How can I capture network packets per PID?

Question

Anyone know an easy way to ask Linux to "display every internet packet to/from google chrome" or "display every internet packet to/from telnet process with PID 10275"?

The telnet example is not too useful, since I can just use wireshark or tcpdump to see all TCP conversations involving port 23. That and nobody uses telnet anymore. But sniffing all packets to/from complex applications which use many ports seems like a useful thing.

I found some related answers exploring different ways to corroborate ports and PIDs (or programs names) and such, but nothing about packets

• How to tie a network connection to a PID without using lsof or netstat?
• How I can get ports associated to the application that opened them?
• How to do like "netstat -p", but faster?

Looks like someone might have been willing to pay for this answer a while back:

• http://www.freelancer.com/projects/Perl-CGI-C-C/tcpdump-PID-relation.html

NetHogs is useful for quickly seeing what programs are creating traffic over an interface, but it doesn't have a way to capture packets.

Answer 1

Not directly a tcpdump, but can give you info about the network traffic, check https://bytefreaks.net/gnulinux/how-to-capture-all-network-traffic-of-a-single-process

strace -f -e trace=network -s 10000 <PROCESS WITH ARGUMENTS>;

If the process is already started and you know its PID you can use the following 1

strace -f -e trace=network -s 10000 -p <PID>;

Another alternative is more complex, using network namespaces, check the above link or use the tool nsntrace, but either can only work on new process, you can not change existent process network namespaces (AFAIK)

UPDATE: you can also install the tool bpfcc-tools (search for your distro, many have it included already) and use the command sudo tcptracer-bpfcc -v -p (PID) While this will not show the packets, it will list network connections for that pid. You can remove the -p (PID) to list all connections per process. This may be useful for those tracking short live connections, not the network payload.

Answer 2

In my case I wanted to capture syslog traffic but only from rsyslog. It only had one listening port under lsof -p $(pidof rsyslog) and always used that as the source port, so I was able to get the packets using:

tcpdump -i eth0 -A "host 10.0.0.100 and dst port 514 and src port $(lsof -i 4 -a -p `pidof rsyslogd` | grep -Po '(?<=\*:)[0-9]*') and udp"

The grep uses a positive lookbehind assertion to turn the *:portnumber into just the port number.

Answer 3

I would use lsof -i to get the port numbers associated with the application I want. The code would be like this:

process=firefox
for _port in `lsof -i | grep $process | cut -d' ' -f18 | cut -d: -f2 | cut -d'-' -f1`
do
    port=$_port
    [[ "$_port" == +([a-zA-Z]) ]] && port=`cat /etc/services  | grep '^$_port' | cut -d' ' -f12 | cut -d'/' -f1 | uniq | head -n 1`

    echo "tcpdump -w ${port}.pcap port $port &"
    tcpdump -w ${port}.pcap port $port &
done

Note that the output of the commands might be different on different versions/distributions. Therefore, you'd better check the right fileds are cut before using the script.

Also, this script does not monitor the ports that are opened later. For that, I would consider a more complicated script that checks ports regularly (using something like watch)

And remember to kill all of the tcpdump processes afterwards.

Answer 4

Tcpdump can tell you the PID/process a packet comes from/to.
Throw '-k NP' in your options.

Version supported: tcpdump version 4.3.0 -- Apple version 56