TCPdump is a very powerful command line interface packet sniffer.

It must be launched as root or with superuser rights because of the its use of the promiscuous mode or to be sure to have sufficent privilileges on a network device or a socket. Wireshark (formerly ethereal) can be used as an alternative to TCPdump but with a GUI interface. Wireshark can be used to read the logs captured by TCPdump too.

Web resources:

http://packetpushers.net/masterclass-tcpdump-basics/

http://www.yourownlinux.com/2013/07/linux-command-tcpdump.html

http://www.tcpdump.org/tcpdump_man.html
http://www.wireshark.org/docs/

How can I capture network traffic of a single process?

Sadly a network sniffing tool works at the lowest level of the net stack, trying to catch everything, it’s completely unaware of processes running on the OS. It’d be extremely difficult to find out what’s originated a certain call. A packet sniffer could eventually figure out (via the port number) a process ID but cannot figure out which process did a DNS lookup as this is completely independent (that’s most probably the kernel net stack that triggered the call). But with filtering and stoping other processes you should be able to achieve your goal

To start and monitor an new process:

strace -f -e trace=network -s 10000 PROCESS ARGUMENTS

To monitor an existing process with a known pid:

strace -p $PID -f -e trace=network -s 10000

strace ping http://www.mycompany.com

netstat -taucp | grep <pid or process name> : That will show the connections an application is making including the port being used

Linux:

netstat -nutp (for outbound connections)
netstat -lnutp (for inbound connections)

Windows:
netstat -anb | more

Read more at http://www.singlehop.com/blog/mastering-the-abuse-process-tracking-down-abusive-activity/#gzTgogFJR7PMRlKu.99

If you want to check what processes are using ports you can try this command : lsof -i   or lsof -p (depending the version)

About these ads