fix: DNS and Hosts network tables support multiple process attributions #3021
When multiple processes query the same hostname or connect to the same IP, the network tables previously showed only one process badge. Renders one badge per attributed process in both Network tab and Overview tab.
- `_dns.html` / `_dns_not_ajax.html`: iterate `p.processes` list for the Process Name (PID) cell; fall back to legacy single-field render.
- `_hosts_not_ajax.html`: sync multi-process badge iteration to match the AJAX version.
Code Review
This pull request updates the network analysis templates to support displaying multiple processes per entry using badges and improves the visual consistency of empty fields. Feedback was provided regarding the logic for constructing the tooltip title in the hosts template, which could result in leading separators or ambiguous port displays when certain process attributes are missing.
| {% if host.processes %} | ||
| {% for p in host.processes %} | ||
| <span class="badge bg-warning text-dark" | ||
| title="{% if p.source %}source: {{p.source}}{% endif %}{% if p.resolved_hostname %} | resolved via {{p.resolved_hostname}}{% endif %}{% if p.protocol %} | {{p.protocol}}{% endif %}{% if p.dst_port %}:{{p.dst_port}}{% endif %}"> |
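Review bot: On the `title="…"` line, `p.source`, `p.resolved_hostname`, `p.protocol` and `p.dst_port` are interpolated into a double-quoted attribute, and `resolved_hostname` appears to be a name taken from the analysed processes' lookups, so the tooltip is only safe while template auto-escaping stays in effect for this file. Keep these variables free of `|safe` and outside any `{% autoescape off %}` block, and consider building the tooltip string in the view so the four chained `{% if %}` tests and the escaping sit in one testable place.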
The logic for constructing the title attribute has a couple of issues that can lead to a confusing tooltip:
- If the first attribute (`p.source`) is not present, but a subsequent one is (e.g., `p.resolved_hostname`), the title will start with a `|` separator, like `| resolved via example.com`.
- If `p.protocol` is not present but `p.dst_port` is, the port will be appended to the preceding text without a space or context, which could be misleading (e.g., `source: behavior:8080`).
The suggested change ensures that separators are only placed between elements and that the port is always displayed with its protocol.
{% spaceless %}title="{% if p.source %}source: {{ p.source }}{% endif %}{% if p.resolved_hostname %}{% if p.source %} | {% endif %}resolved via {{ p.resolved_hostname }}{% endif %}{% if p.protocol %}{% if p.source or p.resolved_hostname %} | {% endif %}{{ p.protocol }}{% if p.dst_port %}:{{ p.dst_port }}{% endif %}{% endif %}"{% endspaceless %}
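The separator problem discussed in this review comment, worked through as an added example that is not code from the PR or from CAPEv2: the tooltip is assembled from the parts that are present and joined, then escaped for a double-quoted attribute. The function names `badge_title` and `title_attr` are hypothetical, and showing a port without a protocol as `port N` is an assumption of this sketch.

```python
from html import escape


def badge_title(p: dict) -> str:
    """Build the tooltip text from whichever attribution fields are present.

    Collecting the parts first and joining them means a separator can only
    ever appear between two rendered parts, never at the start or end.
    """
    parts = []
    if p.get("source"):
        parts.append(f"source: {p['source']}")
    if p.get("resolved_hostname"):
        parts.append(f"resolved via {p['resolved_hostname']}")
    proto, port = p.get("protocol"), p.get("dst_port")
    if proto and port:
        parts.append(f"{proto}:{port}")
    elif proto:
        parts.append(str(proto))
    elif port:
        # Assumption: a bare port is still shown, but labelled so it cannot
        # be read as part of the preceding field.
        parts.append(f"port {port}")
    return " | ".join(parts)


def title_attr(p: dict) -> str:
    """Render title="..." with the text escaped for a double-quoted attribute."""
    return f'title="{escape(badge_title(p), quote=True)}"'


# Constructed sample records covering the cases raised in the review.
SAMPLES = [
    {"source": "behavior", "resolved_hostname": "example.com",
     "protocol": "tcp", "dst_port": 443},
    {"resolved_hostname": "example.com"},          # no source
    {"source": "behavior", "dst_port": 8080},      # port without protocol
    {"resolved_hostname": 'a"b<c'},                # value needing escaping
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(title_attr(sample))
```

In a Django template the plain string from `badge_title` would be passed through `{{ }}` and left to auto-escaping; `title_attr` escapes explicitly only because this sketch runs outside a template engine.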
Pull request overview
Updates CAPEv2’s analysis UI templates so DNS and Hosts network tables can display multiple process attributions per row (while preserving a fallback for older analyses that only have process_name / process_id).
Changes:
- Render one badge per attributed process when `processes` is present on DNS/Hosts records.
- Keep legacy single-attribution rendering as a fallback when `processes` is absent.
- Normalize “missing value” rendering for ASN and process columns using a muted `-`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| web/templates/analysis/network/_hosts_not_ajax.html | Align non-AJAX Hosts table with the multi-process badge rendering used elsewhere; improve empty ASN/process display. |
| web/templates/analysis/network/_dns.html | Add multi-process badge iteration for DNS rows with legacy fallback. |
| web/templates/analysis/network/_dns_not_ajax.html | Mirror the DNS multi-process badge rendering for non-AJAX views with legacy fallback. |
Refactor title attribute in badge span for better readability.
Summary
When multiple processes query the same hostname or connect to the same IP (e.g. both `javaw.exe` and `python.exe` resolve `pypi.org`), the DNS and Hosts tables previously showed only the first attributed process. This PR renders one badge per attributed process.

Companion to the `network_etw` module changes where `ProcessFlowIndex._dns_host_to_pid` was changed from a single-value dict to a list, and `for_host_all()` was added to return all attributions. DNS records now include a `processes` list field alongside the legacy `process_name`/`process_id` fields.

Changes
- `_dns.html`/`_dns_not_ajax.html`: Iterate `p.processes` for the Process Name (PID) column; fall back to legacy single-field render for analyses that predate this change.
- `_hosts_not_ajax.html`: Sync multi-process badge iteration to match the AJAX version (which already supported it).

Test plan
`p.processes`

🤖 Generated with Claude Code