How can I capture network traffic of a single process?

1

This is a dirty hack but I'd suggest either a divert or a log target with iptables for a given UID. eg:

iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner $USER -m tcp -j LOG
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner $USER -m udp -j LOG

It might also be worth looking into something like '--log-tcp-sequence', '--log-tcp-options', '--log-ip-options', '--log-uid' for that log target. Though I suspect that will only help you post process a pcap that includes a ton of other data.

The NFLOG target might be useful if you want to flag packets and then certain tagged packets will be sent over a netlink socket to a process of your choosing. I wonder if that would be useful for hacking up something with wireshark and your specific application running as a specific...

2


Question:

I would like to examine the network traffic being handled by a single process, but simple network captures won't work since I am dealing with such a busy system (lots of other traffic happening at the same time). Is there a way to isolate a tcpdump or wireshark capture to the networking traffic of a single specific process? (Using netstat is insufficient.)


Solution 1:

Indeed there is a way, using the Wireshark filters. But you cannot filter directly by process name or PID (because they are not network quantities).

You should first figure out the protocols and the ports used by your process (the netstat command in the previous comment works well).

Then use Wireshark to filter the inbound (or outbound) port with the one you just retrieved. That should isolate the incoming and outgoing traffic of your process.


Solution 2:

To start and monitor a new process:

strace -f -e...
4

I am looking for a method / hack / kernel module to capture network traffic of a PID and all its forks / child processes.

I have a firefox application that opens some web pages and starts to stream stuff with flash streaming, wmv, or any other streaming protocol, as well as "simple" downloads of img, js and other "static" content.

I'm interested in capturing this traffic and ultimately isolating these streams.

Wireshark does not support capturing by a process id, but I assume this can be worked around (and this is the core of my question). Obviously setting up a full virtual machine and running just firefox with wireshark in it will work, but I'd be much more satisfied with a more lightweight solution, perhaps based on chroot? combined with the iptables owner module.

So ideas or complete solutions would be greatly appreciated.

-- EDIT:

People are rightfully guessing the OS I'm working on: The question is mainly pointed towards a Linux OS, but should...

5

On windows, you should be able to use Microsoft Network Monitor to trace a single process. You'll want to use the ProcessName or ProcessID filters to select just the process you're interested in.

If NetMon does not return results in a format that is usable to you, then you might also try an experimental version of Wireshark that adds support for pid filtering on Windows.

Download: [Wireshark-dev] [PATCH] Filter by local process name

On linux, you should be able to use strace to monitor a single process, but it will likely not be formatted just the way you want. To trace an existing process:

strace -p $PID -f -e trace=network -s $MAXLEN

To start a process with tracing:

strace -f -e trace=network -s $MAXLEN PATH/TO/PROCESS ARGUMENTS

For further info see: man strace

References: Conversation filtering and AskUbuntu capture single...

6

You may dump application generated traffic by different methods:

If you know the ports the application is using, you can run tcpdump or wireshark with specific filtering rules for these ports.

If that is not an option, you may mark application packets using an iptables rule, matching the owner of the process. You may need to create a new user account to completely isolate the process. Then you can capture the traffic that only matches the rule.

You may find more complete information on this related topic: https://askubuntu.com/questions/11709/how-can-i-capture-network-traffic-of-a-single-process

You may also find the program tracedump interesting, as mentioned in the previous topic....

7

I have read a paper which proposes an approach to capture network traffic from a specific Android application. It says "We used tcpdump to collect all the network traffic from the virtual machine. We ported the strace utility to Android to log each networking system call performed by the app. We identified all the threads started by the app using the process id (pid) of the app. Based on this thread information, we can filter out the traffic that does not originate from the app". But I still could not understand the operational principle. So how can I capture network traffic from a specific Android application? Thanks for answering.

8

I am trying to automate the process of capturing network packets sent by a particular application. I don't have a problem on Windows as I am using the Microsoft Network Monitoring tool and that gives all the traffic sent based on the process. Now the problem is that we need to achieve the same result on Mac as well.

We used Wireshark on Mac for capturing network traffic after a long research, but still Wireshark does not capture by process name. We tried some tools that capture based on process name but with very limited information. We need the full packet information to be captured.

What will be the best way to achieve the result on Mac like we are getting on Windows?

What parameters can be used to filter the wanted data...?

I am in fact trying to get the port number used by the process, but is that the right approach? I am not sure we can zero down based on port number.

Any help would be greatly appreciated...

Thanks in...

9

You can also use SandroProxy. It can also capture app flows that do not respect the Android OS proxy settings. There is also an option to create pcap files for SSL flows. Another option creates SSL flows that can be decrypted with Wireshark.

The idea is to intercept http/https flows as a normal proxy or a transparent proxy with the help of iptables, store them as requests/responses or pcap files and forward them further to the server.

How to determine who is making requests: when you have an open socket to the proxy, you must match information from /proc/net/tcp or /proc/net/tcp6 to get the process UID. With this you can get the package names. There can be more than one.

You can examine how to make custom proxy and build one from sources here:

http://code.google.com/p/sandrop/source/browse/projects/SandroProxyPlugin/src/org/sandroproxy/plugin/gui/MainActivity.java

http://code.google.com/p/sandrop/source/browse/projects/SandroProxyPlugin/readme.txt

--- sent by SandroProxy...

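Solution 1 in item 2 ("figure out the ports used by your process, then filter on them") and the /proc/net/tcp matching described in the SandroProxy post above are the same idea: a packet has no PID, but the kernel records which inode each socket is, and /proc/<pid>/fd tells you which inodes a process holds. The script below is an added example, not code from any of the quoted posts or from SandroProxy. It assumes the Linux /proc/net/tcp column layout, 'socket:[INODE]' link targets under /proc/<pid>/fd and a little-endian host; the sample /proc/net/tcp text, PID 4242 and the inode numbers are constructed so it runs offline. It turns the process's local endpoints into a tcpdump/Wireshark capture filter and also reports the owning UIDs, which is what an iptables '-m owner --uid-owner' rule would need.

```python
"""Derive a capture filter for one process from /proc (added example).

Not code from the quoted posts or from SandroProxy. Assumes the Linux
/proc/net/tcp column layout, 'socket:[INODE]' link targets under
/proc/<pid>/fd and a little-endian host; sample data below is constructed.
"""
import os
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed /proc/net/tcp sample: inodes 12345 and 12346 belong to the
# target process (uid 1000); inode 777 is an unrelated root-owned connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0201A8C0:B8C4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 0201A8C0:C35A 0A00020F:0016 01 00000000:00000000 00:00000000 00000000     0        0   777 1 0000000000000000 20 4 30 10 -1
"""

# Constructed stand-in for the symlink targets under /proc/<pid>/fd/ (PID 4242 is made up).
SAMPLE_FD_TARGETS: Dict[int, List[str]] = {
    4242: ["/dev/null", "socket:[12345]", "socket:[12346]"],
    1: ["socket:[777]"],
}


@dataclass(frozen=True)
class SocketRow:
    inode: int
    uid: int
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


def hex_to_ipv4(hex_addr: str) -> str:
    """/proc/net/tcp prints an IPv4 address as 8 hex digits in host byte order."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))  # little-endian host assumed


def parse_proc_net_tcp(text: str) -> List[SocketRow]:
    """Parse /proc/net/tcp text (first line is the header) into SocketRow records."""
    rows: List[SocketRow] = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        laddr, lport = f[1].split(":")
        raddr, rport = f[2].split(":")
        rows.append(SocketRow(int(f[9]), int(f[7]),
                              hex_to_ipv4(laddr), int(lport, 16),
                              hex_to_ipv4(raddr), int(rport, 16)))
    return rows


def socket_inodes_for_pid(pid: int, fd_targets: Optional[Dict[int, List[str]]] = None) -> Set[int]:
    """Collect socket inode numbers from /proc/<pid>/fd, or from a constructed map."""
    if fd_targets is None:
        fd_dir = f"/proc/{pid}/fd"  # needs the same UID as the process, or root
        targets = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
    else:
        targets = fd_targets.get(pid, [])
    return {int(t[8:-1]) for t in targets if t.startswith("socket:[") and t.endswith("]")}


def rows_for_pid(pid: int, proc_net_tcp_text: str,
                 fd_targets: Optional[Dict[int, List[str]]] = None) -> List[SocketRow]:
    """Join the process's socket inodes against the /proc/net/tcp table."""
    inodes = socket_inodes_for_pid(pid, fd_targets)
    return [r for r in parse_proc_net_tcp(proc_net_tcp_text) if r.inode in inodes]


def owner_uids_for_pid(pid: int, proc_net_tcp_text: str,
                       fd_targets: Optional[Dict[int, List[str]]] = None) -> Set[int]:
    """UIDs owning the process's sockets, usable with iptables '-m owner --uid-owner'."""
    return {r.uid for r in rows_for_pid(pid, proc_net_tcp_text, fd_targets)}


def bpf_filter_for_pid(pid: int, proc_net_tcp_text: str,
                       fd_targets: Optional[Dict[int, List[str]]] = None) -> str:
    """Build a capture filter keyed on the process's local endpoints (its side of each socket)."""
    clauses = []
    for r in rows_for_pid(pid, proc_net_tcp_text, fd_targets):
        if r.local_ip == "0.0.0.0":  # wildcard listener: only the port identifies it
            clauses.append(f"port {r.local_port}")
        else:
            clauses.append(f"(host {r.local_ip} and port {r.local_port})")
    if not clauses:
        raise ValueError(f"pid {pid} holds no TCP sockets in the table")
    return "tcp and (" + " or ".join(clauses) + ")"


if __name__ == "__main__":
    import sys
    target_pid = int(sys.argv[1])
    with open("/proc/net/tcp") as fh:  # live table; IPv6 would need /proc/net/tcp6
        live_table = fh.read()
    print(bpf_filter_for_pid(target_pid, live_table))
```

Run it as `sudo tcpdump -i eth0 "$(python3 procfilter.py PID)"` to feed the generated expression to a capture. Two caveats a practitioner should keep in mind: the table is a snapshot, so a process that keeps opening new connections on ephemeral ports needs the filter regenerated (or the iptables owner-match approach from the other answers, which follows the UID rather than the ports), and /proc/net/tcp6 uses 32 hex digits per address, which this IPv4-only parser does not handle.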
10

If you really want to do all this you're in for a lot of work, so let's see if I can break it down for you:

1) You can capture real time network traffic using Wireshark, tshark, dumpcap or tcpdump, which usually results in one or more network trace files (recorded packets) being written to disk. For this you might need a large amount of storage space and a fast PC architecture that is able to write data to the disks as fast as it is coming in on the network card used to capture it.

2) Not really sure what you mean by network parameters - if you decide to capture full packets you'll get everything that was transmitted over the network at the point of capture. Keep in mind that (at least for wired networks) it is usually not possible to have one single capture recording everything that happens in your network, but you'll have to concentrate on one or more specific choke points. Even with wireless installations you might not be able to record everything that is going on since...

11

Questions:

Anyone know an easy way to ask Linux to “display every internet packet to/from google chrome” or “display every internet packet to/from telnet process with PID 10275”?

The telnet example is not too useful, since I can just use wireshark or tcpdump to see all TCP conversations involving port 23. That and nobody uses telnet anymore. But sniffing all packets to/from complex applications which use many ports seems like a useful thing.

I found some related answers exploring different ways to corroborate ports and PIDs (or program names) and such, but nothing about packets.

Looks like someone might have been willing to pay for this answer a while back:

NetHogs is useful for quickly seeing what programs are creating traffic over an interface, but it doesn’t have a way to capture packets.

Answers:

Tcpdump can tell you the PID/process a packet comes from/to.
Throw ‘-k NP’ in your options.

Version supported: tcpdump...

12
First of all, using Wireshark to monitor traffic of others is a significant privacy incursion on the others. You should be sure to discuss this openly with the people who use your network, or at least add it to some sort of service agreement or employee agreement before they use it. If they are given no warning at all that you are monitoring their traffic in this way, it may be illegal in some countries, as it is the digital equivalent of wiretapping.

Second, keep in mind that Wireshark is generally only able to capture traffic that directly involves the computer it is running on. Exceptions include UDP multicasting, which is not commonly used; pings; and DNS.

If you want to use Wireshark to capture packets that are being passed through a router, you will need to run Wireshark _on_ that same router. If this router is a "frisbee" (as I like to call them) -- that is, a small box sold by Linksys, Belkin, etc. that has a preconfigured set of features -- then this is very likely...

13

Network security is one of the main focus areas when creating or monitoring a network. The network administrators carry out random audits of network traffic by capturing the network data and analyzing the packets being transmitted from one host to another. In this article, we will discuss how to capture and analyze network traffic using the NetworkMiner tool, but not until after a quick lesson on packet sniffing.

Sniffing is a technique for gathering network information through capturing network packets. There are two types of sniffing – active sniffing and passive sniffing. In active sniffing, the packet sniffing software sends requests over the network and then in response calculates the packets passing through the network.

Passive sniffing does not rely on sending requests. This technique scans the network traffic without being detected on the network. It can be useful in places where networks are running critical systems like process control, radar systems,...

14

See Also

HTTPNetworkSniffer - Shows HTTP requests/responses sent between the Web browser and the Web server.
NK2Edit - Edit, merge and repair the AutoComplete files (.NK2) of Microsoft Outlook.

Description

NetworkTrafficView is a network monitoring tool that captures the packets that pass through your network adapter, and displays general statistics about your network traffic. The packet statistics are grouped by the Ethernet Type, IP Protocol, Source/Destination Addresses, and Source/Destination ports. For every statistics line, the following information is displayed: Ethernet Type (IPv4, IPv6, ARP), IP Protocol (TCP, UDP, ICMP), Source Address, Destination Address, Source Port, Destination Port, Service Name (http, ftp, and so on), Packets Count, Total Packets Size, Total Data Size, Data Speed, Maximum Data Speed, Average Packet Size, First/Last Packet Time, Duration, and process ID/Name (for TCP connections).

Versions History

Version 2.12: Fixed the 'Service...
15

Related Links

Network Inventory Software - automatically scans all computers on your network and builds reports with details about installed software and hardware, OS and hotfixes, important alerts and other information.
WiFi Site Survey app - Analyze and Troubleshoot Your Wi-Fi Network with NetSpot on Mac OS X.
CurrPorts - Monitoring Opened TCP/IP ports / connections on your network.
SocketSniff - Windows Sockets (WinSock) Sniffer

See Also

NK2Edit - Edit, merge and fix the AutoComplete files (.NK2) of Microsoft Outlook.

Description

SmartSniff is a network monitoring utility that allows you to capture TCP/IP packets that pass through your network adapter, and view the captured data as a sequence of conversations between clients and servers. You can view the TCP/IP conversations in ASCII mode (for text-based protocols, like HTTP, SMTP, POP3 and FTP) or as a hex dump (for non-text-based protocols, like DNS).
SmartSniff provides 3 methods for capturing TCP/IP...
16
Network IPS Evasion Techniques

As discussed in the previous section there are a number of methods to analyze attacks, but to better analyze and choose anti-evasion countermeasures it's important to understand the various evasion techniques used by attackers. Network attackers often use network IPS evasion techniques to attempt to bypass the intrusion detection, prevention, and traffic filtering functions provided by network IPS sensors. Some commonly used network IPS evasion techniques are listed below:

Encryption and Tunneling
Timing Attacks
Resource Exhaustion
Traffic Fragmentation
Protocol-level Misinterpretation
Traffic Substitution and Insertion

Encryption and Tunneling

One common method of evasion used by attackers is to avoid detection simply by encrypting the packets or putting them in a secure tunnel. As discussed now several times, IPS sensors monitor the network and capture the packets as they traverse the network,...

17

In this Wireshark tutorial, Mike Chapple explains how to sniff network traffic and how to learn if your enterprise's network security is lacking.

Wireshark, formerly known as Ethereal, is one of the most powerful tools in a network security analyst's toolkit. As a network packet analyzer, Wireshark can peer inside the network and examine the details of traffic at a variety of levels, ranging from connection-level information to the bits comprising a single packet. This flexibility and depth of inspection allows the valuable tool to analyze security events and troubleshoot network security device issues. It's also priced...

18

Network Monitoring Platforms (NMPs) - Comparison of NMPs, [Contents]

ActionPacked!3 LiveAction is a platform that combines detailed network topology, device, and flow visualizations with direct interactive monitoring and configuration of QoS, NetFlow, LAN, Routing, IP SLA, Medianet, and AVC features embedded inside Cisco devices.

Aggregate Network Manager is an enterprise-grade network/application/performance monitoring platform. It tightly integrates with other smart building management systems, such as physical access control, HVAC, lighting, and time/attendance control.

Airwave Management Platform (AMP) wireless network management software provides centralized control for Wi-Fi networks. Features include: access point configuration management, reporting, user tracking, help desk views, and rogue AP discovery.

AKiPS Network Monitor software provides SNMP monitoring from a single VM at 1 minute resolution on networks ranging in size up...
19

nChronos is designed for monitoring the network traffic in medium and large corporates. It connects to the company's core router or switch and monitors all network traffic, emails and chat sessions, inbound and outbound. Also, it provides the ability to monitor abnormal traffic and alert upon detection of "Suspicious Conversations". Only when network engineers monitor network activities of the entire network at the packet level are they able to identify abnormal network activities and protect their companies from cyber-crime and cyber-attacks.

nChronos can not only alert on a cyber attack, but also record all packet data. This ability helps network engineers to "rewind" and "replay" the actual network activity when it occurs. Companies have video cameras to monitor who physically enters their business after hours; now with nChronos network engineers can monitor and record data activity in a similar manner. The time has come where theft of company assets and intellectual property...

20

This is important for those who are new to network analysis because they need to connect the machine to the right device to capture ALL traffic on a WIRED network. The users of the following product are recommended to read this post:

Capsa Free
Capsa Enterprise
Capsa Professional
nChronos Standard
nChronos Free

If you use Capsa WiFi, you can skip this part and take a look at Getting Started with Capsa WiFi.

Using Colasoft Capsa network analyzer (aka. packet sniffer, network analyzer, protocol sniffer, protocol analyzer) to capture network traffic to analyze and troubleshoot network problems is an important job for network management. The charm of packet analyzer software is that you can use it to listen on a cable (or even a wireless signal) and know what the machines are transmitting and communicating with other hosts and services, without installing any backdoor or keylogger on those machines like a hacker. If you want to use Capsa to capture...

21

The internet is inherently insecure. Whenever you send data across it, there is a chance that that data could be sniffed, and someone could end up with your personal data. Hopefully once you've read this article, you'll have a better understanding of how to prevent this from happening.

When data travels through the internet, it needs to pass through multiple connections to get to its final destination. Most people don't realise that the data can be read by any machine it passes through on this journey.

With the right tools, you can sniff this data yourself, and any data that passes through your network. This is because most networks actually send data intended for anyone on that network to all machines on your network, and your computer will ignore anything that's not meant for it. This is especially true for most wireless networks, even networks that are 'secured' with WEP/WPA.

Ooh, what's that smell?

Let's try sniffing some of the data on your...

22

Network Innovation Award: ExtraHop EH8000 for operational intelligence

SearchSecurity.com, 3 days ago

It's the information you can extract from that raw data -- the analysis that solves problems or even improves revenue -- that determines the value of a network monitoring or application ...

Your website is under constant attack | ZDNet

ZDNet, 3 days ago

Contrary to those of you who think your website is too small to be noticed, Imperva found the less traffic you get, the more likely you are to be attacked. Honeynet, an international ...

If you’re using an Android phone, Google may be tracking every move you make

Quartz, 1 day ago

Once those tentacles latch on, phones using Android begin silently transmitting data back to the servers of Google, including everything from GPS coordinates to nearby wifi networks, ...

Grumpy Cat wins $710,000 in copyright lawsuit: 'Memes have rights too,' her lawyer says

El Paso Times, 11 hours ago

Grumpy Cat...
