How do I capture network packets per PID?

Posted 2024-12-11 03:15:45 · 1559 characters · 0 views · 0 comments


Comments (5)

肤浅与狂妄 2024-12-18 03:15:45

Not directly a tcpdump, but can give you info about the network traffic, check https://bytefreaks.net/gnulinux/how-to-capture-all-network-traffic-of-a-single-process

strace -f -e trace=network -s 10000 <PROCESS WITH ARGUMENTS>;

If the process is already started and you know its PID you can use the following

strace -f -e trace=network -s 10000 -p <PID>;

Another alternative is more complex, using network namespaces; check the above link or use the tool nsntrace, but either can only work on new processes, you cannot change an existing process's network namespace (AFAIK).

UPDATE:
you can also install the tool bpfcc-tools (search for your distro, many have it included already) and use the command sudo tcptracer-bpfcc -v -p (PID)
While this will not show the packets, it will list network connections for that pid. You can remove the -p (PID) to list all connections per process. This may be useful for those tracking short-lived connections, not the network payload.
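The strace approach above leaves you with a wall of syscall lines rather than a connection list. Here is an added example (not code from the answer above or from the linked article) that reduces `strace -f -e trace=network` output to "which PID talked to which address and port"; the line-format regexes are an assumption about strace's default rendering of sockaddr_in/sockaddr_in6, and the sample lines are constructed, not captured from a real process.

```python
"""Summarise what `strace -f -e trace=network` saw, per PID.

Added example for this thread (not code from the original posts). Pipe
strace's stderr into it, e.g.
    strace -f -e trace=network -s 10000 -p <PID> 2>&1 | python3 strace_net_summary.py
The regexes assume strace's default line layout ("[pid N] call(args) = ret");
the sample lines below are constructed, not captured from a real process.
"""
import re
import sys
from collections import Counter

# With -f, strace prefixes every line with "[pid N]" once a second task appears.
LINE_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)')
# sockaddr_in / sockaddr_in6 as strace renders them (assumed layout)
V4_RE = re.compile(r'sin_port=htons\((\d+)\),\s*sin_addr=inet_addr\("([^"]+)"\)')
V6_RE = re.compile(r'sin6_port=htons\((\d+)\).*?inet_pton\(AF_INET6,\s*"([^"]+)"')


def parse_line(line, default_pid=0):
    """Return (pid, syscall, addr, port, ret) for a connect()/sendto() carrying an
    IPv4 or IPv6 destination; None for other syscalls or AF_UNIX sockets."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m.group('call') not in ('connect', 'sendto'):
        return None
    a = V4_RE.search(m.group('args')) or V6_RE.search(m.group('args'))
    if not a:
        return None
    pid = int(m.group('pid')) if m.group('pid') else default_pid
    return pid, m.group('call'), a.group(2), int(a.group(1)), m.group('ret')


def summarize(lines, default_pid=0):
    """Count destinations per PID. A non-blocking connect() that returns -1
    EINPROGRESS is still an attempted connection, so it is counted too."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line, default_pid)
        if rec:
            pid, _call, addr, port, _ret = rec
            counts[(pid, addr, port)] += 1
    return counts


# Constructed sample: what a small client might produce under `strace -f`.
SAMPLE_LINES = [
    '[pid 21543] socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 3',
    '[pid 21543] connect(3, {sa_family=AF_INET, sin_port=htons(443), '
    'sin_addr=inet_addr("203.0.113.10")}, 16) = -1 EINPROGRESS (Operation now in progress)',
    r'[pid 21544] sendto(4, "\x9a\x1b\x01\x00", 4, MSG_NOSIGNAL, {sa_family=AF_INET, '
    r'sin_port=htons(53), sin_addr=inet_addr("192.0.2.1")}, 16) = 4',
    '[pid 21543] connect(6, {sa_family=AF_UNIX, sun_path="/run/dbus/system_bus_socket"}, 110) = 0',
    '[pid 21544] connect(7, {sa_family=AF_INET6, sin6_port=htons(443), sin6_flowinfo=htonl(0), '
    'inet_pton(AF_INET6, "2001:db8::10", &sin6_addr), sin6_scope_id=0}, 28) = 0',
]

if __name__ == '__main__':
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for (pid, addr, port), n in sorted(summarize(src).items()):
        print(f'pid {pid:>6}  {addr}:{port}  x{n}')
```

Without a `[pid N]` prefix (single-threaded process, or strace run without `-f`) every line is attributed to `default_pid`, so pass the traced PID there. The AF_UNIX connect in the sample is deliberately dropped: it is local IPC, not something a packet capture would ever show.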

执手闯天涯 2024-12-18 03:15:45

In my case I wanted to capture syslog traffic but only from rsyslog. It only had one listening port under lsof -p $(pidof rsyslog) and always used that as the source port, so I was able to get the packets using:

tcpdump -i eth0 -A "host 10.0.0.100 and dst port 514 and src port $(lsof -i 4 -a -p `pidof rsyslogd` | grep -Po '(?<=\*:)[0-9]*') and udp"

The grep uses a positive lookbehind assertion to turn the *:portnumber into just the port number.

忆伤 2024-12-18 03:15:45

I would use lsof -i to get the port numbers associated with the application I want.
The code would be like this:

#!/bin/bash
shopt -s extglob   # required for the +([a-zA-Z]) pattern below
process=firefox
# lsof -i prints one line per socket; the NAME column holds host:port(-remote).
# Field numbers depend on your lsof version/output width, so verify them first.
for _port in `lsof -i | grep $process | cut -d' ' -f18 | cut -d: -f2 | cut -d'-' -f1`
do
    port=$_port
    # lsof shows service names (e.g. "https") unless -P is given; map a name back
    # to its number via /etc/services (double quotes so $_port actually expands)
    [[ "$_port" == +([a-zA-Z]) ]] && port=`grep "^$_port" /etc/services | cut -d' ' -f12 | cut -d'/' -f1 | uniq | head -n 1`

    echo "tcpdump -w ${port}.pcap port $port &"
    tcpdump -w ${port}.pcap port $port &
done

Note that the output of the commands might be different on different versions/distributions. Therefore, you'd better check the right fields are cut before using the script.

Also, this script does not monitor the ports that are opened later. For that, I would consider a more complicated script that checks ports regularly (using something like watch).

And remember to kill all of the tcpdump processes afterwards.
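Both this answer and the rsyslog answer above rest on the same step: find the local ports a PID currently owns, then hand them to tcpdump as a filter. The lsof/cut pipeline is fragile across lsof versions, so here is an added example (not code from either answer) that does the same mapping directly from procfs: each `/proc/PID/fd` entry pointing at `socket:[INODE]` is looked up in the inode column of `/proc/net/tcp`, `/proc/net/udp` and their IPv6 tables. It assumes a Linux procfs and the little-endian address encoding those tables use on x86/ARM; the table contents below are constructed samples.

```python
"""Build a tcpdump filter from the sockets a PID currently holds open.

Added example for this thread (not code from the original posts). It does by
hand what `lsof -i -a -p PID` does. Assumptions: a Linux procfs, and
little-endian address encoding in /proc/net/* (true on x86/ARM).
Run as:  python3 pid_ports.py <PID>
"""
import os
import re
import socket
import sys


def hex_to_ip(h):
    """/proc/net/* stores addresses as host-order hex; IPv6 as four such words."""
    if len(h) == 8:
        return socket.inet_ntoa(bytes.fromhex(h)[::-1])
    raw = b''.join(bytes.fromhex(h[i:i + 8])[::-1] for i in range(0, 32, 8))
    return socket.inet_ntop(socket.AF_INET6, raw)


def parse_proc_net(text):
    """Map socket inode -> (local_ip, local_port) from one /proc/net table."""
    table = {}
    for line in text.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) < 10:
            continue
        hexip, hexport = f[1].rsplit(':', 1)
        table[int(f[9])] = (hex_to_ip(hexip), int(hexport, 16))
    return table


def socket_inodes(pid):
    """Inodes of every socket fd the process holds (needs the same uid or root)."""
    inodes = set()
    fd_dir = f'/proc/{pid}/fd'
    for fd in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, fd))
        except OSError:
            continue                              # fd closed while we looked
        m = re.fullmatch(r'socket:\[(\d+)\]', target)
        if m:
            inodes.add(int(m.group(1)))
    return inodes


def ports_for_inodes(inodes, tables):
    """tables: {'tcp': text, 'udp': text, 'tcp6': ..., 'udp6': ...}.
    Returns {'tcp': {ports}, 'udp': {ports}}, skipping port 0 (a socket that
    is not bound yet has no port to filter on)."""
    ports = {}
    for proto, text in tables.items():
        found = {port for inode, (_ip, port) in parse_proc_net(text).items()
                 if inode in inodes and port != 0}
        if found:
            ports.setdefault(proto.rstrip('6'), set()).update(found)
    return ports


def bpf_filter(ports):
    """e.g. '(tcp port 631) or (udp port 514)'; 'port' matches both directions."""
    return ' or '.join(f'({proto} port {p})'
                       for proto in sorted(ports) for p in sorted(ports[proto]))


# Constructed samples in /proc/net/tcp and /proc/net/udp layout.
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_UDP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  123: 00000000:0202 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 555 2 0000000000000000 0
"""

if __name__ == '__main__':
    pid = int(sys.argv[1])
    tables = {}
    for proto in ('tcp', 'tcp6', 'udp', 'udp6'):
        with open(f'/proc/net/{proto}') as fh:
            tables[proto] = fh.read()
    expr = bpf_filter(ports_for_inodes(socket_inodes(pid), tables))
    # Snapshot only: ports the process opens later are not in this filter.
    print(f"tcpdump -i any -w pid{pid}.pcap '{expr}'")
```

The result has the same limitation the answer points out: it is a snapshot, so a client that opens fresh ephemeral ports later will not be covered unless you rebuild the filter periodically. It also only identifies local ports, so another process sharing the same port number (SO_REUSEPORT, or a port recycled after the process exits) would land in the same capture.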

爱已欠费 2024-12-18 03:15:45

https://github.com/comboshreddies/py-strace2pcap

do 
strace -f -yy -xx -ttt -T | ./py-strace2pcap.py record_file.pcap

一杆小烟枪 2024-12-18 03:15:45

Tcpdump can tell you the PID/process a packet comes from/to.
Throw '-k NP' in your options.

Version supported: tcpdump version 4.3.0 -- Apple version 56
