tcpdump mailing list archives
Re: bandwidth by user or process id
From: Rob Hasselbaum <rob () hasselbaum net>
Date: Mon, 4 Oct 2010 16:35:02 -0400
On Mon, Oct 4, 2010 at 10:53 AM, Patrick Kurz <kurzpatrick () ymail com> wrote:
One more question: which part of a line from /proc/net/tcp like the following has a unique counterpart in the packet captured with pcap?

sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode ref pointer drops
49: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 6703 2 ffff880123d0c000 0

For typical point-to-point IP traffic, the combination of local address, local port, remote address, remote port, and transport protocol (TCP or UDP) is the closest thing you have to a unique key. To get those fields out of the raw packet data, you have to implement some decoding of the packets. Socket Sentry does this based loosely on code from tcpdump. (See DataLinkPacketDecoder and its subclasses as well as the InternetProtocolDecoder class.) Alternatively, you could just use tcpdump. ;-)
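
The matching described in the reply above, as an added example that is not part of the original message and not Socket Sentry's or tcpdump's code: it derives the five-field key from a /proc/net/tcp row and from a captured frame, then looks the frame up in either direction. Assumptions: IPv4 over Ethernet II only, a little-endian host, and hypothetical function names; the sample row and frames are constructed.

```python
import socket
import struct

PROTO = {6: "tcp", 17: "udp"}
# Constructed sample row in /proc/net/tcp layout (uid 1000, inode 6703).
PROC_ROW = ("   1: 0A01A8C0:C350 0101A8C0:0050 01 00000000:00000000 "
            "00:00000000 00000000  1000        0 6703 1 ffff880123d0c000")

def proc_key(row, proto):
    """One table row -> ((proto, local, lport, remote, rport), (uid, inode))."""
    f = row.split()
    def endpoint(field):
        addr_hex, port_hex = field.split(":")
        # Assumption: little-endian host, so the IPv4 bytes are printed reversed.
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        return ip, int(port_hex, 16)
    return (proto, *endpoint(f[1]), *endpoint(f[2])), (int(f[7]), int(f[9]))

def packet_key(frame):
    """Ethernet II + IPv4 + TCP/UDP -> (proto, src, sport, dst, dport), else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # too short, or not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    frag_off = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    if ip[9] not in PROTO or ihl < 20 or frag_off or len(ip) < ihl + 4:
        return None  # other protocol, bad header, or a fragment without ports
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (PROTO[ip[9]], socket.inet_ntoa(ip[12:16]), sport,
            socket.inet_ntoa(ip[16:20]), dport)

def owner(frame, table):
    """Return (uid, inode, direction) for the socket a frame belongs to, or None."""
    key = packet_key(frame)
    if key is None:
        return None
    proto, src, sport, dst, dport = key
    # The packet's source is the local end when outbound, its destination when inbound.
    for k, direction in ((key, "out"), ((proto, dst, dport, src, sport), "in")):
        if k in table:
            return (*table[k], direction)
    return None

def sample_frame(src, sport, dst, dport, proto=6):
    """Constructed frame: zeroed MACs and checksums, 20-byte IPv4 header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + b"\x00" * 16

TABLE = dict([proc_key(PROC_ROW, "tcp")])
```

A row with wildcard addresses, such as the quoted `00000000:0044 00000000:0000` line, matches no packet's exact tuple; attributing its traffic needs a fallback lookup on protocol and local port.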