Wow! ephemeral ports! that was quick and dirty :)

The downside of your approach is that:

1) it is "ephemeral port" based, not "process based" ... allow me to demonstrate:
- iexplorer.exe communicated to google.com:80 using "ephemeral port:12345", got what it was looking for, connection FIN, 12345 traffic does not belong to iexplorer.exe anymore... another process runs ... and used 12345, we have a problem "I know this is a low possibility, and I know that I may pair the process:port pair as the filename to avoid confusion, but I hope you got my point".

2) we have to keep an infinite loop running to iterate through "netstat" and parse results, then start tcpdump for each new ephemeral port "one process may be communicating to many hosts", then keep track of the spawned tcpdump(s) so they may be killed when the "communicating-process-specific-ephemeral-port" ends communications; this is guaranteed to kill all the cores the box has "it's not only the loop", and will *surely* miss lots of stuff since the loop might not be quick enough, needless to say that mergecap-ing is going to be messy.

3) Fire-and-forget outbound UDP traffic?

I'm glad you had fun ;) I definitely appreciated your idea of utilizing ephemeral ports "thank you", but I will keep looking for something "truly" process oriented that is guaranteed to not miss anything "I don't mind 100% CPU".

Regards,
Sherif.

On Tue, Mar 12, 2013 at 7:18 AM, Hans Kokx <[email protected]> wrote:
> This sounded like an interesting challenge, so I whipped something together
> that seems to work. Maybe it's what you're looking for, or maybe not.
>
> So, the idea I came up with is relatively simple: each process is going to
> open an ephemeral port to connect to the known port of the service. Let's
> take, for example, a simple SOCKS5 proxy I've tossed together over SSH:
>
> nohup ssh -D 8000 -C -N [email protected] >/dev/null 2>&1 &
>
> I typically use this everywhere that's not at home, and push ALL my traffic
> through it. Hey, security.
>
> Anywho, on my mac, I was able to find the ephemeral port that it was using:
>
> $ netstat -ntl|grep 192.168.1.5|grep 22
> tcp4 0 0 192.168.1.156.61697 192.168.1.5.22
> ESTABLISHED
>
> Now we've got an ephemeral port to work with. Some clever awk- and sed- foo
> and you can grab JUST that port.
>
> Capturing the traffic is simple enough….
>
> $ tcpdump src port 61697
>
> So, we've got the traffic for this individual socket, but who does it belong
> to?
>
> $ sudo lsof -i 4tcp:61697
> Password:
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> ssh 17878 hkokx 3u IPv4 0x225a0a58298b9315 0t0 TCP
> 192.168.1.156:61697->myhost.com:ssh (ESTABLISHED)
>
> There's your pid and process name.
>
> This was fun. Thanks for the challenge. :)
> --
> Hans Kokx
>
> On Tuesday, March 12, 2013 at 12:03 AM, Sherif El-Deeb wrote:
>
> I have been trying to figure out a way to "capture/filter" network
> traffic per process, not per host/interface in a windows environment
> "even though I'd be curious to know how that could be done in *n?x/OS
> X".
>
> What I want to achieve is create a PCAP file for each process id that
> was executed and communicated over the network.
>
> help, please.
> Thanks and regards,
>
> Sherif.
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
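As an added example (not code from this thread), the bookkeeping that Sherif's first objection calls for, in Python: socket-table polls (what netstat/lsof return on each iteration) become per-(port, PID) ownership windows, captured packets are bucketed per PID by the window covering their timestamp, and anything no window covers (a port reused between polls, or UDP that never appeared in a poll) is kept as unattributed rather than guessed. All sockets, packets, PIDs and process names are constructed inline.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Socket:      # one row of a netstat/lsof-style poll (constructed data)
    port: int
    pid: int
    name: str

@dataclass(frozen=True)
class Packet:      # one captured packet: timestamp, local port, label
    ts: float
    port: int
    note: str

def build_windows(snapshots):
    """snapshots: [(ts, [Socket, ...]), ...] in poll order. Returns
    {port: [(start, end, pid, name)]}; end is the first poll where the socket
    was gone (None while open), so precision is bounded by the poll interval."""
    windows, open_since = defaultdict(list), {}
    for ts, socks in snapshots:
        present = {(s.port, s.pid) for s in socks}
        for s in socks:
            open_since.setdefault((s.port, s.pid), (ts, s.name))
        for key in list(open_since):
            if key not in present:                    # socket has gone away
                start, name = open_since.pop(key)
                windows[key[0]].append((start, ts, key[1], name))
    for (port, pid), (start, name) in open_since.items():
        windows[port].append((start, None, pid, name))
    return windows

def attribute(packets, windows):
    """Bucket packets per owning PID; unattributable ones are kept, not guessed."""
    per_pid, unknown = defaultdict(list), []
    for p in packets:
        owner = next((pid for start, end, pid, _ in windows.get(p.port, [])
                      if start <= p.ts and (end is None or p.ts < end)), None)
        (unknown if owner is None else per_pid[owner]).append(p)
    return dict(per_pid), unknown
# Constructed data: port 12345 used by iexplore.exe, released, then reused
# by another process; a UDP packet on port 53 that no poll ever observed.
SNAPSHOTS = [(0.0, [Socket(12345, 100, "iexplore.exe")]), (10.0, []),
             (20.0, [Socket(12345, 200, "updater.exe")])]
PACKETS = [Packet(1.0, 12345, "GET /"), Packet(15.0, 12345, "stray"),
           Packet(21.0, 12345, "POST /update"), Packet(5.0, 53, "DNS query")]
def demo():
    per_pid, unknown = attribute(PACKETS, build_windows(SNAPSHOTS))
    return {pid: [p.note for p in pk] for pid, pk in per_pid.items()}, [p.note for p in unknown]
```

The unattributed list is the part worth keeping an eye on in practice: it is exactly the traffic a netstat/tcpdump polling loop would silently misfile or miss.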
