How can I capture network traffic of a single process?

I would like to examine the network traffic being handled by a single process, but simple network captures won’t work since I am dealing with such a busy system (lots of other traffic happening at the same time). Is there a way to isolate a tcpdump or wireshark capture to the networking traffic of a single specific process? (Using netstat is insufficient.)

Asked By: Kees Cook

||
Source

maybe iptables and ulog can work?
Not that I have an exact recipe, but I think iptables can match processes, once matched you could use ulog.

Answered By: chesty
netstat -taucp | grep <pid or process name>

That will show the connections an application is making including the port being used.

Answered By: Oli

Indeed there is a way, using the Wireshark filters. But you cannot filter directly by process name or PID (because they are not a network quantities).

You should first figure out the protocols and the ports used by your process
(the netstat command in the previous comment works well).

Then use Wireshark to filter the inbound (or outbound) port with the one you just retrieve. That should isolate the incoming and outcoming traffic of your process.

Answered By: OpenNingia

I think you can create a shell script to loop through executing netstat and logging it to a text file. Something like (very rough steps):

echo "press q to quit"
while [ <q is not pressed>]
do
    `netstat -taucp | grep <pid or process name> 1>>logfile.txt`
done

I am not a programmer, so I can’t refine this. But someone here can start from where I left off and create a working script for you.

Answered By: tinhed

Try running the process you’re interested in under strace:

strace ping www.askubuntu.com

It will give you some very detailed information about what your process is doing. As a process can open up any ports it wants to anywhere, using a predefined filter you may miss something.

Another approach would be to use a stripped-down virtual machine or a test machine on your network, and place your process on it in isolation on this. Then you can just use Wireshark to catch all from that machine. You’ll be pretty sure that the traffic you capture will be relevant.

Answered By: The Unix Janitor

To start and monitor an new process:

strace -f -e trace=network -s 10000 PROCESS ARGUMENTS

To monitor an existing process with a known PID:

strace -p $PID -f -e trace=network -s 10000
  • -f is for “follow new processes”
  • -e defines a filter
  • -s sets the limit of strings to more then 32
  • -p takes the process id to attach to
Answered By: Clausi

Just an idea: Is it possible to bind your application to a different IP address? If so, you can use the usual suspects (tcpdump, etc.)

Tools for applications which are not capable of binding to another IP address:

http://freshmeat.net/projects/fixsrcip

fixsrcip is a tool for binding outgoing TCP and UDP client sockets (IPv4) to specific source IP addresses on multi-homed hosts

http://freshmeat.net/projects/force_bind

force_bind allows you to force binding on a specific IP and/or port. It works with both IPv4 and IPv6.

Answered By: Clausi

This is a dirty hack but I’d suggest either a divert or a log target with iptables for a given UID. eg:

iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner $USER -m tcp -j LOG 
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner $USER -m udp -j LOG

It might also be worth looking into something like ‘–log-tcp-sequence’, ‘–log-tcp-options’, ‘–log-ip-options’, ‘–log-uid’ for that log target. Though I suspect that will only help you post process a pcap that includes a ton of other data.

The NFLOG target might be useful if you want to flag packets and then certain tagged packets will be sent over a netlink socket to a process of your choosing. I wonder if that would be useful for hacking up something with wireshark and your specific application running as a specific user?

Answered By: ioerror

Building on the answer by ioerror I suspect you can use iptables --uid-owner to set a marker on the traffic, and then you can ask wireshark to capture only traffic with that marker. You might be able to use a DSCP (differential services marker), flow id or a qos marker.

Or indeed you could use this to send those packets out a different interface, and then capture only on that interface.

Answered By: poolie

You can try tracedump – http://mutrics.iitis.pl/tracedump

It does exactly what you want, you can either give it a process ID or a program to run.

Answered By: pjf

I have come to a similar issue and I was able to sort it out based on this answer by ioerror, using NFLOG as described here:

# iptables -A OUTPUT -m owner --uid-owner 1000 -j CONNMARK --set-mark 1
# iptables -A INPUT -m connmark --mark 1 -j NFLOG --nflog-group 30 
# iptables -A OUTPUT -m connmark --mark 1 -j NFLOG --nflog-group 30 
# dumpcap -i nflog:30 -w uid-1000.pcap

Then you can create run the process in question from a user account that doesn’t do anything else – and voila, you have just isolated and captured traffic from a single process.

Just wanted to post back in case it helps anyone.

Answered By: szymon

I know this thread is a bit old but I think this might help some of you:

If your kernel allows it, capturing the network traffic of a single process is very easily done by running the said process in an isolated network namespace and using wireshark (or other standard networking tools) in the said namespace as well.

The setup might seem a bit complex, but once you understand it and become familiar with it, it will ease your work so much.

So as to do so:

  • create a test network namespace: 

    ip netns add test

  • create a pair of virtual network interfaces (veth-a and veth-b): 

    ip link add veth-a type veth peer name veth-b

  • change the active namespace of the veth-a interface:

    ip link set veth-a netns test

  • configure the IP addresses of the virtual interfaces:

    ip netns exec test ifconfig veth-a up 192.168.163.1 netmask 255.255.255.0
ifconfig veth-b up 192.168.163.254 netmask 255.255.255.0

  • configure the routing in the test namespace:

    ip netns exec test route add default gw 192.168.163.254 dev veth-a

  • activate ip_forward and establish a NAT rule to forward the traffic coming in from the namespace you created (you have to adjust the network interface and SNAT ip address):

    echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.163.0/24 -o <your internet interface, e.g. eth0> -j SNAT --to-source <your ip address>

    (You can also use the MASQUERADE rule if you prefer)

  • finally, you can run the process you want to analyze in the new namespace, and wireshark too:

    ip netns exec test thebinarytotest
ip netns exec test wireshark

    You’ll have to monitor the veth-a interface.

Answered By: felahdab

wireshark bug #1184 is this feature. It was reported in year 2006 and is not implemented as of year 2019.

Answered By: JamesThomasMoon

I wrote a C application that does what is described in the great answer above by felahdab!

See here: nsntrace github repo

Answered By: Jonas Danielsson

As a supplement to @felahdab’s answer, I have written a shell script tool called runnet, which can easily create a network namespace to run specific programs. You can found it here: https://github.com/KB5201314/runnet.

just run

sudo runnet --internet <your cmd>

this will create a separate network namespace.

Then, you can see a interface like runnetxxxxx_vo on your wireshark. You canstart listening on it.

screenshot of wireshark interface list

You can even use the --internet option to control whether to forward traffic to the external network. You can also control which ports are mapped to the host, this is achieved with the power of socat.

Answered By: imlk
Categories: Answers Tags: , ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.