microsoft / etl2pcapng

Utility that converts an .etl file containing a Windows network packet capture into .pcapng format.
MIT License
630 stars 114 forks

Add a comment to each packet containing the process id (PID) #15

Closed DidierStevens closed 4 years ago

DidierStevens commented 4 years ago

Added code to add a comment with the process id (PID) to each packet.

https://twitter.com/DidierStevens/status/1211035501920210946

Maybe introduce a command-line option for this.

msftclas commented 4 years ago

CLA assistant check
All CLA requirements met.

DidierStevens commented 4 years ago

Thanks for the review.

I use it for dynamic malware analysis: run the malware in a VM while doing netsh capture. Then I use Message Analyzer, which displays the PID (and also TID). While preparing a diary entry for SANS ISC's diary, I noticed that Message Analyzer is discontinued, and no longer available for download. Did some more searching for alternative solutions, and found etl2pcapng. Worked very well, but missed the PID, so adapted source code.

When performing dynamic malware analysis, it can sometimes be difficult to distinguish network traffic from Windows services & processes, and network traffic from the malware sample. Having the PID of the malware sample makes it far easier, even when this information is far from 100% reliable.

Often the network traffic from a malware sample is TCP, and then just a single packet with the PID of the malware is enough in Wireshark, as I can then filter on the TCP stream number and have the complete TCP stream, even if not all TCP packets of this stream have the correct PID.

As I suggested in my PR, you can also make this optional. Introduce a command-line flag to include the PID as a comment or not.
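As an added example (not code from the etl2pcapng project or from this PR), the snippet below shows how a pcapng Enhanced Packet Block carries the per-packet comment option the PR adds, and how an analysis script can read the PID back out of each packet. The comment text `PID=<n>`, the packet bytes and the PIDs are constructed assumptions, not values taken from this page.

```python
import struct

OPT_COMMENT, OPT_END = 1, 0                        # pcapng option codes
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # block type codes

def _option(code, data):
    """Encode one pcapng option: code, length, value padded to a 4-byte boundary."""
    return struct.pack("<HH", code, len(data)) + data + b"\0" * (-len(data) % 4)

def _block(block_type, body):
    """Wrap a block body with the type/length header and the trailing length."""
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)

def build_pcapng(packets):
    """packets: iterable of (raw_bytes, pid). Each EPB gets a 'PID=<n>' comment (assumed format)."""
    shb = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))  # magic, v1.0, unknown length
    idb = _block(IDB, struct.pack("<HHI", 1, 0, 65535))             # LINKTYPE_ETHERNET, snaplen
    out = shb + idb
    for ts, (data, pid) in enumerate(packets):                      # packet index doubles as timestamp
        hdr = struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(data), len(data))
        body = hdr + data + b"\0" * (-len(data) % 4)                 # packet data, padded
        body += _option(OPT_COMMENT, f"PID={pid}".encode()) + _option(OPT_END, b"")
        out += _block(EPB, body)
    return out

def read_pid_comments(blob):
    """Walk the blocks; for every EPB return the PID parsed from its comment (None if absent)."""
    pids, off = [], 0
    while off < len(blob):
        btype, blen = struct.unpack_from("<II", blob, off)
        if btype == EPB:
            caplen = struct.unpack_from("<I", blob, off + 20)[0]
            pid, pos = None, off + 28 + caplen + (-caplen % 4)       # options start after padded data
            end = off + blen - 4                                     # stop before trailing length
            while pos + 4 <= end:
                code, olen = struct.unpack_from("<HH", blob, pos)
                if code == OPT_END:
                    break
                val = blob[pos + 4:pos + 4 + olen]
                if code == OPT_COMMENT and val.startswith(b"PID="):
                    pid = int(val[4:])
                pos += 4 + olen + (-olen % 4)
            pids.append(pid)
        off += blen
    return pids

if __name__ == "__main__":
    # Constructed sample packets: bogus Ethernet frames tagged with made-up PIDs.
    sample = build_pcapng([(b"\x01" * 14 + b"payload", 4321), (b"\x02" * 20, 777)])
    print(read_pid_comments(sample))  # [4321, 777]
```

Wireshark shows the comment in the packet details (and via the `frame.comment` field), which is what lets an analyst pick one packet by PID and then follow its TCP stream.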

maolson-msft commented 4 years ago

Sounds good to me! Make those minor changes and then let’s merge it. I don’t think we need to add a command line option for it.

DidierStevens commented 4 years ago

I pushed the changes, and I also retested before pushing.