Re: viewing traffic of a process

[Jefferson Ogata <Jefferson.Ogata () noaa gov>]

Michael Welzl wrote:
> How do I view all the traffic from a specific process?
> A process may open and close sockets, change port numbers
> etc. ... is there a way to track all this automatically so that, e.g., I
> only see traffic originating from my email client or received by
> my web browser?

You're better off using the native syscall trace mechanism. E.g. under Linux, 
use "strace -e trace=socket,bind,connect,read,write -f command-and-args". You'll 
get a lot of unrelated output, but what you're looking for should be in there.

Or if you really want the output in pcap format, you could write a shared 
library to redefine connect(2), bind(2), and close(2) and LD_PRELOAD it. The 
shared library can do the underlying call and then start tcpdump with args 
derived from the provided data structure for connect() and bind(), and kill 
tcpdump for close(). You'll have to play games with dlopen, dlsym, etc, and keep 
track of which descriptors you are running tcpdump on.

--
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe