On OSX, Little Snitch (commercial desktop firewall) can dump pcaps for selected processes. Only tried it once myself (and I'm not an active little snitch user) but it seems pretty cool and similar to what you're asking for:
http://www.chrisle.me/2012/11/little-snitchs-hidden-pcap-network-sniffer/ Sandro Gauci Penetration tester and security researcher Email: [email protected] Web: http://enablesecurity.com/ PGP: 8028 D017 2207 1786 6403 CD45 2B02 CBFE 9549 3C0C On Tue, Mar 12, 2013 at 1:28 PM, Jim Halfpenny <[email protected]>wrote: > Hi, > Slightly off topic but a useful feature of iptables on Linux is the > ability to filter traffic by user. The link below gives an example of how > to block traffic for a particular user. > > > http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html > > Another great option is --tee which can copy traffic based on whatever > rules you apply. > > > http://www.bjou.de/blog/2008/05/howto-copyteeclone-network-traffic-using-iptables/ > > So if you wanted to record on a per-user basis on Linux (useful for > service/daemon users) you could user ipt_user and tee functions to mirror > that traffic and tcpdump it out there or just use ipt_user to log flows. > Not entirely relevant but I hope it's useful. > > Regards, > Jim > > On 12 March 2013 11:54, Hans Kokx <[email protected]> wrote: > >> > If you add the p parameter to netstat it gives you the process id >> associated with the connection. >> >> In Linux, yeah. Mac doesn't support -p though. :( >> >> -- >> Hans Kokx >> >> On Tuesday, March 12, 2013 at 3:32 AM, Robin Wood wrote: >> >> >> On Mar 12, 2013 4:20 AM, "Hans Kokx" <[email protected]> wrote: >> > >> > This sounded like an interesting challenge, so I whipped something >> together that seems to work. Maybe it's what you're looking for, or maybe >> not. >> > >> > So, the idea I came up with is relatively simple: each process is going >> to open an ephemeral port to connect to the known port of the service. >> Let's take, for example, a simple SOCKS5 proxy I've tossed together over >> SSH: >> > >> > nohup ssh -D 8000 -C -N [email protected] >/dev/null 2>&1 & >> > >> > I typically use this everywhere that's not at home, and push ALL my >> traffic through it. Hey, security. >> > >> > Anywho, on my mac, I was able to find the ephemeral port that it was >> using: >> > >> > $ netstat -ntl|grep 192.168.1.5|grep 22 >> > tcp4 0 0 192.168.1.156.61697 192.168.1.5.22 >> ESTABLISHED >> > >> > Now we've got an ephemeral port to work with. Some clever awk- and >> sed- foo and you can grab JUST that port. >> > >> > Capturing the traffic is simple enough…. >> > >> > $ tcpdump src port 61697 >> > >> > So, we've got the traffic for this individual socket, but who does it >> belong to? >> > >> > $ sudo lsof -i 4tcp:61697 >> > Password: >> > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME >> > ssh 17878 hkokx 3u IPv4 0x225a0a58298b9315 0t0 TCP >> 192.168.1.156:61697->myhost.com:ssh (ESTABLISHED) >> > >> > There's your pid and process name. >> >> If you add the p parameter to netstat it gives you the process id >> associated with the connection. >> >> Robin >> >> > This was fun. Thanks for the challenge. :) >> > -- >> > Hans Kokx >> > >> > On Tuesday, March 12, 2013 at 12:03 AM, Sherif El-Deeb wrote: >> >> >> >> I have been trying to figure out a way to "capture/filter" network >> >> traffic per process, not per host/interface in a windows environment >> >> "even though I'd be curious to know how that could be done in *n?x/OS >> >> X" . >> >> >> >> What I want to achieve is create a PCAP file for each process id that >> >> was executed and communicated over the network. >> >> >> >> help, please. >> >> Thanks and regards, >> >> >> >> Sherif. >> >> _______________________________________________ >> >> Pauldotcom mailing list >> >> [email protected] >> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> >> Main Web Site: http://pauldotcom.com >> > >> > >> > >> > _______________________________________________ >> > Pauldotcom mailing list >> > [email protected] >> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> > Main Web Site: http://pauldotcom.com >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com >> >> >> >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com >> > > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com >
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
