Re: PCAP file "per-running-process"

[Hans Kokx <skipmeister123 () gmail com>]

> If you add the p parameter to netstat it gives you the process id associated with the connection.

In Linux, yeah. Mac doesn't support -p though. :(  

--  
Hans Kokx


On Tuesday, March 12, 2013 at 3:32 AM, Robin Wood wrote:

>  
> On Mar 12, 2013 4:20 AM, "Hans Kokx" <skipmeister123 () gmail com (mailto:skipmeister123 () gmail com)> wrote:
> > This sounded like an interesting challenge, so I whipped something together that seems to work.  Maybe it's what 
> > you're looking for, or maybe not.
> >
> > So, the idea I came up with is relatively simple: each process is going to open an ephemeral port to connect to the 
> > known port of the service.  Let's take, for example, a simple SOCKS5 proxy I've tossed together over SSH:
> >
> > nohup ssh -D 8000 -C -N me () myhost com (mailto:me () myhost com) >/dev/null 2>&1 &
> >
> > I typically use this everywhere that's not at home, and push ALL my traffic through it. Hey, security.
> >
> > Anywho, on my mac, I was able to find the ephemeral port that it was using:
> >
> > $ netstat -ntl|grep 192.168.1.5|grep 22
> > tcp4       0      0  192.168.1.156.61697    192.168.1.5.22         ESTABLISHED
> >
> > Now we've got an ephemeral port to work with.  Some clever awk- and sed- foo and you can grab JUST that port.
> >
> > Capturing the traffic is simple enough….
> >
> > $ tcpdump src port 61697
> >
> > So, we've got the traffic for this individual socket, but who does it belong to?
> >
> > $ sudo lsof -i 4tcp:61697
> > Password:
> > COMMAND   PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
> > ssh     17878 hkokx    3u  IPv4 0x225a0a58298b9315      0t0  TCP 192.168.1.156:61697->myhost.com 
> > (http://myhost.com):ssh (ESTABLISHED)
> >
> > There's your pid and process name.  
> If you add the p parameter to netstat it gives you the process id associated with the connection.
> Robin
> > This was fun. Thanks for the challenge. :)
> > --  
> > Hans Kokx
> >
> > On Tuesday, March 12, 2013 at 12:03 AM, Sherif El-Deeb wrote:
> > > I have been trying to figure out a way to "capture/filter" network
> > > traffic per process, not per host/interface in a windows environment
> > > "even though I'd be curious to know how that could be done in *n?x/OS
> > > X" .
> > >
> > > What I want to achieve is create a PCAP file for each process id that
> > > was executed and communicated over the network.
> > >
> > > help, please.
> > > Thanks and regards,
> > >
> > > Sherif.
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom () mail pauldotcom com (mailto:Pauldotcom () mail pauldotcom com)
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> >
> >
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom () mail pauldotcom com (mailto:Pauldotcom () mail pauldotcom com)
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com (mailto:Pauldotcom () mail pauldotcom com)
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>  
>  


_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com