I am looking for a method / hack / kernel module to capture the network traffic of a PID and all its forks / child processes.
I have a firefox application that opens some web pages and starts to stream stuff with flash streaming, wmv, or any other streaming protocol, as well as "simple" downloads of img, js and other "static" content.
I'm interested in capturing this traffic and ultimately isolating these streams.
Wireshark does not support capturing by a process id, but I assume this can be worked around (and this is the core of my question). Obviously setting up a full virtual machine and running just firefox with wireshark in it will work, but I'd be much more satisfied with a more lightweight solution, perhaps based on chroot combined with the iptables owner module?
So ideas or complete solutions would be greatly appreciated.
-- EDIT:
People are rightfully guessing the OS I'm working on: the question is mainly aimed at a Linux OS, but should a workable solution be found on Windows / OpenSolaris / MacOSX or any other reasonably hacker-accessible OS, that answer would be accepted.

Take a look at the ULOG target for iptables, combined with the owner match module. It's not quite what you asked for, but if you create a user specifically for your testing and run only the application you're trying to watch as that user, you should be pretty close.
ULOGD, at least as far as I can tell, will write a file with raw packets. I haven't done it myself so I can't vouch for it but it looks like it will do what you want.
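As an added example (not part of the answer above), here is a script that does what the answer describes, but with the NFLOG target instead of ULOG: the ULOG target only ever handled IPv4 and was removed from the kernel in Linux 3.17, and NFLOG is its replacement. The names it uses (a dedicated user called capture, NFLOG group 7, connection mark 0x7, output file /tmp/capture.pcap) are just choices made here. One thing the owner match cannot do on its own is catch the replies, because an incoming packet has no owning socket when it passes the INPUT chain; the script marks the connection with CONNMARK on the first outbound packet and then logs every packet of a marked connection in both directions.

```shell
#!/bin/sh
# Added example, not the answer's own code: log every packet of every
# connection opened by processes running as one dedicated user, via the
# iptables owner match, CONNMARK and the NFLOG target, then record the NFLOG
# group with tcpdump. Assumed names: user "capture", NFLOG group 7,
# connection mark 0x7, output /tmp/capture.pcap.

CAP_USER="${CAP_USER:-capture}"
NFLOG_GROUP="${NFLOG_GROUP:-7}"
CONN_MARK="${CONN_MARK:-0x7}"
PCAP_OUT="${PCAP_OUT:-/tmp/capture.pcap}"

# Print the firewall commands for one uid; $1 is -A (install, appended in this
# order) or -D (remove). The owner match only exists in the OUTPUT chain: the
# kernel knows which socket, and so which uid, is sending, but an incoming
# packet has no owner until it is delivered. So the first outbound packet marks
# the *connection*, and both chains then log every packet of marked connections.
# IPv4 and IPv6 get the same rules.
owner_rules() {
  action="$1"
  uid="$2"
  for ipt in iptables ip6tables; do
    printf '%s %s OUTPUT -m owner --uid-owner %s -j CONNMARK --set-mark %s\n' \
      "$ipt" "$action" "$uid" "$CONN_MARK"
    printf '%s %s OUTPUT -m connmark --mark %s -j NFLOG --nflog-group %s\n' \
      "$ipt" "$action" "$CONN_MARK" "$NFLOG_GROUP"
    printf '%s %s INPUT -m connmark --mark %s -j NFLOG --nflog-group %s\n' \
      "$ipt" "$action" "$CONN_MARK" "$NFLOG_GROUP"
  done
}

# Install the rules, capture until interrupted, and remove the rules on exit.
# tcpdump (with a libpcap built against libnetfilter_log) reads the group as
# the pseudo-interface nflog:<group>; Wireshark/dumpcap list it the same way.
start() {
  uid="$(id -u "$CAP_USER")"
  owner_rules -A "$uid" | sh -e
  trap 'owner_rules -D "$uid" | sh; trap - EXIT INT TERM' EXIT INT TERM
  echo "capturing uid $uid ($CAP_USER) via nflog:$NFLOG_GROUP into $PCAP_OUT" >&2
  tcpdump -i "nflog:$NFLOG_GROUP" -w "$PCAP_OUT"
}

# Remove leftover rules, e.g. after a crash.
stop() {
  owner_rules -D "$(id -u "$CAP_USER")" | sh
}

main() {
  case "$1" in
    show)  owner_rules -A "$(id -u "$CAP_USER")" ;;
    start) start ;;
    stop)  stop ;;
    *)     echo "usage: $0 show|start|stop" >&2; return 2 ;;
  esac
}

# Only dispatch when invoked with a subcommand, so the functions can also be
# sourced from another script.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run it as root: `show` prints the rules without applying them, `start` installs them and runs tcpdump until interrupted (the trap removes the rules on exit), and in another terminal the program is started with `sudo -u capture firefox --no-remote`. The resulting file has link type NFLOG, which Wireshark dissects and filters on the usual http/tcp fields. Everything else that runs as that user is captured too, which is why the user should be dedicated to this purpose.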

Ideally, you could separate out the Firefox traffic by adding another IP address to your machine, and making Firefox use it when opening outbound connections.
This is possible, eg with OpenSSH:
But I couldn't find any command-line option or preferences entry for that in Firefox.
Instead, you could use a simple (local) HTTP proxy, like tinyproxy, again with the proxy using a unique IP address for its outbound traffic. tinyproxy does this with the Bind setting in tinyproxy.conf, eg:
Finally, you could investigate something a bit more lightweight than a full VM. You mentioned iptables so I assume you're using a Linux host; there are a few solutions like LXC and OpenVZ that might do the trick, if HTTP proxying isn't an option for you.

You could set up a http proxy and set Firefox to go through it, then analyze that. If you run the proxy through a different machine (even a VM) that's not doing anything, you could throw Wireshark on that... I would think that that would sufficiently isolate the traffic.

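An added example, not taken from either answer above, of the "lighter than a full VM" route the LXC/OpenVZ suggestion points at: a plain network namespace, which is what those containers use underneath. A program started inside the namespace, together with every process it forks, can only reach the network through the veth pair created here, so tcpdump on the host end of that pair sees exactly that process tree's traffic and nothing else, which is what the question asked for. The namespace name ffcap, the interface names veth-host/veth-ns, the 10.200.7.0/24 subnet, the uplink eth0 and the resolver 9.9.9.9 are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the answers above: run a program (and all its
# children) inside a network namespace whose only way out is a veth pair, and
# capture on the host end of that pair. Assumed names: namespace "ffcap",
# veth pair veth-host/veth-ns, 10.200.7.0/24, uplink eth0, resolver 9.9.9.9.

NS="${NS:-ffcap}"
HOST_IF="${HOST_IF:-veth-host}"
NS_IF="${NS_IF:-veth-ns}"
HOST_IP="${HOST_IP:-10.200.7.1}"
NS_IP="${NS_IP:-10.200.7.2}"
PREFIX="${PREFIX:-24}"
UPLINK="${UPLINK:-eth0}"
DNS="${DNS:-9.9.9.9}"
PCAP_OUT="${PCAP_OUT:-/tmp/ffcap.pcap}"

# The commands that build the namespace, wire it to the host and NAT it out
# through the uplink. Printed rather than executed directly so "show" can
# display them for review before "setup" pipes them into a shell.
# /etc/netns/<ns>/resolv.conf is bind-mounted over /etc/resolv.conf by
# "ip netns exec", so a host resolver on 127.0.0.53 does not break DNS inside.
setup_cmds() {
  cat <<EOF
ip netns add $NS
ip link add $HOST_IF type veth peer name $NS_IF
ip link set $NS_IF netns $NS
ip addr add $HOST_IP/$PREFIX dev $HOST_IF
ip link set $HOST_IF up
ip netns exec $NS ip addr add $NS_IP/$PREFIX dev $NS_IF
ip netns exec $NS ip link set $NS_IF up
ip netns exec $NS ip link set lo up
ip netns exec $NS ip route add default via $HOST_IP
mkdir -p /etc/netns/$NS
printf 'nameserver %s\n' $DNS > /etc/netns/$NS/resolv.conf
sysctl -q -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $NS_IP -o $UPLINK -j MASQUERADE
iptables -A FORWARD -i $HOST_IF -o $UPLINK -j ACCEPT
iptables -A FORWARD -i $UPLINK -o $HOST_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Undo setup_cmds. Deleting the namespace destroys both ends of the veth pair.
teardown_cmds() {
  cat <<EOF
iptables -D FORWARD -i $UPLINK -o $HOST_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -D FORWARD -i $HOST_IF -o $UPLINK -j ACCEPT
iptables -t nat -D POSTROUTING -s $NS_IP -o $UPLINK -j MASQUERADE
ip netns del $NS
rm -rf /etc/netns/$NS
EOF
}

# run <user> <command...>: capture on the host end of the veth pair while the
# command runs inside the namespace as <user>. sudo drops the root that
# "ip netns exec" needs, so the browser itself does not run as root.
run() {
  user="$1"; shift
  tcpdump -i "$HOST_IF" -w "$PCAP_OUT" &
  dumper=$!
  sleep 1                                  # let tcpdump attach first
  ip netns exec "$NS" sudo -u "$user" -- "$@"
  kill "$dumper"
  wait "$dumper" 2>/dev/null || true
}

main() {
  case "$1" in
    show)     setup_cmds ;;
    setup)    setup_cmds | sh -e ;;
    run)      shift; run "$@" ;;
    teardown) teardown_cmds | sh ;;
    *) echo "usage: $0 show|setup|run <user> <cmd...>|teardown" >&2; return 2 ;;
  esac
}

if [ $# -gt 0 ]; then
  main "$@"
fi
```

Typical sequence as root: `./ffcap.sh setup`, then `./ffcap.sh run alice firefox --no-remote -P ffcap` (a separate profile and `--no-remote` stop Firefox from just handing the URL to an instance already running outside the namespace), then `./ffcap.sh teardown`. Since every packet in /tmp/ffcap.pcap came from that process tree, Wireshark's "Follow TCP Stream" on it separates the individual downloads and streams directly. One caveat: abstract Unix sockets belong to the network namespace, so anything that relies on them (some D-Bus session setups) is unreachable from inside; X11 falls back to its filesystem socket and works.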
Install HTTPWatch on your desktop and click record before you start browsing.