
Is there a quick way to determine what applications are present within a Wireshark capture? If so, how?

As most captures contain over 10 thousand lines, I can't expect people to check by hand which ports have been utilised and the applications associated with each, for each of 10 thousand lines (most of which are TCP packets).

So is there a quick way, from a Wireshark capture, to determine which applications have been mentioned?

Usage

1 Answer


Wireshark sits too low in the network stack to have any information on which processes sent or received traffic. The trick is to know something about what you're looking for - it shouldn't take that long to isolate traffic by Source IP, Destination IP, Source Port or Destination Port.

Dan
  • But for that to be the case you'd either need to know which applications are going to be detected (which defeats the point of checking), or you'll need to know such information about every single application ever developed. Unless I'm missing something. – Usage Apr 05 '16 at 12:14
  • @Usage, but if you don't have that, Wireshark would have to know about every single application ever developed. Including the one I just wrote five minutes ago and sent some traffic. – dsolimano Apr 05 '16 at 12:46
  • @Usage I'm just not sure what your use case is. I use Wireshark fairly often and I always know SOMETHING about what I'm diagnosing. I don't know how you could use Wireshark without understanding what you're looking for. What's your use case here - I've never heard of anyone proactively looking at Wireshark logs just for fun. – Dan Apr 05 '16 at 12:54
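The answer's point is that a capture carries IPs and ports, not process names, so the closest you get to "which applications" is a per-port/per-protocol tally that you then interpret. Wireshark's own version of this is Statistics > Protocol Hierarchy (or `tshark -r capture.pcap -q -z io,phs` on the command line, and `-z conv,tcp` for per-conversation counts). The script below is an added example, not code from the answer or from the Wireshark project: it builds a small constructed pcap in memory, parses it with only the standard library, and counts packets per transport protocol and guessed server port, labelling a handful of assumed well-known ports. It assumes a classic (not pcapng) little- or big-endian pcap with an Ethernet link type and IPv4 traffic; `WELL_KNOWN_PORTS` and `SAMPLE_FLOWS` are constructed for the example.

```python
import socket
import struct
from collections import Counter

# Assumption: a small well-known-port table for the example; a real triage
# script would read /etc/services or defer to Wireshark's dissectors instead.
WELL_KNOWN_PORTS = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_NAMES = {6: "tcp", 17: "udp"}


def _ipv4_frame(src_ip, dst_ip, proto, sport, dport):
    """Constructed sample frame: Ethernet + IPv4 + (TCP or UDP) header, no payload."""
    if proto == 6:
        # 20-byte TCP header: ports, seq, ack, data offset 5 (0x50), SYN flag, window
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    else:
        # 8-byte UDP header: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    total_len = 20 + len(l4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b"\x00" * 6 + b"\x00" * 5 + b"\x01" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def build_pcap(flows):
    """Serialise constructed frames as a little-endian classic pcap byte string."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, flow in enumerate(flows):
        frame = _ipv4_frame(*flow)
        # Record header: ts_sec, ts_usec, included length, original length
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(data):
    """Yield raw frames from a classic pcap file, accepting either byte order."""
    if data[:4] == struct.pack("<I", PCAP_MAGIC):
        endian = "<"
    elif data[:4] == struct.pack(">I", PCAP_MAGIC):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled in this example")
    pos = 24
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def summarize_services(data):
    """Count packets per (transport, guessed server port, label) across the capture.

    The server side is taken to be a well-known port if either end uses one,
    otherwise the lower port number. This is a heuristic over port numbers,
    not process attribution: nothing in the capture says which program sent it.
    """
    counts = Counter()
    for frame in iter_packets(data):
        if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue  # skip non-IPv4 frames (ARP, IPv6, ...)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
        name = IPPROTO_NAMES.get(ip[9])   # protocol field at offset 9
        if name is None or len(ip) < ihl + 4:
            continue  # not TCP/UDP, or truncated before the port fields
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        if dport in WELL_KNOWN_PORTS:
            server_port = dport
        elif sport in WELL_KNOWN_PORTS:
            server_port = sport
        else:
            server_port = min(sport, dport)
        counts[(name, server_port, WELL_KNOWN_PORTS.get(server_port, "unknown"))] += 1
    return counts


# Constructed sample traffic: an HTTPS request/response pair, one DNS query,
# and one TCP flow to a port the table does not know.
SAMPLE_FLOWS = [
    ("10.0.0.5", "93.184.216.34", 6, 51000, 443),
    ("93.184.216.34", "10.0.0.5", 6, 443, 51000),
    ("10.0.0.5", "10.0.0.1", 17, 40000, 53),
    ("10.0.0.5", "10.0.0.9", 6, 52000, 8443),
]

if __name__ == "__main__":
    for (name, port, label), n in sorted(summarize_services(build_pcap(SAMPLE_FLOWS)).items()):
        print(f"{name}/{port:<5} {label:<8} {n} packet(s)")
```

On the sample data this reports two packets on tcp/443 (https), one on udp/53 (dns) and one on tcp/8443 labelled unknown. The "unknown" bucket is the useful part for a defender: a port table, like Wireshark's port-based dissector guesses, only tells you what normally runs on a port, and as the answer's comments note, a freshly written program can speak anything on any port. Unlabelled or unexpected ports are where to start filtering by source and destination in Wireshark, and if you need actual process names you have to collect them on the endpoint (for example with host-side connection logging) and correlate by IP, port and time.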