PaulDotCom mailing list archives

Re: PCAP file "per-running-process"


From: Hans Kokx <skipmeister123 () gmail com>
Date: Tue, 12 Mar 2013 00:18:12 -0400

This sounded like an interesting challenge, so I whipped something together that seems to work.  Maybe it's what you're 
looking for, or maybe not.  

So, the idea I came up with is relatively simple: each process is going to open an ephemeral port to connect to the 
known port of the service.  Let's take, for example, a simple SOCKS5 proxy I've tossed together over SSH:

nohup ssh -D 8000 -C -N me () myhost com >/dev/null 2>&1 &

I typically use this everywhere that's not at home, and push ALL my traffic through it. Hey, security.

Anywho, on my mac, I was able to find the ephemeral port that it was using:

$ netstat -ntl|grep 192.168.1.5|grep 22
tcp4       0      0  192.168.1.156.61697    192.168.1.5.22         ESTABLISHED


Now we've got an ephemeral port to work with.  Some clever awk- and sed- foo and you can grab JUST that port.

Capturing the traffic is simple enough….

$ tcpdump src port 61697

So, we've got the traffic for this individual socket, but who does it belong to?

$ sudo lsof -i 4tcp:61697
Password:
COMMAND   PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ssh     17878 hkokx    3u  IPv4 0x225a0a58298b9315      0t0  TCP 192.168.1.156:61697->myhost.com:ssh (ESTABLISHED)


There's your pid and process name.

This was fun. Thanks for the challenge. :)
--  
Hans Kokx
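The manual netstat/lsof/tcpdump steps above, folded into one POSIX shell script as an added example (this is not part of Hans's message or of any project on the page). It parses `lsof -nP -i -a -p PID` output, collects every local port the process holds, deduplicates them, and emits a tcpdump expression so the whole process, not just one socket, lands in a per-PID pcap. The `lsof` column layout, the constructed sample output, and the function names (`local_ports`, `bpf_filter`, `filter_for_pid`, `capture_pid`) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes `lsof -nP` prints
# nine whitespace-separated columns with NODE (TCP/UDP) in $8 and NAME in $9.

# Constructed sample of `sudo lsof -nP -i4TCP -a -p 17878` for an ssh -D proxy:
# one session to the server plus the local SOCKS listener and one client of it.
SAMPLE_LSOF='COMMAND   PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ssh     17878 hkokx    3u  IPv4 0x225a0a58298b9315      0t0  TCP 192.168.1.156:61697->192.168.1.5:22 (ESTABLISHED)
ssh     17878 hkokx    4u  IPv4 0x225a0a58298b9316      0t0  TCP 127.0.0.1:8000 (LISTEN)
ssh     17878 hkokx    5u  IPv4 0x225a0a58298b9317      0t0  TCP 127.0.0.1:8000->127.0.0.1:52001 (ESTABLISHED)'

# local_ports: read lsof output on stdin; print each distinct local port once, numerically sorted.
# Works for "a.b.c.d:port->x.y.z.w:port", "*:port" and bracketed IPv6 "[::1]:port" forms.
local_ports() {
    awk 'NR > 1 && ($8 == "TCP" || $8 == "UDP") {
            name = $9                  # e.g. 192.168.1.156:61697->192.168.1.5:22
            sub(/->.*/, "", name)      # drop the remote endpoint
            sub(/.*:/, "", name)       # keep what follows the last colon: the local port
            if (name ~ /^[0-9]+$/ && !seen[name]++) print name
        }' | sort -n
}

# bpf_filter: join ports from stdin into "port A or port B ..."; empty input yields an empty string.
bpf_filter() {
    awk 'BEGIN { sep = "" }
         { printf "%sport %s", sep, $1; sep = " or " }
         END { print "" }'
}

# demo_filter: run the pipeline over the constructed sample (no privileges needed).
demo_filter() {
    printf '%s\n' "$SAMPLE_LSOF" | local_ports | bpf_filter
}

# filter_for_pid PID: same pipeline against a live process (sudo for other users' processes).
filter_for_pid() {
    lsof -nP -i -a -p "$1" | local_ports | bpf_filter
}

# capture_pid PID: write proc-PID.pcap. Uses "port N" rather than "src port N" so both
# directions are captured, and refuses to run with an empty filter, which would capture everything.
capture_pid() {
    pid=$1
    expr=$(filter_for_pid "$pid") || return 1
    if [ -z "$expr" ]; then
        echo "pid $pid holds no TCP/UDP sockets" >&2
        return 1
    fi
    echo "capturing pid $pid with filter: $expr" >&2
    tcpdump -n -w "proc-$pid.pcap" "$expr"
}

# Usage: sh thisfile.sh 17878   (or call demo_filter to see the sample expression)
[ -n "$1" ] && capture_pid "$1"
```

The filter is a snapshot: if the process reconnects it gets a new ephemeral port and the capture will miss the new flow, and a port freed by this process can later be reused by another one, so check the pcap against a second lsof run before trusting it as "this PID's traffic". On Linux, `-i any` can be added to the tcpdump call to cover every interface; on OS X name the interface explicitly.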


On Tuesday, March 12, 2013 at 12:03 AM, Sherif El-Deeb wrote:

I have been trying to figure out a way to "capture/filter" network
traffic per process, not per host/interface in a windows environment
"even though I'd be curious to know how that could be done in *n?x/OS
X" .
 
What I want to achieve is create a PCAP file for each process id that
was executed and communicated over the network.
 
help, please.
Thanks and regards,
 
Sherif.
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com (mailto:Pauldotcom () mail pauldotcom com)
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
 
 


