Home / server / Questions / 196977
Accepted
halp
Asked: 2010-11-02 08:42:41 +0800 CST

How to log all remote destinations a networking process is exchanging data with?

  • 772

When a process is exchanging data over network, I can think of at least the following parameters:

  • a remote host:port pair - it identifies the remote endpoint (there's also the local host:port pair, but the port is generally randomized for outgoing connections, so I don't need it)
  • is it TCP or UDP traffic
  • is it incoming or outgoing traffic

How can I log all this data for a certain process during its whole lifetime? I need this on Linux. I'm not trying to block some traffic, just to log the above details.

As I understand, a network sniffer alone won't do it, since when an IP packet is coming from outside, the sniffer has no idea about which process the packet is for (since this is another layer, the application layer IIRC).

linux networking

3 Answers

  1. I'm not sure if this could be usefull to you, but alternatives are:

    1) if you know the process ID (PID):

     $ lsof -ni4 -p <PID>
    • -n: numeric output (does not lookup host or port)
    • -i4: internet files (open sockets), ipv4

    This will show you only connections initiated from you host.

    2) Another way is to use iptables with LOG target and module owner (-m owner). Something like:

    # iptables -A OUTPUT -m owner <USER ID> -j LOG '[ Some Tag ]'
# iptables -A INPUT -p tcp --dport <SERVICE PORT> -j LOG '[ Some Tag input ]'
# iptables -A INPUT -p udp --dport <SERVICE PORT> -j LOG '[ Some Tag input ]'

    You could grep your syslog for the specified tag. This approach does not allow you to specify a process id, but if it is a daemon that only runs this service, could be what you want.

    • 0
  2. Best Answer

    If this is just for one process you could run the process under the control of strace and log the data. strace will show all of the system calls, and you can then postprocess all of the logs to see what your process was up to.

    • 0

  3. Check out "tcpspy". It should do what you want. However, the homepage for the tool isn't currently responding, so you may have to look at it from FSF's listing or the Debian's archive.

    Here's the description:

    tcpspy is an administrator's tool that logs information about incoming and outgoing TCP/IP connections. It's written in C and uses no libpcap functions, unlike tcpdump.

    Connections are selected for logging with rules, similarly to the filter expressions accepted by tcpdump. The following information is logged: username, local address and port, remote address and port, and, optionally, the executable filename.

    At present, only the IPv4 protocol is supported.

    Here's the relevant links:

    And here's the URL listed in the Debian package as the project's homepage:

    • 0