I'm following the suggestions in this question to allow filtering packets by process ID in a Windows 10 system.
@OneAndOnly recently suggested WinShark, which has a GitHub page here.
It describes the process using "netsh trace" to capture packets and make them available in Wireshark.
As suggested, I ran these commands from an elevated prompt:
C:\WINDOWS\system32>netsh.exe trace start capture=yes report=no correlation=no
Trace configuration:
-------------------------------------------------------------------
Status: Running
Trace File: C:\Users\******\AppData\Local\Temp\NetTraces\NetTrace.etl
Append: Off
Circular: On
Max Size: 512 MB
Report: Off
C:\WINDOWS\system32>logman start Winshark-PacketCapture -p "Microsoft-Windows-NDIS-PacketCapture" -rt -ets
The command completed successfully.
C:\WINDOWS\system32>
I then started Wireshark 4.2.4, following the instruction to "Then launch Wireshark with administrator privileges and select Winshark-PacketCapture interface:"
Unfortunately, there is no Winshark-PacketCapture interface in the list of interfaces.
I looked in the ...\AppData\Local\Temp\NetTraces\ directory, and NetTrace.etl is zero bytes after running for 15-20 minutes of activity. How can I proceed to be able to filter network traffic on process ID?
Edit - after shutting down the capture with ">netsh.exe trace stop", it displayed output that included "Generating data collection ... done" and wrote a 450 Mbyte NetTrace.etl file. Wireshark still does not offer the Winshark-PacketCapture interface.
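A PowerShell check, added here and not part of the question or of the Winshark project, that verifies the pieces this procedure depends on: that the prompt is elevated, that the Winshark-PacketCapture ETW session is live with the Microsoft-Windows-NDIS-PacketCapture provider attached, and what state netsh trace and the ETL file are in. The session name and the ETL path are the ones from the question; the script only reports, it changes nothing.

```powershell
# Added diagnostic; assumes the session name and ETL path shown in the question.
$sessionName = "Winshark-PacketCapture"
$etlPath     = Join-Path $env:LOCALAPPDATA "Temp\NetTraces\NetTrace.etl"

# 1. Elevation: ETW packet-capture sessions and the NDIS provider need administrator rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Elevated prompt: $isAdmin"

# 2. Live ETW sessions: 'logman query -ets' lists sessions that are actually running,
#    as opposed to stored data-collector definitions ('logman query' without -ets).
$liveSessions   = logman query -ets 2>&1
$sessionRunning = [bool]($liveSessions | Select-String -SimpleMatch $sessionName)
"ETW session '$sessionName' running: $sessionRunning"

# 3. If the session is up, confirm the NDIS packet-capture provider is attached to it.
if ($sessionRunning) {
    $providerLine = logman query $sessionName -ets 2>&1 |
        Select-String -SimpleMatch "Microsoft-Windows-NDIS-PacketCapture"
    "NDIS-PacketCapture provider attached: $([bool]$providerLine)"
}

# 4. netsh trace state (running / not running) and the current size of the ETL file.
netsh trace show status
if (Test-Path $etlPath) {
    "ETL file: $etlPath ({0} bytes)" -f (Get-Item $etlPath).Length
} else {
    "ETL file not present: $etlPath"
}
```

Run it from the same elevated prompt used for the netsh and logman commands; if the session shows as not running, Wireshark has no ETW session to expose as an interface regardless of what netsh trace is doing.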
