How to trace networking activity of a command?
Solution 1
netstat for simplicity
Using netstat and grepping on the PID or process name:
# netstat -np --inet | grep "thunderbird"
tcp 0 0 192.168.134.142:45348 192.168.138.30:143 ESTABLISHED 16875/thunderbird
tcp 0 0 192.168.134.142:58470 192.168.138.30:443 ESTABLISHED 16875/thunderbird
And you could use watch for dynamic updates:
watch 'netstat -np --inet | grep "thunderbird"'
With:
- -n: Show numerical addresses instead of trying to determine symbolic host, port or user names
- -p: Show the PID and name of the program to which each socket belongs.
- --inet: Only show raw, udp and tcp protocol sockets.
strace for verbosity
You said you tried the strace tool, but did you try the option trace=network?
Note that the output can be quite verbose, so you might need some grepping. You could start by grepping on "sin_addr".
strace -f -e trace=network <your command> 2>&1 | grep sin_addr
Or, for an already running process, use the PID:
strace -f -e trace=network -p <PID> 2>&1 | grep sin_addr
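As an added example (not part of the original answer): a small POSIX shell helper that wraps the strace command above and reduces its output to the distinct destination IP:port pairs, dropping DNS lookups on port 53 as the comment thread suggests. The sample strace lines are constructed, and the function names are my own.

```shell
# Added example: summarise where a command connected, from the output of
# `strace -f -e trace=network`. Only IPv4 (sin_addr) lines are parsed, to
# match the grep in the answer; AF_INET6 connects are ignored.

# dests_from_strace: read strace text on stdin, print unique "IP:PORT" lines.
# Step 1 keeps only connect() calls, step 2 drops DNS (port 53),
# step 3 pulls the port and address out of the sockaddr, step 4 dedupes.
dests_from_strace() {
    grep 'connect(' |
    grep -v 'sin_port=htons(53)' |
    sed -n 's/.*sin_port=htons(\([0-9]*\)).*sin_addr=inet_addr("\([0-9.]*\)").*/\2:\1/p' |
    sort -u
}

# trace_dests: run a command under strace and summarise its destinations.
# strace writes to stderr, so stderr is sent to the pipe and the traced
# command's own stdout is discarded. Example: trace_dests yum install -y vim
trace_dests() {
    strace -f -e trace=network "$@" 2>&1 >/dev/null | dests_from_strace
}

# Constructed sample of strace output (not captured from a real run), so the
# parser can be exercised offline: one DNS lookup, three connects to two
# ports on the same host (one non-blocking), and an unrelated sendto().
SAMPLE_STRACE='[pid 16875] connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.1.1")}, 16) = 0
[pid 16875] connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.168.138.30")}, 16) = 0
[pid 16875] connect(7, {sa_family=AF_INET, sin_port=htons(143), sin_addr=inet_addr("192.168.138.30")}, 16) = 0
[pid 16876] connect(8, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.168.138.30")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid 16876] sendto(9, "...", 6, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.1.1")}, 16) = 6'

# sample_dests: run the parser over the constructed sample.
# Expected output: 192.168.138.30:143 and 192.168.138.30:443, one per line.
sample_dests() {
    printf '%s\n' "$SAMPLE_STRACE" | dests_from_strace
}
```

Save the output of a real run with `-o trace.txt` and feed it to dests_from_strace later if you want to keep the raw trace for review.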
Solution 2
sysdig allows you to monitor all the activity of the kernel or of several commands running in your system in one go, including but not restricted to network activity.
As the output can be large, you have to build filters; the default page for the most basic filters is quite comprehensible.
It also has the advantage that it is not used as an application wrapper as in strace, and it can be quite powerful.
From Sysdig Examples
Networking
See the top processes in terms of network bandwidth usage
sysdig -c topprocs_net
Show the network data exchanged with the host 192.168.0.1
As binary:
sysdig -s2000 -X -c echo_fds fd.cip=192.168.0.1
As ASCII:
sysdig -s2000 -A -c echo_fds fd.cip=192.168.0.1
See the top local server ports:
In terms of established connections:
sysdig -c fdcount_by fd.sport "evt.type=accept"
In terms of total bytes:
sysdig -c fdbytes_by fd.sport
See the top client IPs:
In terms of established connections:
sysdig -c fdcount_by fd.cip "evt.type=accept"
In terms of total bytes:
sysdig -c fdbytes_by fd.cip
List all the incoming connections that are not served by apache.
sysdig -p"%proc.name %fd.name" "evt.type=accept and proc.name!=httpd"
Solution 3
I'd create a new network namespace, bridge it over to the real network, and then monitor the bridge with tcpdump.
Solution 4
You could use wireshark to sniff all the input and output traffic of a network interface. In case you need an option without a GUI, you could use tshark.
With both options you can see all the network traffic and save it to later analyze all the connections established.
Buvanesh Kumar
Updated on September 18, 2022
Comments
-
Buvanesh Kumar over 1 year
I want to trace the networking activity of a command, I tried tcpdump and strace without success.
For example, if I am installing a package or using any command that tries to reach some site, I want to view that networking activity (the site it tries to reach).
I guess we can do this by using tcpdump. I tried, but it is tracking all the networking activity of my system. Let's say I run multiple networking-related commands and I want to track only a particular command's networking activity; in that case it is difficult to find out the exact solution.
Is there a way to do that?
UPDATE:
I don't want to track everything that goes on my network interface. I just want to track the command's (for example #yum install -y vim) networking activity, such as the site it tries to reach.
-
dirkt almost 7 years: Put the application in a network namespace, then use tcpdump/wireshark. See e.g. here.
-
Buvanesh Kumar almost 7 years: As I said earlier, if I run multiple networking-related commands, then how can I know which command is getting which site?
-
Buvanesh Kumar almost 7 years: This is a more generic answer. I already know that we can track the networking activity of a network interface :). I'm looking for tracking a particular command's network statistics.
-
Ricard Molins almost 7 years: If you know which ports the command uses, you may be able to filter the sniff to limit it to the command you want. However, this may not be doable in your situation.
-
dr_ almost 7 years: +1 for netstat, which is IMHO the simplest and neatest solution.
-
Buvanesh Kumar almost 7 years: @Gohu I did the same for dnf, but no luck. I tried installing some packages using dnf, then I see that the dnf process is running (process name: dnf according to top and ps aux command). Sadly, I didn't get any output from netstat -np --inet | grep "dnf".
-
Buvanesh Kumar almost 7 years: +1 for strace. It resolved my issue. I am able to get the IP addresses. Thank you so much for your answer :) @Gohu. I guess it is giving all the IP addresses that it reaches over the network (e.g. router IP and other IPs). If you know, is it possible to track only the destination IP?
-
Gohu almost 7 years: You can try and filter the strace output some more, only keeping connect syscalls and removing dns requests (port 53) with: | grep connect | grep -v 'sin_port=htons(53)'
-
Buvanesh Kumar almost 7 years: Thanks for the answer. It would be great if you could tell me how to :).
-
phreed almost 5 years: +1 for the trace=network option on strace
-
ks1322 almost 4 years: There are examples of how to set up network namespaces in another question: unix.stackexchange.com/q/210982/87918