How to Capture Network Packets Per Pid

Filter by process/PID in Wireshark

I don't see how. The PID doesn't make it onto the wire (generally speaking), plus Wireshark allows you to look at what's on the wire - potentially all machines which are communicating over the wire. Process IDs aren't unique across different machines, anyway.

Capture TCP traffic from a known process when it starts

You can use the tcpdump command to capture the traffic from/to your machine.
The size of the packets, port, interface, protocol and lots of other parameters are covered by it.
For example: sudo tcpdump -i eth0 src/dst xxx.xxx.xxx.xxx port x

For more detail, please check the tcpdump manual page.
Note: be careful about writing the output to a file, because the result of the packet capture command will be huge.

BR,

Capture pid of process using port 6881 only once every 15 min

You can't do this with TCPDump, obviously, but you can do this from the host itself. Especially since it's UDP with no state, and since you can't predict when the process will be listening, you should look into using the kernel audit capabilities. For example:

 auditctl -a exit,always -F arch=b64 -F a0=2 -F a1\&=2 -S socket -k SOCKET

This instructs the kernel to generate an audit event whenever there is a socket call. With this done, you can then wait until you see the suspicious packet leave the machine and then use ausearch to track down not only the process, but the binary that made the call.

Can WinPcap be used to capture network traffic per process?

I doubt it. WinPcap is a Windows version of libpcap on Unix, and libpcap can't do it.

You could try a two-step process: find the local ports used by the application and filter on that. I don't know how to find that on Windows.
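The Linux counterpart of that two-step process, as an added example that is not part of the original answer: read the socket inodes a PID holds from /proc/<pid>/fd, match them against the rows of /proc/net/tcp and /proc/net/tcp6 to recover the local ports, then turn those ports into a tcpdump/dumpcap capture filter. The function names and the sample /proc/net/tcp table embedded below are this example's own (the table is constructed, not captured from a real host); only the /proc layout and the tcpdump filter syntax are real.

```shell
#!/bin/sh
# Added example, not from the original answer. Linux only: map a PID to the
# local TCP ports it currently owns via /proc, then build a capture filter.
# Function names and the sample table below are this example's own.

# Print the socket inode numbers held open by a PID, space-separated,
# by reading the "socket:[NNN]" symlinks under /proc/<pid>/fd.
socket_inodes_of_pid() {
    for fd in /proc/"$1"/fd/*; do
        link=$(readlink "$fd" 2>/dev/null) || continue
        case "$link" in
            "socket:["*"]")
                link=${link#socket:[}
                printf '%s ' "${link%]}"
                ;;
        esac
    done
}

# Read /proc/net/tcp (or tcp6) rows on stdin and print, in decimal, the
# local port of every row whose inode (field 10) is in the list given as $1.
# local_address (field 2) is hexIP:hexPORT. The header row never matches,
# because its tenth field is a column name rather than an inode number.
ports_for_inodes() {
    wanted=" $1 "
    while read -r _sl laddr _rem _st _q _tr _retr _uid _to inode _rest; do
        case "$wanted" in
            *" $inode "*) printf '%s\n' "$((0x${laddr##*:}))" ;;
        esac
    done
}

# Join decimal ports into a BPF expression such as
# "tcp port 8080 or tcp port 41954".
ports_to_filter() {
    filter=""
    for p in "$@"; do
        filter="${filter:+$filter or }tcp port $p"
    done
    printf '%s\n' "$filter"
}

# Constructed sample in /proc/net/tcp layout: inode 12345 listens on 0x1F90
# (8080), inode 12346 is a client connection from 0xA3E2 (41954), and inode
# 99999 belongs to some other process and must be ignored.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 99999 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A3E2 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0'

# Usage: sh capture_filter_for_pid.sh <pid>
# Prints the tcpdump command line matching that PID's current TCP ports.
if [ -n "${1:-}" ]; then
    pid=$1
    inodes=$(socket_inodes_of_pid "$pid")
    ports=$(cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | ports_for_inodes "$inodes" | sort -nu)
    if [ -z "$ports" ]; then
        echo "pid $pid holds no TCP sockets right now" >&2
        exit 1
    fi
    # $ports is split on whitespace on purpose: one argument per port
    printf 'sudo tcpdump -i any -w pid-%s.pcap "%s"\n' "$pid" "$(ports_to_filter $ports)"
fi
```

The filter is a snapshot: a process that opens short-lived connections will use ephemeral ports that are not in the table when you look, so re-run the script or, for a process that has not started yet, use the kernel audit approach from the earlier answer instead. The port list is also only as trustworthy as the host's /proc, which is fine for your own machine but not for attributing traffic seen on the wire from elsewhere.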

Network capture toolset that stores a buffer and saves on a trigger

You could try running a script that launches 2 instances of dumpcap, one to capture all traffic into a ring buffer of limited duration and files, and the other instance to merely wait for the capture event in question. Once the capture event occurs, the 2nd instance of dumpcap could terminate, sleep for 1 minute, and then the remaining dumpcap instance could be killed. For example:


#!/bin/sh
echo "Starting capture instance ..."
dumpcap -i eth0 -f "TBD Capture Filter" -b duration:180 -b files:2 -w file.pcapng &
echo "Starting event instance ..."
dumpcap -i eth0 -f "TBD Event Capture Filter" -c 1
echo "Got event; sleeping for 60 seconds ..."
sleep 60
echo "Killing all dumpcap instances ..."
killall dumpcap
echo "Done."

When capturing has finished, you should be left with up to 2 files containing the last 6 minutes (maximum) of data. You can even add a mergecap command to the script to merge the 2 files together if you wish: mergecap -F pcapng file.pcapng file_*.pcapng.

And in case the 2nd dumpcap instance leaves behind its temporary capture file, you can clean that up as well if you wish, e.g., rm -f /tmp/wireshark*

Capture network traffic on two different ports simultaneously

Problem solved. It was actually very simple; I should have tried it before.

But thanks, I got my idea just by looking at your answers.

I think it is the beauty of Stack Overflow: if we could find an exact answer, we can invent it through the discussion.

 $ tcpdump -X -s0 protochain 50 or 51

