How to trace networking activity of a command?


Solution 1

netstat for simplicity

Using netstat and grepping on the PID or process name:

# netstat -np --inet | grep "thunderbird"
tcp        0      0 192.168.134.142:45348   192.168.138.30:143      ESTABLISHED 16875/thunderbird
tcp        0      0 192.168.134.142:58470   192.168.138.30:443      ESTABLISHED 16875/thunderbird

And you could use watch for dynamic updates:

watch 'netstat -np --inet | grep "thunderbird"'

With:

  • -n: Show numerical addresses instead of trying to determine symbolic host, port or user names
  • -p: Show the PID and name of the program to which each socket belongs.
  • --inet: Only show raw, udp and tcp protocol sockets.

strace for verbosity

You said you tried the strace tool, but did you try the option trace=network? Note that the output can be quite verbose, so you might need some grepping. You could start by grepping on "sin_addr".

 strace -f -e trace=network <your command> 2>&1 | grep sin_addr

Or, for an already running process, use the PID:

 strace -f -e trace=network -p <PID> 2>&1 | grep sin_addr
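The strace approach above, with the extra filtering suggested in the comments (keep only connect() calls, drop DNS lookups on port 53), reduced to one reusable shell function. This is an added example, not part of the original answer; the strace lines it parses are constructed sample output in the format strace prints for AF_INET connect() calls, and only IPv4 sockaddrs are handled.

```sh
#!/bin/sh
# strace_dest: read "strace -f -e trace=network" output on stdin and
# print unique "IP PORT" pairs for outgoing connect() calls.
# DNS traffic (port 53) is dropped so only the real destinations remain.
# Assumes IPv4 (sin_addr=inet_addr("...")); AF_UNIX and IPv6 lines are ignored.
strace_dest() {
    grep 'connect(' \
    | grep 'sin_addr' \
    | grep -v 'sin_port=htons(53)' \
    | sed -n 's/.*sin_port=htons(\([0-9]*\)).*sin_addr=inet_addr("\([0-9.]*\)").*/\2 \1/p' \
    | LC_ALL=C sort -u
}

# Constructed sample of what strace prints for a mail client (not real captured output).
SAMPLE='[pid 16875] socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_IP) = 21
[pid 16875] connect(21, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.134.1")}, 16) = 0
[pid 16875] sendto(21, "\232\1\1\0\0\1", 40, MSG_NOSIGNAL, NULL, 0) = 40
[pid 16875] connect(22, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.168.138.30")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid 16875] connect(23, {sa_family=AF_INET, sin_port=htons(143), sin_addr=inet_addr("192.168.138.30")}, 16) = 0
[pid 16875] connect(24, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
[pid 16875] connect(23, {sa_family=AF_INET, sin_port=htons(143), sin_addr=inet_addr("192.168.138.30")}, 16) = 0'

# demo: run the parser over the constructed sample (real use: pipe strace into strace_dest).
demo() {
    printf '%s\n' "$SAMPLE" | strace_dest
}

demo
```

For a live command, run `strace -f -e trace=network <your command> 2>&1 | strace_dest` (strace writes to stderr, hence the redirect).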

Solution 2

sysdig allows you to monitor all the activity of the kernel or of several commands running on your system in one go, including but not restricted to network activity.

As the output can be large, you have to build filters; the default page for the most basic filters is quite comprehensible.

It also has the advantage that it is not used as an application wrapper, as strace is, and it can be quite powerful.

From Sysdig Examples

Networking

See the top processes in terms of network bandwidth usage

sysdig -c topprocs_net 

Show the network data exchanged with the host 192.168.0.1

As binary:

sysdig -s2000 -X -c echo_fds fd.cip=192.168.0.1   

As ASCII:

sysdig -s2000 -A -c echo_fds fd.cip=192.168.0.1 

See the top local server ports:

In terms of established connections:

sysdig -c fdcount_by fd.sport "evt.type=accept"   

In terms of total bytes:

sysdig -c fdbytes_by fd.sport 

See the top client IPs

In terms of established connections

sysdig -c fdcount_by fd.cip "evt.type=accept"   

In terms of total bytes

sysdig -c fdbytes_by fd.cip 

List all the incoming connections that are not served by apache.

sysdig -p"%proc.name %fd.name" "evt.type=accept and proc.name!=httpd"

Solution 3

I'd create a new network namespace, bridge it over to the real network, and then monitor the bridge with tcpdump.

Solution 4

You could use wireshark to sniff all the input and output traffic of a network interface. In case you need an option without a GUI, you could use tshark.

With both options you can see all the network traffic and save it to later analyze all the connections established.

Author: Buvanesh Kumar

Updated on September 18, 2022

Comments

  • Buvanesh Kumar
    Buvanesh Kumar over 1 year

    I want to trace the networking activity of a command, I tried tcpdump and strace without success.

    For an example, If I am installing a package or using any command that tries to reach some site, I want to view that networking activity (the site it tries to reach).

    I guess we can do this by using tcpdump. I tried, but it is tracking all the networking activity of my system. Let's say I run multiple networking-related commands and I want to track only a particular command's networking activity; in that case it is difficult to find out the exact solution.

    Is there a way to do that?

    UPDATE:

    I don't want to track everything that goes on my network interface. I just want to track the command (for an example #yum install -y vim) networking activity. Such as the site it tries to reach.

    • dirkt
      dirkt almost 7 years
      Put the application in a network namespace, then use tcpdump/wireshark. See e.g. here.
  • Buvanesh Kumar
    Buvanesh Kumar almost 7 years
    As I said earlier, if I run multiple networking-related commands, then how can I know which command is getting which site?
  • Buvanesh Kumar
    Buvanesh Kumar almost 7 years
    This is a more generic answer. I already know that we can track the networking activity of a network interface :). I'm looking for tracking a particular command's network statistics.
  • Ricard Molins
    Ricard Molins almost 7 years
    If you know which ports the command uses you may be able to filter the sniff to limit it to the command you want. However, this may not be doable in your situation.
  • dr_
    dr_ almost 7 years
    +1 for netstat which is IMHO the simplest and neatest solution.
  • Buvanesh Kumar
    Buvanesh Kumar almost 7 years
    @Gohu I did the same for dnf. but no luck. I tried installing some packages using dnf, then I see that the dnf process is running (process name: dnf according to top and ps aux command). Sadly, I didn't get any output from netstat -np --inet | grep "dnf".
  • Buvanesh Kumar
    Buvanesh Kumar almost 7 years
    +1 for strace. It resolved my issue. I am able to get the IP addresses. Thank you so much for your answer :) @Gohu. I guess it is giving all the IP addresses that it reaches over the network (e.g. router IP and other IPs). If you know, is it possible to track only the destination IP?
  • Gohu
    Gohu almost 7 years
    You can try and filter the strace output some more, only keeping connect syscalls and removing dns requests (port 53) with: | grep connect | grep -v 'sin_port=htons(53)'
  • Buvanesh Kumar
    Buvanesh Kumar almost 7 years
    thanks for the answer. It would be great if you tell me how to :).
  • phreed
    phreed almost 5 years
    +1 for the trace-network option on strace
  • ks1322
    ks1322 almost 4 years
    There are examples of how to setup network namespaces in another question unix.stackexchange.com/q/210982/87918