How can I capture network traffic of a single process?


Solution 1

Indeed there is a way, using the Wireshark filters. But you cannot filter directly by process name or PID (because they are not network quantities).

You should first figure out the protocols and the ports used by your process (the netstat command in the previous comment works well).

Then use Wireshark to filter the inbound (or outbound) port with the one you just retrieved. That should isolate the incoming and outgoing traffic of your process.

Solution 2

To start and monitor a new process:

strace -f -e trace=network -s 10000 PROCESS ARGUMENTS

To monitor an existing process with a known PID:

strace -p $PID -f -e trace=network -s 10000
  • -f is for "follow new processes"
  • -e defines a filter
  • -s sets the limit of strings to more than 32
  • -p takes the process id to attach to
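Solution 1 needs the ports first and Solution 2 shows every connect()/sendto() the process makes, including the short-lived ones netstat never lists; the script below (an added example, not from any answer on this page) joins the two by turning a saved strace network trace into a tcpdump/Wireshark capture filter. The sample trace is constructed; only AF_INET sockaddrs are used, so AF_UNIX/AF_NETLINK lines and IPv6 (sin6_addr) are skipped.

```shell
#!/bin/sh
# Added example, not from any answer here: turn "strace -f -e trace=network" output
# into a capture filter. strace sees every connect()/sendto(), so short-lived
# connections that netstat misses are included. Only AF_INET sockaddrs count;
# AF_UNIX/AF_NETLINK lines (and IPv6 sin6_addr) are skipped.

# Constructed sample of "strace -f -e trace=network" output (not a real trace).
SAMPLE_TRACE='[pid  4242] connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 0
[pid  4242] sendto(3, "example query", 13, MSG_NOSIGNAL, NULL, 0) = 13
[pid  4242] connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
[pid  4243] connect(5, {sa_family=AF_UNIX, sun_path="/run/dbus/system_bus_socket"}, 110) = 0
[pid  4242] connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = 0'

# Read strace output on stdin; print one unique "IP PORT" pair per AF_INET sockaddr.
strace_endpoints() {
    awk '
        /sa_family=AF_INET,/ {
            if (!match($0, /sin_port=htons\([0-9]+\)/)) next
            port = substr($0, RSTART + 15, RLENGTH - 16)      # drop sin_port=htons( and )
            if (!match($0, /sin_addr=inet_addr\("[0-9.]+"\)/)) next
            ip = substr($0, RSTART + 20, RLENGTH - 22)        # drop sin_addr=inet_addr(" and ")
            key = ip " " port
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Join the pairs into a tcpdump/Wireshark capture filter that matches both
# directions: (host A and port P) or (host B and port Q) ...
endpoints_to_filter() {
    strace_endpoints | awk '
        { terms[NR] = "(host " $1 " and port " $2 ")" }
        END { for (i = 1; i <= NR; i++) printf "%s%s", (i > 1 ? " or " : ""), terms[i]; if (NR) print "" }'
}

# Demo on the sample. With a real trace (strace writes to stderr, or use -o):
#   strace -f -e trace=network -s 10000 -o net.trace PROGRAM ARGS
#   tcpdump -i any -w proc.pcap "$(endpoints_to_filter < net.trace)"
printf '%s\n' "$SAMPLE_TRACE" | endpoints_to_filter
```

The filter only covers endpoints the traced run actually contacted, so a process that picks new dynamic ports on each run needs a fresh trace.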

Solution 3

I know this thread is a bit old but I think this might help some of you:

If your kernel allows it, capturing the network traffic of a single process is very easily done by running the said process in an isolated network namespace and using wireshark (or other standard networking tools) in the said namespace as well.

The setup might seem a bit complex, but once you understand it and become familiar with it, it will ease your work so much.

To do so:

  • create a test network namespace:

    ip netns add test
    
  • create a pair of virtual network interfaces (veth-a and veth-b):

    ip link add veth-a type veth peer name veth-b
    
  • change the active namespace of the veth-a interface:

    ip link set veth-a netns test
    
  • configure the IP addresses of the virtual interfaces:

    ip netns exec test ifconfig veth-a up 192.168.163.1 netmask 255.255.255.0
    ifconfig veth-b up 192.168.163.254 netmask 255.255.255.0
    
  • configure the routing in the test namespace:

    ip netns exec test route add default gw 192.168.163.254 dev veth-a
    
  • activate ip_forward and establish a NAT rule to forward the traffic coming in from the namespace you created (you have to adjust the network interface and SNAT ip address):

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -s 192.168.163.0/24 -o <your internet interface, e.g. eth0> -j SNAT --to-source <your ip address>
    

    (You can also use the MASQUERADE rule if you prefer)

  • finally, you can run the process you want to analyze in the new namespace, and wireshark too:

    ip netns exec test thebinarytotest
    ip netns exec test wireshark
    

    You'll have to monitor the veth-a interface.
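The steps above wrapped into one script with cleanup, as an added example that is not part of this answer (a comment below asks for exactly this). It assumes the names and the 192.168.163.0/24 subnet from the answer, uses ip(8) instead of ifconfig/route and the MASQUERADE variant instead of SNAT, finds the uplink from the default route, and captures on veth-a with tcpdump rather than Wireshark so it can run unattended; the setup and teardown commands are emitted as text so they can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from any answer on this page: the namespace recipe above as a
# script, run as root:  ./pcap-netns.sh OUT.pcap PROGRAM [ARGS...]
# It uses ip(8) in place of ifconfig/route, MASQUERADE in place of SNAT, captures on
# veth-a with tcpdump while PROGRAM runs, and tears everything down when it exits.
set -eu
NS=test; VETH_A=veth-a; VETH_B=veth-b                       # names from the answer above
SUBNET=192.168.163.0/24; NS_IP=192.168.163.1; HOST_IP=192.168.163.254
# Interface behind the default route (e.g. eth0); this is the -o of the NAT rule.
uplink_iface() {
    ip -o route show default | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Emit the setup commands for uplink $1 as text, so they can be reviewed (or
# checked) without root; main() pipes them into sh.
setup_commands() {
    cat <<EOF
ip netns add $NS
ip link add $VETH_A type veth peer name $VETH_B
ip link set $VETH_A netns $NS
ip netns exec $NS ip addr add $NS_IP/24 dev $VETH_A
ip netns exec $NS ip link set $VETH_A up
ip addr add $HOST_IP/24 dev $VETH_B
ip link set $VETH_B up
ip netns exec $NS ip route add default via $HOST_IP dev $VETH_A
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s $SUBNET -o $1 -j MASQUERADE
EOF
}

# Undo setup_commands; deleting veth-b also removes its peer inside the namespace.
teardown_commands() {
    cat <<EOF
iptables -t nat -D POSTROUTING -s $SUBNET -o $1 -j MASQUERADE
ip link del $VETH_B
ip netns del $NS
EOF
}
main() {
    [ $# -ge 2 ] || { echo "usage: $0 OUT.pcap PROGRAM [ARGS...]" >&2; return 2; }
    out=$1; shift; up=$(uplink_iface)
    trap 'teardown_commands "$up" | sh' EXIT                # clean up even if PROGRAM fails
    setup_commands "$up" | sh -e
    ip netns exec "$NS" tcpdump -i "$VETH_A" -U -w "$out" &  # capture where veth-a lives
    sleep 1                                                  # let tcpdump attach first
    ip netns exec "$NS" "$@" || echo "PROGRAM exited with status $?" >&2
    kill $! && wait $! || true                               # stop tcpdump, flush OUT.pcap
}
[ $# -eq 0 ] || main "$@"
```

Lekensteyn's caveat below still applies: inside the namespace the process cannot reach services on the host's loopback or abstract UNIX sockets, so D-Bus-dependent programs may behave differently.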

Solution 4

netstat -taucp | grep <pid or process name>

That will show the connections an application is making including the port being used.

Solution 5

Just an idea: Is it possible to bind your application to a different IP address? If so, you can use the usual suspects (tcpdump, etc.)

Tools for applications which are not capable of binding to another IP address:

http://freshmeat.net/projects/fixsrcip

fixsrcip is a tool for binding outgoing TCP and UDP client sockets (IPv4) to specific source IP addresses on multi-homed hosts

http://freshmeat.net/projects/force_bind

force_bind allows you to force binding on a specific IP and/or port. It works with both IPv4 and IPv6.

Kees Cook

Chrome OS Developer. Ubuntu Developer and Member of Technical Board. Debian Developer.

Updated on September 17, 2022

Comments

  • Kees Cook
    Kees Cook over 1 year

    I would like to examine the network traffic being handled by a single process, but simple network captures won't work since I am dealing with such a busy system (lots of other traffic happening at the same time). Is there a way to isolate a tcpdump or wireshark capture to the networking traffic of a single specific process? (Using netstat is insufficient.)

  • Kees Cook
    Kees Cook over 13 years
    This would show connections that exist for that instant, but it won't provide a log of the traffic itself.
  • Admin
    Admin over 13 years
    Unfortunately, iptables -m owner --pid-owner $PID was removed in Linux 2.6.14: ftp.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.14
  • Kees Cook
    Kees Cook over 13 years
    For a simple connection, this is possible, but I need to track DNS, HTTP, etc, that are all rushing past, so there isn't a simple way to just use netstat and simple network capture filters on a busy machine.
  • OpenNingia
    OpenNingia over 13 years
    Ok, HTTP and DNS public ports are used by a lot of application, but the corresponding private port is unique. So why don't you try filtering by the private port?
  • Kees Cook
    Kees Cook over 13 years
    Because rapid small requests won't be seen by netstat; I'll only be able to catch long-lived connections. :(
  • The Unix Janitor
    The Unix Janitor over 13 years
    what if the process uses dynamic ports at run time, then you're not going to be able to use static port filters
  • Huygens
    Huygens over 13 years
    I think you've here the best answer... Sadly a network sniffing tool works at the lowest level of the net stack, trying to catch everything, it's completely unaware of processes running on the OS. It'd be extremely difficult to find out what's originated a certain call. A packet sniffer could eventually figure out (via the port number) a process ID but cannot figure out which process did a DNS lookup as this is completely independent (that's most probably the kernel net stack that triggered the call). But with filtering and stopping other processes you should be able to achieve your goal.
  • Kees Cook
    Kees Cook over 13 years
    Most applications don't support specifying their source IP, but this actually might be possible by using a container with CLONE_NEWNET but not CLONE_NEWNS.
  • belacqua
    belacqua over 13 years
    Additionally, depending on your situation, you might be able to profile your network activity (through netstat (looped, piped and sorted), wireshark, etc.) before your target process goes, and compare it to the traffic snapshot while your process is running. Essentially you'll be subtracting the typical stuff, and looking for the aberrations (i.e., your process activity). Cumbersome, but doable under some circumstances.
  • Robin Green
    Robin Green almost 12 years
    This is useful because it can be used without having root access or special permissions (on some Linux distributions, anyway - on Ubuntu you may need special permissions).
  • tremendows
    tremendows over 10 years
    Not sure about the Kees Cook comment. A simple netstat shows info about connections for an instant, but with the flag -c you get a snapshot of that state every second (see 'man netstat'). Maybe it does not have all the traffic, but is not a unique snapshot of the connections.
  • Flint
    Flint almost 10 years
    Alternatively, you can create a network namespace and run your app inside it www.evolware.org/?p=293
  • gertvdijk
    gertvdijk over 9 years
    Nice project, but... "Tracedump currently runs on 32-bit Linux hosts only" kills it for me, unfortunately.
  • resultsway
    resultsway over 9 years
    but this works only for outgoing, what about incoming?
  • Lekensteyn
    Lekensteyn about 9 years
    Great idea, but beware of the "limitations". Since this is a separate namespace, you cannot communicate with local processes in the default namespace using the loopback address(es) or UNIX domain sockets. The latter affects communication over D-Bus.
  • dannysauer
    dannysauer about 9 years
    Adding in an "-e trace=network" prunes down some of the output, at the expense of losing the data which is actually written to the network. If you only care about "number of sockets opened" or similar, this makes things easier.
  • zakmck
    zakmck over 8 years
    This is also useful, because it can be run against an already-launched process and is available on virtually any Linux box.
  • randunel
    randunel over 8 years
    @Lekensteyn you can still use unix domain sockets across network namespaces afaik. The file system is not isolated by them.
  • Lekensteyn
    Lekensteyn over 8 years
    @randunel I should have been more precise on that. What I meant to say is that Unix domain sockets in the "abstract socket namespace" (which does not use the filesystem) cannot directly be accessed between network namespaces. As a workaround, you can use a proxy such as socat.
  • Reinier Post
    Reinier Post almost 8 years
    Well, I'm sure. This will not capture all network traffic of a process.
  • Reinier Post
    Reinier Post almost 8 years
    Not good enough. The question is to capture all network traffic, not just whatever happens to be active at the times you happen to check.
  • Zanna
    Zanna almost 8 years
    That's cool, but I think it would be nice to include some more details for how to get it and use it :)
  • Jonas Danielsson
    Jonas Danielsson almost 8 years
    Thanks! I provided a link to the github repo which holds a README.md file which has usage and examples, and download instructions!
  • ntc2
    ntc2 over 7 years
    What IP address do you use with the --to-source argument to iptables? Is this the IP address of the interface you pass to the -o option, an IP address you make up, or ??? I tried the masquerade version that doesn't need --to-source, as described here, and that worked!
  • simplegamer
    simplegamer over 6 years
    All of this seems to require root access.
  • Frederick Nord
    Frederick Nord over 5 years
    It'd be so nice if someone made a script out of that. Like logpcap -- thebinarytotest or so.
  • Lupen
    Lupen over 5 years
    This was useful for figuring out which port number was being blocked by an internal firewall. It showed the TCP SYNs (along with destination address and port number) being sent by the command I was running.
  • Alexander Mills
    Alexander Mills about 4 years
    any way to monitor all processes owned by a non-root user?
  • Admin
    Admin about 2 years
    perverse use of old and new network tools together :)