How can I capture network traffic of a single process?
Solution 1
Indeed there is a way, using the Wireshark filters. But you cannot filter directly by process name or PID (because they are not network quantities).
You should first figure out the protocols and the ports used by your process (the netstat command in the previous comment works well).
Then use Wireshark to filter the inbound (or outbound) port with the one you just retrieved. That should isolate the incoming and outgoing traffic of your process.
Solution 2
To start and monitor a new process:
strace -f -e trace=network -s 10000 PROCESS ARGUMENTS
To monitor an existing process with a known PID:
strace -p $PID -f -e trace=network -s 10000
- -f is for "follow new processes"
- -e defines a filter
- -s sets the limit of strings to more than 32
- -p takes the process id to attach to
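An added example, not part of the answer above: a small shell function that summarises which endpoints a traced process (and, with -f, its children) tried to reach, parsed from the output of the strace invocation shown above. The sample log it runs on is constructed to look like strace's output; the pid numbers and addresses in it are made up.

```shell
#!/bin/sh
# Added example (not from the answer): summarise outbound endpoints from an strace log
# produced with `strace -f -e trace=network -s 10000 -o trace.log PROCESS ARGS`.
# Only outbound attempts are counted (connect/sendto/sendmsg); IPv4 via inet_addr(), IPv6 via inet_pton().

strace_net_summary() {
  # stdin: strace log; stdout: "<count> <pid> <ip:port>", most frequent first
  awk '
    /connect\(|sendto\(|sendmsg\(/ {
      # strace adds a "[pid  NNN]" prefix only once it follows more than one process;
      # lines without a prefix belong to the traced process itself, labelled "main" here
      pid = "main"
      if (match($0, /^\[pid +[0-9]+\]/)) { pid = substr($0, 6, RLENGTH - 6); gsub(/ /, "", pid) }
      if ($0 !~ /sin6?_port=htons\(/) next        # no sockaddr_in/in6 on this line (e.g. AF_UNIX)
      port = $0; sub(/.*sin6?_port=htons\(/, "", port); sub(/\).*/, "", port)
      addr = $0
      if (addr ~ /inet_addr\("/) { sub(/.*inet_addr\("/, "", addr); sub(/".*/, "", addr) }
      else if (addr ~ /inet_pton\(AF_INET6, "/) { sub(/.*inet_pton\(AF_INET6, "/, "", addr); sub(/".*/, "", addr); addr = "[" addr "]" }
      else next
      count[pid " " addr ":" port]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Constructed sample of what strace prints: a parent (4241) doing two TCP connects and a forked child (4242) doing DNS
sample_strace_log() {
  cat <<'EOF'
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("93.184.216.34")}, 16) = 0
[pid  4242] socket(AF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 4
[pid  4242] sendto(4, "\x9a\x1b\x01\x00", 32, MSG_NOSIGNAL, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 32
[pid  4242] sendto(4, "\x9a\x1c\x01\x00", 32, MSG_NOSIGNAL, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 32
[pid  4242] recvfrom(4, "\x9a\x1b\x81\x80", 512, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, [16]) = 80
[pid  4241] connect(5, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("93.184.216.34")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid  4241] connect(6, {sa_family=AF_INET6, sin6_port=htons(443), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2606:2800:220:1:248:1893:25c8:1946", &sin6_addr), sin6_scope_id=0}, 28) = 0
EOF
}

# On a real trace: strace_net_summary < trace.log
sample_strace_log | strace_net_summary
```

Non-blocking connect() calls that return EINPROGRESS are counted as attempts, since the destination is what matters when checking where a process talks to.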
Solution 3
I know this thread is a bit old but I think this might help some of you:
If your kernel allows it, capturing the network traffic of a single process is very easily done by running the said process in an isolated network namespace and using wireshark (or other standard networking tools) in the said namespace as well.
The setup might seem a bit complex, but once you understand it and become familiar with it, it will ease your work so much.
To do so:
- create a test network namespace:
  ip netns add test
- create a pair of virtual network interfaces (veth-a and veth-b):
  ip link add veth-a type veth peer name veth-b
- change the active namespace of the veth-a interface:
  ip link set veth-a netns test
- configure the IP addresses of the virtual interfaces:
  ip netns exec test ifconfig veth-a up 192.168.163.1 netmask 255.255.255.0
  ifconfig veth-b up 192.168.163.254 netmask 255.255.255.0
- configure the routing in the test namespace:
  ip netns exec test route add default gw 192.168.163.254 dev veth-a
- activate ip_forward and establish a NAT rule to forward the traffic coming in from the namespace you created (you have to adjust the network interface and SNAT IP address):
  echo 1 > /proc/sys/net/ipv4/ip_forward
  iptables -t nat -A POSTROUTING -s 192.168.163.0/24 -o <your internet interface, e.g. eth0> -j SNAT --to-source <your ip address>
  (You can also use the MASQUERADE rule if you prefer)
- finally, you can run the process you want to analyze in the new namespace, and wireshark too:
  ip netns exec test thebinarytotest
  ip netns exec test wireshark
You'll have to monitor the veth-a interface.
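An added example, not the answer's own code: the steps above wrapped into one script that runs a command inside a throwaway network namespace and records everything it sends and receives with tcpdump, then tears the namespace down again. It assumes root, iproute2, iptables and tcpdump; the namespace name (pcapns), the subnet and the veth names are arbitrary choices, and MASQUERADE is used instead of SNAT so no --to-source address is needed.

```shell
#!/bin/sh
# Added example (not from the answer): run COMMAND in its own network namespace and capture
# its traffic on the host end of the veth pair, where only that command's packets appear.
# Assumes root, iproute2, iptables, tcpdump. Names/addresses below are arbitrary choices.
set -eu

NS=${NS:-pcapns}                 # namespace name
SUBNET=${SUBNET:-192.168.163}    # first three octets of the /24 used on the veth pair
OUT=${OUT:-./capture-$$.pcap}    # where tcpdump writes the capture

# Builds the POSTROUTING rule once, so the add (-A) and delete (-D) calls cannot drift apart.
nat_rule() {
  printf 'POSTROUTING -s %s.0/24 -o %s -j MASQUERADE' "$1" "$2"
}

cleanup() {
  # Deleting the namespace removes veth-a and, with it, its peer veth-b.
  [ -n "${UPLINK:-}" ] && iptables -t nat -D $(nat_rule "$SUBNET" "$UPLINK") 2>/dev/null || true
  ip netns del "$NS" 2>/dev/null || true
}

capture_in_netns() {
  UPLINK=${UPLINK:-$(ip route show default | awk '{print $5; exit}')}
  [ -n "$UPLINK" ] || { echo "no default route found; set UPLINK=<iface>" >&2; return 1; }
  trap cleanup EXIT INT TERM
  ip netns add "$NS"
  ip link add veth-a type veth peer name veth-b
  ip link set veth-a netns "$NS"
  ip addr add "$SUBNET.254/24" dev veth-b
  ip link set veth-b up
  ip -n "$NS" addr add "$SUBNET.1/24" dev veth-a
  ip -n "$NS" link set veth-a up
  ip -n "$NS" link set lo up
  ip -n "$NS" route add default via "$SUBNET.254" dev veth-a
  sysctl -qw net.ipv4.ip_forward=1
  iptables -t nat -A $(nat_rule "$SUBNET" "$UPLINK")   # unquoted on purpose: the rule is a word list
  # Capture on the host end of the pair: only the namespaced command's packets cross it.
  tcpdump -i veth-b -U -w "$OUT" &
  TCPDUMP=$!
  sleep 1                                              # give tcpdump time to open the interface
  ip netns exec "$NS" "$@" || echo "command exited with status $?" >&2
  kill "$TCPDUMP" && wait "$TCPDUMP" 2>/dev/null || true
  echo "capture written to $OUT"
}

if [ "$#" -gt 0 ]; then capture_in_netns "$@"; else echo "usage: $0 COMMAND [ARGS...]" >&2; fi
```

If the host's /etc/resolv.conf points at a loopback stub resolver (such as 127.0.0.53), name lookups inside the namespace fail because it has its own loopback; placing a reachable resolver in /etc/netns/pcapns/resolv.conf fixes that, since ip netns exec bind-mounts that file over /etc/resolv.conf for the namespace.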
Solution 4
netstat -taucp | grep <pid or process name>
That will show the connections an application is making including the port being used.
Solution 5
Just an idea: Is it possible to bind your application to a different IP address? If so, you can use the usual suspects (tcpdump, etc.)
Tools for applications which are not capable of binding to another IP address:
- http://freshmeat.net/projects/fixsrcip
  fixsrcip is a tool for binding outgoing TCP and UDP client sockets (IPv4) to specific source IP addresses on multi-homed hosts
- http://freshmeat.net/projects/force_bind
  force_bind allows you to force binding on a specific IP and/or port. It works with both IPv4 and IPv6.
Updated on September 17, 2022
Comments
- Kees Cook over 1 year: I would like to examine the network traffic being handled by a single process, but simple network captures won't work since I am dealing with such a busy system (lots of other traffic happening at the same time). Is there a way to isolate a tcpdump or wireshark capture to the networking traffic of a single specific process? (Using netstat is insufficient.)
- Kees Cook over 13 years: This would show connections that exist for that instant, but it won't provide a log of the traffic itself.
- Admin over 13 years: Unfortunately, iptables -m owner --pid-owner $PID was removed in Linux 2.6.14: ftp.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.14
- Kees Cook over 13 years: For a simple connection, this is possible, but I need to track DNS, HTTP, etc., that are all rushing past, so there isn't a simple way to just use netstat and simple network capture filters on a busy machine.
- OpenNingia over 13 years: Ok, HTTP and DNS public ports are used by a lot of applications, but the corresponding private port is unique. So why don't you try filtering by the private port?
- Kees Cook over 13 years: Because rapid small requests won't be seen by netstat; I'll only be able to catch long-lived connections. :(
- The Unix Janitor over 13 years: What if the process uses dynamic ports at run time? Then you're not going to be able to use static port filters.
- Huygens over 13 years: I think you have here the best answer... Sadly a network sniffing tool works at the lowest level of the net stack, trying to catch everything; it's completely unaware of processes running on the OS. It'd be extremely difficult to find out what originated a certain call. A packet sniffer could eventually figure out (via the port number) a process ID but cannot figure out which process did a DNS lookup, as this is completely independent (that's most probably the kernel net stack that triggered the call). But with filtering and stopping other processes you should be able to achieve your goal.
- Kees Cook over 13 years: Most applications don't support specifying their source IP, but this actually might be possible by using a container with CLONE_NEWNET but not CLONE_NEWNS.
- belacqua over 13 years: Additionally, depending on your situation, you might be able to profile your network activity (through netstat (looped, piped and sorted), wireshark, etc.) before your target process goes, and compare it to the traffic snapshot while your process is running. Essentially you'll be subtracting the typical stuff, and looking for the aberrations (i.e., your process activity). Cumbersome, but doable under some circumstances.
- Robin Green almost 12 years: This is useful because it can be used without having root access or special permissions (on some Linux distributions, anyway; on Ubuntu you may need special permissions).
- tremendows over 10 years: Not sure about the Kees Cook comment. A simple netstat shows info about connections for an instant, but with the flag -c you get a snapshot of that state every second (see 'man netstat'). Maybe it does not have all the traffic, but it is not a unique snapshot of the connections.
- Flint almost 10 years: Alternatively, you can create a network namespace and run your app inside it: www.evolware.org/?p=293
- gertvdijk over 9 years: Nice project, but... "Tracedump currently runs on 32-bit Linux hosts only" kills it for me, unfortunately.
- resultsway over 9 years: But this works only for outgoing; what about incoming?
- Lekensteyn about 9 years: Great idea, but beware of the "limitations". Since this is a separate namespace, you cannot communicate with local processes in the default namespace using the loopback address(es) or UNIX domain sockets. The latter affects communication over D-Bus.
- dannysauer about 9 years: Adding in an "-e trace=network" prunes down some of the output, at the expense of losing the data which is actually written to the network. If you only care about "number of sockets opened" or similar, this makes things easier.
- zakmck over 8 years: This is also useful, because it can be run against an already-launched process and is available on virtually any Linux box.
- randunel over 8 years: @Lekensteyn you can still use Unix domain sockets across network namespaces AFAIK. The file system is not isolated by them.
- Lekensteyn over 8 years: @randunel I should have been more precise on that. What I meant to say is that Unix domain sockets in the "abstract socket namespace" (which does not use the filesystem) cannot directly be accessed between network namespaces. As a workaround, you can use a proxy such as socat.
- Reinier Post almost 8 years: Well, I'm sure. This will not capture all network traffic of a process.
- Reinier Post almost 8 years: Not good enough. The question is to capture all network traffic, not just whatever happens to be active at the times you happen to check.
- Zanna almost 8 years: That's cool, but I think it would be nice to include some more details for how to get it and use it :)
- Jonas Danielsson almost 8 years: Thanks! I provided a link to the GitHub repo, which holds a README.md file that has usage and examples, and download instructions!
- ntc2 over 7 years: What IP address do you use with the --to-source argument to iptables? Is this the IP address of the interface you pass to the -o option, an IP address you make up, or ??? I tried the masquerade version that doesn't need --to-source, as described here, and that worked!
- simplegamer over 6 years: All of this seems to require root access.
- Frederick Nord over 5 years: It'd be so nice if someone made a script out of that. Like logpcap -- thebinarytotest or so.
- Lupen over 5 years: This was useful for figuring out which port number was being blocked by an internal firewall. It showed the TCP SYNs (along with destination address and port number) being sent by the command I was running.
- Alexander Mills about 4 years: Any way to monitor all processes owned by a non-root user?
- Admin about 2 years: Perverse use of old and new network tools together :)