PaulDotCom mailing list archives
Re: PCAP file "per-running-process"
From: Jim Halfpenny <jim.halfpenny () gmail com>
Date: Tue, 12 Mar 2013 13:28:13 +0000
Hi, Slightly off topic but a useful feature of iptables on Linux is the ability to filter traffic by user. The link below gives an example of how to block traffic for a particular user. http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html Another great option is --tee which can copy traffic based on whatever rules you apply. http://www.bjou.de/blog/2008/05/howto-copyteeclone-network-traffic-using-iptables/ So if you wanted to record on a per-user basis on Linux (useful for service/daemon users) you could user ipt_user and tee functions to mirror that traffic and tcpdump it out there or just use ipt_user to log flows. Not entirely relevant but I hope it's useful. Regards, Jim On 12 March 2013 11:54, Hans Kokx <skipmeister123 () gmail com> wrote:
If you add the p parameter to netstat it gives you the process idassociated with the connection. In Linux, yeah. Mac doesn't support -p though. :( -- Hans Kokx On Tuesday, March 12, 2013 at 3:32 AM, Robin Wood wrote: On Mar 12, 2013 4:20 AM, "Hans Kokx" <skipmeister123 () gmail com> wrote:This sounded like an interesting challenge, so I whipped somethingtogether that seems to work. Maybe it's what you're looking for, or maybe not.So, the idea I came up with is relatively simple: each process is goingto open an ephemeral port to connect to the known port of the service. Let's take, for example, a simple SOCKS5 proxy I've tossed together over SSH:nohup ssh -D 8000 -C -N me () myhost com >/dev/null 2>&1 & I typically use this everywhere that's not at home, and push ALL mytraffic through it. Hey, security.Anywho, on my mac, I was able to find the ephemeral port that it wasusing:$ netstat -ntl|grep 192.168.1.5|grep 22 tcp4 0 0 192.168.1.156.61697 192.168.1.5.22ESTABLISHEDNow we've got an ephemeral port to work with. Some clever awk- and sed-foo and you can grab JUST that port.Capturing the traffic is simple enough…. $ tcpdump src port 61697 So, we've got the traffic for this individual socket, but who does itbelong to?$ sudo lsof -i 4tcp:61697 Password: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME ssh 17878 hkokx 3u IPv4 0x225a0a58298b9315 0t0 TCP192.168.1.156:61697->myhost.com:ssh (ESTABLISHED)There's your pid and process name.If you add the p parameter to netstat it gives you the process id associated with the connection. RobinThis was fun. Thanks for the challenge. :) -- Hans Kokx On Tuesday, March 12, 2013 at 12:03 AM, Sherif El-Deeb wrote:I have been trying to figure out a way to "capture/filter" network traffic per process, not per host/interface in a windows environment "even though I'd be curious to know how that could be done in *n?x/OS X" . What I want to achieve is create a PCAP file for each process id that was executed and communicated over the network. help, please. Thanks and regards, Sherif. _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- PCAP file "per-running-process" Sherif El-Deeb (Mar 11)
- Re: PCAP file "per-running-process" Hans Kokx (Mar 11)
- Re: PCAP file "per-running-process" Sherif El-Deeb (Mar 11)
- Re: PCAP file "per-running-process" allison nixon (Mar 12)
- Re: PCAP file "per-running-process" Carlos Perez (Mar 12)
- Re: PCAP file "per-running-process" Sherif El-Deeb (Mar 11)
- Re: PCAP file "per-running-process" Robin Wood (Mar 12)
- Re: PCAP file "per-running-process" Hans Kokx (Mar 12)
- Re: PCAP file "per-running-process" Jim Halfpenny (Mar 12)
- Re: PCAP file "per-running-process" Sandro Gauci (Mar 12)
- Re: PCAP file "per-running-process" Sherif El-Deeb (Mar 13)
- Re: PCAP file "per-running-process" allison nixon (Mar 13)
- Re: PCAP file "per-running-process" Frank McClain (Mar 13)
- Re: PCAP file "per-running-process" Hans Kokx (Mar 11)