On Mar 12, 2013 4:20 AM, "Hans Kokx" <[email protected]> wrote:
>
> This sounded like an interesting challenge, so I whipped something together that seems to work. Maybe it's what you're looking for, or maybe not.
>
> So, the idea I came up with is relatively simple: each process is going to open an ephemeral port to connect to the known port of the service. Let's take, for example, a simple SOCKS5 proxy I've tossed together over SSH:
>
> nohup ssh -D 8000 -C -N [email protected] >/dev/null 2>&1 &
>
> I typically use this everywhere that's not at home, and push ALL my traffic through it. Hey, security.
>
> Anywho, on my Mac, I was able to find the ephemeral port that it was using:
>
> $ netstat -ntl|grep 192.168.1.5|grep 22
> tcp4       0      0  192.168.1.156.61697    192.168.1.5.22         ESTABLISHED
>
> Now we've got an ephemeral port to work with. Some clever awk- and sed-foo and you can grab JUST that port.
>
> Capturing the traffic is simple enough….
>
> $ tcpdump src port 61697
>
> So, we've got the traffic for this individual socket, but who does it belong to?
>
> $ sudo lsof -i 4tcp:61697
> Password:
> COMMAND   PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
> ssh     17878 hkokx    3u  IPv4 0x225a0a58298b9315      0t0  TCP 192.168.1.156:61697->myhost.com:ssh (ESTABLISHED)
>
> There's your pid and process name.

If you add the p parameter to netstat it gives you the process id
associated with the connection.

Robin

> This was fun. Thanks for the challenge. :)
> --
> Hans Kokx
>
> On Tuesday, March 12, 2013 at 12:03 AM, Sherif El-Deeb wrote:
>>
>> I have been trying to figure out a way to "capture/filter" network
>> traffic per process, not per host/interface, in a Windows environment
>> "even though I'd be curious to know how that could be done in *n?x/OS
>> X".
>>
>> What I want to achieve is create a PCAP file for each process id that
>> was executed and communicated over the network.
>>
>> Help, please.
>> Thanks and regards,
>>
>> Sherif.
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
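Scripting the lsof-then-tcpdump approach from Hans's reply, as an added example that is not code from the thread: it turns the sockets a PID holds into one BPF filter and writes one pcap per PID, capturing both directions rather than only `src port`. It assumes a Linux or macOS host with `lsof` and `tcpdump` installed and root privileges; the lsof output embedded in the script is constructed sample data, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the thread: per-process capture on a *nix host.
# Idea from the thread: find the sockets a PID holds (lsof), then hand those
# ports to tcpdump as a filter and write one pcap per PID. Caveat: the port
# list is a snapshot; connections the process opens later are not captured.

# build_filter: reads `lsof -nP -i -a -p <pid>` output on stdin and prints a
# BPF expression matching every local port the process holds (TCP and UDP).
build_filter() {
  awk 'NR > 1 {                          # skip the COMMAND/PID/... header
         name = $9                       # NAME column, e.g. 10.0.0.5:61697->10.0.0.1:22
         sub(/->.*/, "", name)           # keep the local endpoint only
         sub(/.*:/, "", name)            # strip the host part (also [ipv6]:port)
         proto = tolower($8)             # NODE column: TCP / UDP
         if (name ~ /^[0-9]+$/ && !seen[proto, name]++)
           terms[n++] = proto " port " name
       }
       END {
         for (i = 0; i < n; i++) printf "%s%s", (i ? " or " : ""), terms[i]
         print ""
       }'
}

# capture_pid: builds the filter for a live PID and records both directions
# of its traffic. Assumes lsof, tcpdump and root privileges are available.
capture_pid() {
  pid="$1"
  filter=$(lsof -nP -i -a -p "$pid" | build_filter)
  [ -n "$filter" ] || { echo "pid $pid holds no sockets" >&2; return 1; }
  echo "capturing pid $pid with filter: $filter" >&2
  tcpdump -w "proc-$pid.pcap" "$filter"
}

# Constructed lsof output (not a real capture) so build_filter can be tried
# offline: one SSH session, a SOCKS listener on v4 and v6, and a UDP socket.
SAMPLE_LSOF=$(cat <<'EOF'
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ssh     17878 hkokx    3u  IPv4 0x1001      0t0  TCP 192.168.1.156:61697->192.168.1.5:22 (ESTABLISHED)
ssh     17878 hkokx    5u  IPv4 0x1002      0t0  TCP 127.0.0.1:8000 (LISTEN)
ssh     17878 hkokx    6u  IPv6 0x1003      0t0  TCP [::1]:8000 (LISTEN)
ssh     17878 hkokx    7u  IPv4 0x1004      0t0  UDP *:5353
EOF
)

filter_from_sample() { printf '%s\n' "$SAMPLE_LSOF" | build_filter; }

# With a PID argument, capture that process; otherwise show the sample filter.
if [ -n "${1:-}" ]; then capture_pid "$1"; else filter_from_sample; fi
```

Run it as root with a PID to start capturing; run it without arguments to see the filter it would build from the sample, `tcp port 61697 or tcp port 8000 or udp port 5353`.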
