microsoft / etl2pcapng

Utility that converts an .etl file containing a Windows network packet capture into .pcapng format.
MIT License
607 stars 114 forks

TCP PID always 4 #75

Closed mkurkute closed 6 months ago

mkurkute commented 6 months ago

Please see attached screenshot. TCP protocol always has PID 4, expected is 3492.

maolson-msft commented 6 months ago

Hi @mkurkute, this is a known shortcoming documented in the Usage section of the readme, which I've pasted below. Unfortunately there's no practical fix for this problem, because the layer of the network stack at which packets are captured is below the layer at which packets are matched to applications' sockets. So if you use the PID annotations, you have to treat it as a fuzzy signal. (The outbound packets tend to be marked with the correct PID, since they tend to be issued to NDIS in the actual application thread, although even this is not guaranteed.)

[From README.md:] The output pcapng file will have a comment on each packet indicating the PID of the current process when the packet was logged. WARNING: this is frequently not the same as the actual PID of the process which caused the packet to be sent or to which the packet was delivered, since the packet capture provider often runs in a DPC (which runs in an arbitrary process). The user should keep this in mind when using the PID information.
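The thread above says the per-packet PID comment is only a fuzzy signal: inbound packets are usually logged in DPC context (so they carry the PID of whatever process happened to be current, often 4, the System process), while outbound packets are more often logged in the sending application's thread. The script below is an added example, not part of etl2pcapng or this issue: it builds a small pcapng file with constructed frames and comments, reads the Enhanced Packet Block comment options back out, and tallies PIDs per remote endpoint split by direction, then makes a best guess by preferring outbound PIDs and ignoring PID 4 whenever any other PID was observed. The comment format `PID=<n>`, the addresses, the ports and the PID values are assumptions chosen for the sample.

```python
"""Read pcapng per-packet PID comments and treat them as a fuzzy owner signal (added example)."""
import re
import struct
from collections import Counter, defaultdict

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006   # pcapng block types
PID_RE = re.compile(r"PID=(\d+)")   # assumed comment format, e.g. "PID=3492"
SYSTEM_PID = 4                      # Windows System process; DPC-context packets tend to land here


def _opt(code, data):
    """One pcapng option (code, length, value, pad to 32 bits)."""
    return struct.pack("<HH", code, len(data)) + data + b"\0" * ((-len(data)) % 4)


def _block(btype, body):
    """pcapng block: type, total length, body, total length again."""
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def make_tcp(src, sport, dst, dport):
    """Constructed minimal Ethernet/IPv4/TCP frame (zero checksums; enough for header parsing)."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp


def build_sample_pcapng(packets):
    """Constructed pcapng bytes: SHB, one Ethernet IDB, then one EPB per (comment, frame)."""
    out = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    out += _block(IDB, struct.pack("<HHI", 1, 0, 65535))
    for n, (comment, frame) in enumerate(packets):
        body = struct.pack("<IIIII", 0, 0, n, len(frame), len(frame))   # iface, ts hi, ts lo, caplen, origlen
        body += frame + b"\0" * ((-len(frame)) % 4)
        body += _opt(1, comment.encode()) + _opt(0, b"")                 # opt_comment, opt_endofopt
        out += _block(EPB, body)
    return out


def iter_packets(data):
    """Yield (comment, frame) for each Enhanced Packet Block of a little-endian pcapng."""
    off = 0
    while off + 12 <= len(data):
        btype, blen = struct.unpack_from("<II", data, off)
        if btype == EPB:
            caplen = struct.unpack_from("<I", data, off + 20)[0]
            frame = data[off + 28: off + 28 + caplen]
            opts = data[off + 28 + caplen + (-caplen) % 4: off + blen - 4]
            comment, o = "", 0
            while o + 4 <= len(opts):
                code, ln = struct.unpack_from("<HH", opts, o)
                if code == 0:
                    break
                if code == 1:
                    comment = opts[o + 4: o + 4 + ln].decode("utf-8", "replace")
                o += 4 + ln + (-ln) % 4
            yield comment, frame
        off += blen


def tcp_tuple(frame):
    """Return (src, sport, dst, dport) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return src, sport, dst, dport


def pid_report(data, local_ip):
    """Per remote endpoint: Counter of PIDs seen on outbound vs inbound packets."""
    report = defaultdict(lambda: {"out": Counter(), "in": Counter()})
    for comment, frame in iter_packets(data):
        t, m = tcp_tuple(frame), PID_RE.search(comment)
        if not t or not m:
            continue
        pid = int(m.group(1))
        src, sport, dst, dport = t
        if src == local_ip:
            report[(dst, dport)]["out"][pid] += 1
        else:
            report[(src, sport)]["in"][pid] += 1
    return dict(report)


def likely_pid(counts):
    """Fuzzy owner guess: prefer outbound PIDs; drop PID 4 whenever any other PID was seen."""
    cands = (Counter({p: c for p, c in counts["out"].items() if p != SYSTEM_PID})
             or Counter({p: c for p, c in counts["in"].items() if p != SYSTEM_PID}))
    return cands.most_common(1)[0][0] if cands else SYSTEM_PID


if __name__ == "__main__":
    me, peer = "10.0.0.5", "93.184.216.34"   # constructed addresses
    sample = build_sample_pcapng([
        ("PID=3492", make_tcp(me, 50000, peer, 443)),   # outbound, logged in the app thread
        ("PID=4", make_tcp(peer, 443, me, 50000)),      # inbound, logged in DPC context
        ("PID=4", make_tcp(peer, 443, me, 50000)),
        ("PID=3492", make_tcp(me, 50000, peer, 443)),
        ("PID=4", make_tcp(me, 50000, peer, 443)),      # outbound but still attributed to System
    ])
    for ep, counts in pid_report(sample, me).items():
        print(ep, "out:", dict(counts["out"]), "in:", dict(counts["in"]), "-> likely PID", likely_pid(counts))
```

Run as-is to see the constructed sample summarised per endpoint; point `iter_packets` at the bytes of a real etl2pcapng output (and adjust `PID_RE` if the tool's comment text differs) to get the same per-direction tally for a real trace. The guess is deliberately conservative: when every packet of a flow is stamped with PID 4, the script reports 4 rather than inventing an owner, which is the honest answer given how the capture provider attributes packets.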