Michael Welzl wrote:
How do I view all the traffic from a specific process?
A process may open and close sockets, change port numbers
etc. ... is there a way to track all this automatically so that, e.g., I
only see traffic originating from my email client or received by
my web browser?

You're better off using the native syscall trace mechanism. E.g. under Linux, use "strace -e trace=socket,bind,connect,read,write -f command-and-args". You'll get a lot of unrelated output, but what you're looking for should be in there.


Or if you really want the output in pcap format, you could write a shared library to redefine connect(2), bind(2), and close(2) and LD_PRELOAD it. The shared library can do the underlying call and then start tcpdump with args derived from the provided data structure for connect() and bind(), and kill tcpdump for close(). You'll have to play games with dlopen, dlsym, etc., and keep track of which descriptors you are running tcpdump on.

--
Jefferson Ogata <[EMAIL PROTECTED]>
NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]
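An added example of the LD_PRELOAD approach Jefferson sketches, not code from the original thread. The shim interposes connect(), bind() and close() with dlsym(RTLD_NEXT), derives a BPF filter from the sockaddr, forks one tcpdump per descriptor and terminates it when the descriptor is closed. The SOCKCAP_DIR variable, the pcap file naming and the MAX_FDS table size are this example's own choices; tcpdump must be runnable by the same user, so in practice the traced program is run as root or with a capture-capable tcpdump.

```c
/* Build:  cc -shared -fPIC -o sockcap.so sockcap.c -ldl
 * Run:    LD_PRELOAD=./sockcap.so SOCKCAP_DIR=/tmp/caps program args   */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <dlfcn.h>
#include <errno.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef RTLD_NEXT            /* glibc's value, in case _GNU_SOURCE came too late */
#define RTLD_NEXT ((void *)-1l)
#endif

#define MAX_FDS 1024          /* example choice: descriptors we can track */
static pid_t capture_pid[MAX_FDS];   /* tcpdump child per fd, 0 = none */

/* Turn a sockaddr into a tcpdump filter such as "host 10.0.0.5 and port 443".
 * Returns 0 on success, -1 for wildcard ports or non-IP families (AF_UNIX etc.). */
int filter_from_sockaddr(const struct sockaddr *sa, socklen_t len,
                         char *out, size_t outlen)
{
    char ip[INET6_ADDRSTRLEN];
    unsigned port;

    if (sa->sa_family == AF_INET && len >= sizeof(struct sockaddr_in)) {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)sa;
        inet_ntop(AF_INET, &in4->sin_addr, ip, sizeof ip);
        port = ntohs(in4->sin_port);
    } else if (sa->sa_family == AF_INET6 && len >= sizeof(struct sockaddr_in6)) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)sa;
        inet_ntop(AF_INET6, &in6->sin6_addr, ip, sizeof ip);
        port = ntohs(in6->sin6_port);
    } else {
        return -1;
    }
    if (port == 0)           /* ephemeral port: unknown until getsockname() */
        return -1;
    if (strcmp(ip, "0.0.0.0") == 0 || strcmp(ip, "::") == 0)
        snprintf(out, outlen, "port %u", port);         /* wildcard bind */
    else
        snprintf(out, outlen, "host %s and port %u", ip, port);
    return 0;
}

int capture_running(int fd)
{
    return fd >= 0 && fd < MAX_FDS && capture_pid[fd] != 0;
}

static void start_capture(int fd, const char *filter)
{
    const char *dir = getenv("SOCKCAP_DIR");
    char path[256];
    pid_t pid;

    if (fd < 0 || fd >= MAX_FDS || capture_pid[fd] != 0)
        return;
    snprintf(path, sizeof path, "%s/pid%ld-fd%d.pcap",
             dir ? dir : "/tmp", (long)getpid(), fd);
    pid = fork();
    if (pid == 0) {
        unsetenv("LD_PRELOAD");      /* don't trace tcpdump's own sockets */
        execlp("tcpdump", "tcpdump", "-i", "any", "-U", "-w", path, filter, (char *)NULL);
        _exit(127);
    }
    if (pid > 0)
        capture_pid[fd] = pid;
}

static void stop_capture(int fd)
{
    if (!capture_running(fd))
        return;
    kill(capture_pid[fd], SIGTERM);  /* SIGTERM lets tcpdump flush the file */
    waitpid(capture_pid[fd], NULL, 0);
    capture_pid[fd] = 0;
}

int connect(int fd, const struct sockaddr *sa, socklen_t len)
{
    static int (*real_connect)(int, const struct sockaddr *, socklen_t);
    char filter[128];
    int rc;

    if (!real_connect)
        real_connect = (int (*)(int, const struct sockaddr *, socklen_t))dlsym(RTLD_NEXT, "connect");
    /* Start before the real call so the handshake has a chance of being captured */
    if (filter_from_sockaddr(sa, len, filter, sizeof filter) == 0)
        start_capture(fd, filter);
    rc = real_connect(fd, sa, len);
    if (rc != 0 && errno != EINPROGRESS)
        stop_capture(fd);            /* failed connect: no traffic to record */
    return rc;
}

int bind(int fd, const struct sockaddr *sa, socklen_t len)
{
    static int (*real_bind)(int, const struct sockaddr *, socklen_t);
    char filter[128];
    int rc;

    if (!real_bind)
        real_bind = (int (*)(int, const struct sockaddr *, socklen_t))dlsym(RTLD_NEXT, "bind");
    rc = real_bind(fd, sa, len);
    if (rc == 0 && filter_from_sockaddr(sa, len, filter, sizeof filter) == 0)
        start_capture(fd, filter);
    return rc;
}

int close(int fd)
{
    static int (*real_close)(int);

    if (!real_close)
        real_close = (int (*)(int))dlsym(RTLD_NEXT, "close");
    stop_capture(fd);
    return real_close(fd);
}
```

The filter deliberately carries only host and port, so traffic on a connection is captured regardless of which address family tcpdump sees on the "any" pseudo-interface. Limits worth knowing before relying on it: tcpdump needs a moment to attach, so the first packets of a very fast connection can still be missed; descriptors duplicated with dup(2) or inherited across fork(2) are not tracked, so a capture stops at the first close() of that fd number; and a program that calls the raw syscall or a static libc bypasses the shim entirely, which is the case where the strace route above is the only option.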
