> On Apr 28, 2025, at 12:00 PM, Omer Shapira <omer_shap...@apple.com> wrote:
>
>> On Apr 25, 2025, at 6:18 PM, Guy Harris <ghar...@sonic.net> wrote:
>>
>> On Apr 25, 2025, at 12:49 PM, Guy Harris <ghar...@sonic.net> wrote:
>>
>>> To quote a comment from Wireshark's epan/dissectors/file-pcapng-darwin.c
>>> file (which dissects Process Event Blocks if you're using Wireshark as
>>> "Fileshark" on a pcapng file that contains Process Event Blocks; there is
>>> currently no code to handle Process Event Blocks if you're reading a
>>> capture file to see the packets rather than to see the file's structure):
>>>
>>> /*
>>>  * Apple's Pcapng Darwin Process Event Block
>>>  *
>>>  * A Darwin Process Event Block (DPEB) is an Apple defined container
>>>  * for information describing a Darwin process.
>>>  *
>>>  * Tools that write / read the capture file associate an incrementing
>>>  * 32-bit number (starting from '0') to each Darwin Process Event Block,
>>
>> By the way, what constitutes an "event" here?
>
> Sadly, those are not "events", see below.
>
>> Are all process creations logged with a PEB, or does one appear when the
>> first packet associated with a process is sent or received?
>>
>> Is a process exiting, or doing an exec-family call, logged?
>
> Darwin PEBs (DPEBs) do not contain any timing information, and do not
> pretend to reflect the scheduler state machine. Rather, the DPEBs only
> contain the description of processes, and the order in which DPEBs appear in
> pcapng is dictated by the order of the "first appearance" of a particular
> process in the EPB.
>
> In other words, the Darwin tcpdump will only inject a DPEB when it sees a
> packet which is associated with a process that has not been observed before.
>
> In yet other words, DPEBs are a way to compress the per-packet information
> so that the (expensive) information about the process wouldn't have to be
> repeated for every packet.
To add to that. FWIW, the Darwin tcpdump refers to what Wireshark calls DPEBs by the name of "PIBs" - "process information blocks", e.g. https://github.com/apple-opensource-mirror/tcpdump/blob/master/tcpdump/tcpdump.c#L3297

Hence, the name "event", which suggests some sort of discrete timing information and some kind of state machine, is misleading in this case.

>> See also other process information block ideas, such as:
>>
>> https://github.com/IETF-OPSAWG-WG/draft-ietf-opsawg-pcap/issues/164
>>
>> https://github.com/google/linux-sensor/blob/master/hone-pcapng.txt and
>> https://github.com/HoneProject/Linux-Sensor/wiki/Augmented-PCAP-Next-Generation-Dump-File-Format
>
> Those ideas appear to be related but not the *same*. I would rather not increase
> the scope of the current discussion, but keep those in mind.
_______________________________________________ Wireshark-dev mailing list -- wireshark-dev@wireshark.org To unsubscribe send an email to wireshark-dev-le...@wireshark.org
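A small model of the "first appearance" rule discussed in the thread, added here as an example; it is not code from Apple's tcpdump or from Wireshark, and the block fields (pid/name tuple, a bare index, an EPB back-reference) are simplified assumptions rather than the real on-disk layout. It shows a writer that emits a DPEB/PIB only the first time a process is seen, assigning indices 0, 1, 2, ... in order, and a reader-side check that every EPB references a DPEB that has already appeared.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union
Process = Tuple[int, str]  # (pid, name): what a DPEB describes, simplified here
@dataclass
class DPEB:                # Darwin Process Event Block, a.k.a. "PIB"
    index: int             # 32-bit number assigned in order, starting at 0
    proc: Process
@dataclass
class EPB:                 # Enhanced Packet Block (only the fields needed here)
    ts: int
    proc_index: int        # back-reference to a DPEB index (assumed field)
    length: int
Block = Union[DPEB, EPB]
class DarwinWriter:
    """Inject a DPEB only on a process's first appearance, then reference it."""
    def __init__(self) -> None:
        self._index: Dict[Process, int] = {}
        self.blocks: List[Block] = []

    def write_packet(self, ts: int, proc: Process, length: int) -> None:
        if proc not in self._index:
            idx = len(self._index)
            if idx > 0xFFFFFFFF:             # the index is a 32-bit field
                raise OverflowError("DPEB index space exhausted")
            self._index[proc] = idx
            self.blocks.append(DPEB(idx, proc))   # goes out before the packet
        self.blocks.append(EPB(ts, self._index[proc], length))

def validate(blocks: List[Block]) -> List[str]:
    """Reader-side checks: indices run 0,1,2,... and no EPB refers to a DPEB
    that has not appeared yet (the ordering dependency noted in the thread)."""
    problems, seen = [], {}
    for n, b in enumerate(blocks):
        if isinstance(b, DPEB):
            if b.index != len(seen):
                problems.append(f"block {n}: DPEB index {b.index}, expected {len(seen)}")
            seen[b.index] = b.proc
        elif b.proc_index not in seen:
            problems.append(f"block {n}: EPB references unknown DPEB {b.proc_index}")
    return problems

# Constructed sample: three packets from two processes (not real capture data).
SAMPLE = [(1, (501, "curl"), 80), (2, (502, "ssh"), 120), (3, (501, "curl"), 64)]

def demo() -> List[Block]:
    w = DarwinWriter()
    for ts, proc, n in SAMPLE:
        w.write_packet(ts, proc, n)
    return w.blocks
```

Running demo() yields DPEB, EPB, DPEB, EPB, EPB: the second curl packet reuses index 0 instead of repeating the process description, and validate() flags a file whose leading DPEB was dropped.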