{"id":19973,"date":"2025-10-14T10:17:30","date_gmt":"2025-10-14T14:17:30","guid":{"rendered":"https:\/\/nuxx.net\/blog\/?p=19973"},"modified":"2025-10-14T10:17:32","modified_gmt":"2025-10-14T14:17:32","slug":"wireshark-4-6-0-supports-macos-pktap-metadata-pid-process-name-etc","status":"publish","type":"post","link":"https:\/\/nuxx.net\/blog\/2025\/10\/14\/wireshark-4-6-0-supports-macos-pktap-metadata-pid-process-name-etc\/","title":{"rendered":"Wireshark 4.6.0 Supports macOS pktap Metadata (PID, Process Name, etc.)"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><a href=\"https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2025\/10\/image.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"502\" src=\"https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2025\/10\/image-1024x502.png\" alt=\"\" class=\"wp-image-19974\" srcset=\"https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2025\/10\/image-1024x502.png 1024w, https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2025\/10\/image-300x147.png 300w, https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2025\/10\/image-768x377.png 768w, https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2025\/10\/image-1536x754.png 1536w, https:\/\/nuxx.net\/blog\/wp-content\/uploads\/2025\/10\/image-2048x1005.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n<\/div>\n\n\n<p>Four years after my post on doing <a href=\"https:\/\/nuxx.net\/blog\/2021\/10\/29\/network-capture-with-process-name-and-pid-on-macos\/\" data-type=\"post\" data-id=\"19460\">network captures on macOS with Process ID<\/a>, <a href=\"https:\/\/www.wireshark.org\/docs\/relnotes\/wireshark-4.6.0.html\">Wireshark 4.6.0 has been released<\/a> which includes support for parsing this extra metadata, including the process info.<\/p>\n\n\n\n<p>So how do you do it? Easy! 
You just need the <code>pktap<\/code> interface parameter.<\/p>\n\n\n\n<p>From the <a href=\"https:\/\/manp.gs\/mac\/1\/tcpdump\">tcpdump(1) man page<\/a>:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Alternatively, to capture on more than one interface at a time, one may use &#8220;pktap&#8221; as the <em>interface<\/em> parameter followed by an optional list of comma separated interface names to include. For example, to capture on the loopback and en0 interface:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tcpdump -i pktap,lo0,en0<\/pre>\n\n\n\n<p>An <em>interface<\/em> argument of &#8220;all&#8221; or &#8220;pktap,all&#8221; can be used to capture packets from all interfaces, including loopback and tunnel interfaces. A pktap pseudo interface provides for packet metadata using the default PKTAP data link type and files are written in the Pcap-ng file format. The RAW data link type must be used to force to use the legacy <strong>pcap-savefile<\/strong>(5) file format with a pktap pseudo interface. Note that captures on a pktap pseudo interface will not be done in promiscuous mode.<\/p>\n<\/blockquote>\n\n\n\n<p>Therefore, we just need something like:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tcpdump -i pktap,en0 -w outfile.pcapng<\/code><\/pre>\n\n\n\n<p>or (options such as <code>-w<\/code> go before the filter expression, since macOS tcpdump stops option parsing at the first non-option argument):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tcpdump -i pktap,all -w outfile.pcapng host 192.168.0.6<\/code><\/pre>\n\n\n\n<p>And then open <code>outfile.pcapng<\/code> in <em>Wireshark<\/em> and under <em>Frame<\/em> \u2192 <em>Process Information<\/em> you can find the process name, PID, etc. (See screenshot above.)<\/p>\n\n\n\n<p>Filtering can be done with <code>frame.darwin.process_info<\/code> as listed <a href=\"https:\/\/www.wireshark.org\/docs\/dfref\/f\/frame.html\">here<\/a>. 
For example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>frame.darwin.process_info.pname == \"firefox\"<\/code><\/pre>\n\n\n\n<p>or<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>frame.darwin.process_info.pid == 92046<\/code><\/pre>\n\n\n\n<p>This is super helpful for figuring out both which process is generating unexpected network traffic and, inversely, what a given process is doing on the network. And now, thanks to Wireshark 4.6.0, it&#8217;s even easier.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Four years after my post on doing network captures on macOS with Process ID, Wireshark 4.6.0 has been released which includes support for parsing this&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/nuxx.net\/blog\/2025\/10\/14\/wireshark-4-6-0-supports-macos-pktap-metadata-pid-process-name-etc\/\">Continue reading<span class=\"screen-reader-text\">Wireshark 4.6.0 Supports macOS pktap Metadata (PID, Process Name, etc.)<\/span><\/a><\/div>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-19973","post","type-post","status-publish","format-standard","hentry","category-computers","entry"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/19973","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/comments?post=19973"}],"version-history":[{"count":1,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/19973\/revisions"}],"predecessor-version":[{"id":19975,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/19973\/revisions\/19975"}],"wp:attachment":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/media?parent=19973"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/categories?post=19973"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/tags?post=19973"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}