tcpdump mailing list archives

Re: bandwidth by user or process id


From: Patrick Kurz <kurzpatrick () ymail com>
Date: Mon, 4 Oct 2010 07:53:37 -0700 (PDT)

Thanks a lot for this detailed answer! I'll check if the dbus service does not 
add too much overhead. Then I could use your Sentry project instead.

One more question: which part of a line from /proc/net/tcp like the following 
has a unique counterpart in the packet captured with pcap?
sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
49: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 6703 2 ffff880123d0c000 0

Is it the "sl" hash slot? Where do I find the equivalent in the captured 
packets? local_address and rem_address are not unique, or did I miss something?

Thanks
Patrick



________________________________
From: Rob Hasselbaum <rob () hasselbaum net>
To: tcpdump-workers () lists tcpdump org
Sent: Mon, October 4, 2010 3:51:39 PM
Subject: Re: [tcpdump-workers] bandwidth by user or process id

On Mon, Oct 4, 2010 at 8:49 AM, Patrick Kurz <kurzpatrick () ymail com> wrote:

Dear all,
I am looking for a solution to monitor bandwidth usage
a) broken up by source and destination ip address
b) broken up by either user or process (pid) which is causing the bandwidth


Yes, it is possible (on Linux, anyway), but not extremely easy. You can
correlate packet data to the kernel's network connection table and network
connections to inode values by reading "/proc/net/tcp*" and
"/proc/net/udp*". Then you can correlate the inodes to file descriptor
entries and get the owning process and user by iterating through the file
descriptor table of each process via "/proc/*/fd".

This is exactly what my project Socket Sentry does. It's a KDE Plasma widget
that displays current network traffic by user, process, etc. And for
developers and non-KDE users, it offers a service that can be accessed
through a DBUS interface to get the same data. There's a rudimentary command
line interface, as well, but it is mainly for testing at this point. The
project page is here:

http://code.google.com/p/socket-sentry/

You may wish to look at the ConnectionProcessCorrelator class in particular,
which implements the logic I'm talking about:

http://code.google.com/p/socket-sentry/source/browse/socketsentry-service/src/ConnectionProcessCorrelator.cpp


Good luck.
-Rob
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
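The correlation Rob describes, as an added example that is not part of this thread or of Socket Sentry: parse /proc/net/tcp into a (local, remote) address:port pair to (inode, uid) table, match a captured packet's source and destination against it in both directions, then find the process whose /proc/<pid>/fd holds socket:[inode]. The /proc/net/tcp rows and the fd link map are constructed sample data, and the address decoding assumes a little-endian host.

```python
import os
import socket
import struct
from typing import Dict, Optional, Tuple

# Constructed sample of /proc/net/tcp with the same column layout as the line quoted in the mail.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  49: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 6703 2 ffff880123d0c000 0
  50: 0100007F:1F90 0100007F:C36A 01 00000000:00000000 00:00000000 00000000  1000        0 8821 1 ffff880123d0d000 0
"""
# Constructed stand-in for readlink("/proc/<pid>/fd/<n>") results: (pid, fd) -> link target.
SAMPLE_FD_LINKS = {(4242, 5): "socket:[8821]", (4242, 0): "/dev/pts/3", (1234, 3): "socket:[6703]"}
Endpoint = Tuple[str, int]  # e.g. ("127.0.0.1", 8080)

def parse_proc_addr(field: str) -> Endpoint:
    """Decode 'AABBCCDD:PPPP'. The IPv4 word is printed in host byte order, so on a
    little-endian (x86) host it reads reversed: 0100007F is 127.0.0.1. The port is plain hex."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def connection_table(text: str) -> Dict[Tuple[Endpoint, Endpoint], Tuple[int, int]]:
    """(local, remote) -> (inode, uid). Columns: sl local rem st tx:rx tr:when retrnsmt uid timeout inode."""
    table = {}
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) >= 10:
            table[(parse_proc_addr(cols[1]), parse_proc_addr(cols[2]))] = (int(cols[9]), int(cols[7]))
    return table

def lookup_packet(table: Dict, src: Endpoint, dst: Endpoint) -> Optional[Tuple[int, int]]:
    """Match a packet both ways (outbound: src is local; inbound: dst is local). 'sl' is only a hash
    slot; the local+remote pair identifies the connection. Listeners (remote 0.0.0.0:0) never match."""
    return table.get((src, dst)) or table.get((dst, src))

def pid_for_inode(fd_links: Dict[Tuple[int, int], str], inode: int) -> Optional[int]:
    """First pid whose fd table holds 'socket:[inode]'. Sockets can be shared (fork, fd passing)."""
    return next((pid for (pid, _fd), link in fd_links.items() if link == f"socket:[{inode}]"), None)

def live_fd_links() -> Dict[Tuple[int, int], str]:
    """Same shape as SAMPLE_FD_LINKS, read from the real /proc (needs privileges for other users' processes)."""
    links = {}
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                links[(int(pid), int(fd))] = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:
            pass  # process exited meanwhile, or not readable by us
    return links
```

The same lookup applies to /proc/net/udp and the IPv6 tables (tcp6/udp6 use 32 hex digits per address), and the fd walk must be repeated often because inode-to-pid mappings change as sockets open and close.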


