How can I capture network packets per PID?


Problem description


Anyone know an easy way to ask Linux to "display every internet packet to/from google chrome" or "display every internet packet to/from telnet process with PID 10275"?


The telnet example is not too useful, since I can just use wireshark or tcpdump to see all TCP conversations involving port 23. That and nobody uses telnet anymore. But sniffing all packets to/from complex applications which use many ports seems like a useful thing.


I found some related answers exploring different ways to corroborate ports and PIDs (or program names) and such, but nothing about packets:

  • How to tie a network connection to a PID without using lsof or netstat?
  • How I can get ports associated to the application that opened them?
  • How to do like "netstat -p", but faster?


Looks like someone might have been willing to pay for this answer a while back:


NetHogs is useful for quickly seeing what programs are creating traffic over an interface, but it doesn't have a way to capture packets.

Recommended answer


Not directly a tcpdump, but it can give you info about the network traffic; check https://bytefreaks.net/gnulinux/how-to-capture-all-network-traffic-of-a-single-process

strace -f -e trace=network -s 10000 <PROCESS WITH ARGUMENTS>;


If the process is already started and you know its PID, you can use the following:

strace -f -e trace=network -s 10000 -p <PID>;


Another alternative is more complex, using network namespaces; check the above link or use the tool nsntrace, but either can only work on a new process, you cannot change an existing process's network namespace (AFAIK).
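To show what the strace approach above actually yields, here is an added example (not from the answer or the linked article) that turns `strace -f -e trace=network` output into per-PID, per-peer byte counts; the trace lines, PIDs and 192.0.2.x addresses are constructed for the demonstration. It is syscall-level accounting, not a packet capture, and it only sees socket syscalls.

```python
import re
from collections import defaultdict

# Constructed sample of `strace -f -e trace=network -s 10000 -p <PID>` output; not a real
# capture. Addresses are taken from the documentation range 192.0.2.0/24.
SAMPLE_TRACE = """\
[pid 10275] socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
[pid 10275] connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
[pid 10275] sendto(3, "GET / HTTP/1.1\\r\\nHost: example\\r\\n\\r\\n", 33, MSG_NOSIGNAL, NULL, 0) = 33
[pid 10275] recvfrom(3, "HTTP/1.1 200 OK\\r\\n", 16384, 0, NULL, NULL) = 17
[pid 10276] socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
[pid 10276] sendto(4, "\\x12\\x34", 2, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 2
[pid 10276] recvfrom(4, "\\x12\\x34\\x81\\x80", 512, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, [16]) = 4
[pid 10276] sendto(4, "", 0, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = -1 EAGAIN (Resource temporarily unavailable)
"""

# "[pid N] " is only printed when several tasks are traced (e.g. with -f); then: call(fd, ...) = ret
LINE_RE = re.compile(r'^(?:\[pid\s+(\d+)\]\s+)?(\w+)\((\d+)(?:,\s*(.*))?\)\s*=\s*(-?\d+)')
ADDR_RE = re.compile(r'sin_port=htons\((\d+)\),\s*sin_addr=inet_addr\("([\d.]+)"\)')

def summarize(trace, default_pid):
    """Return {(pid, "ip:port"): {"sent": bytes, "received": bytes}} from strace text.

    Caveats: -e trace=network covers socket syscalls only, so data moved with plain
    read()/write() on a connected socket is invisible here; peers are keyed by (task id, fd),
    so a connect() in one thread and a sendto() in another thread of the same process
    will show up under "fdN" rather than under the address."""
    peers = {}                                   # (pid, fd) -> peer learned from connect()
    totals = defaultdict(lambda: {"sent": 0, "received": 0})
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                             # socket(), setsockopt(), ...: no fd as first arg
        pid = int(m.group(1) or default_pid)
        call, fd, args, ret = m.group(2), int(m.group(3)), m.group(4) or "", int(m.group(5))
        addr = ADDR_RE.search(args)
        peer = f"{addr.group(2)}:{addr.group(1)}" if addr else None
        if call == "connect" and peer:
            peers[(pid, fd)] = peer              # recorded even for -1 EINPROGRESS (non-blocking)
        elif call in ("sendto", "sendmsg", "recvfrom", "recvmsg") and ret >= 0:
            key = (pid, peer or peers.get((pid, fd), f"fd{fd}"))   # UDP carries the address inline
            direction = "sent" if call.startswith("send") else "received"
            totals[key][direction] += ret        # failed calls (ret < 0) moved no bytes
    return dict(totals)

if __name__ == "__main__":
    for (pid, peer), n in sorted(summarize(SAMPLE_TRACE, 10275).items()):
        print(f"pid {pid} <-> {peer}: sent {n['sent']} B, received {n['received']} B")
```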
