{"count":1,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/19973\/revisions"}],"predecessor-version":[{"id":19975,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/19973\/revisions\/19975"}],"wp:attachment":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/media?parent=19973"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/categories?post=19973"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/tags?post=19973"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}