I want to monitor and log all traffic that a specific process produces.
I know about tcpdump, but it seems it doesn't support filtering by process (pid/path, or at least user).
It there any other way to log all traffic from a process? Ideally I should be able to filter ports as well.
Thanks!
You should use strace command:
strace -o /tmp/network.out -e trace=network -fp <PID>
Related
Is there an auditing tool to check which and when ports are opened and closed on Linux?
My goal is to run my application and check its ports usage.
lsof or netstat don't fit because they just tell me which ports are currently opened, and looping on such command won't give me accurate results...
strace -f -e trace=bind mvn install
strace will displays the bind sytem call each time my application an the children processes open a port.
I want to check the network bandwidth used by my process.
For this i found that nethogs tool is useful. Using this tool i can see which process is eating up a network bandwidth and process behaviour.
But how do I capture data from nethogs for a my process and store it into log file ?
You can run nethogs in background in tracemode and write output to a file like this:
sudo nethogs -t eth1 &> /var/tmp/nethogs.log &
Download and build the nethogs-parser as described here.
Then after you have accumulated enough data you can run the parser to see the results:
./hogs -type=pretty /var/tmp/nethogs.log
Make sure to kill the running nethogs process when you are done collecting data.
More info here on automating the task.
I dont know when these options got implemented but you can use nethogs -t or nethogs -b, the pid and user are strangely placed at the end of the pid command string, but easy enough to parse.
I think you need to use the latest cvs version 0.8.1-SNAPSHOT
You can use this command to capture output:
nethogs -d 5 | sed 's/[^[:print:][:cntrl:]]//g' > output.txt
The right command of nethogs is
nethogs -d 1 eth0 > output.txt
You need to specify the network interface otherwise, the default interface eth0 will be used. Sometime, nethogs might not show the proper output because of the network interface. It is always better to provide the network interface and generate some traffic during the experimentation. You can print the output to a file by adding > output.txt
-d argument specifies how frequently the output will be shown. Here, I gave 1, this indicates that the output will be shown per second.
Hope this might be useful.
i want to control the TTYs (serial port )used by applications on my pc.
there is an applications that shows the status of each port by indicating the processes which are using?
Thanks a lot!
Try to use the command lsof.
lsof /dev/ttyX
To get the PID directly, use:
lsof -Fp /dev/ttyX
How would I track the CPU and Ram usage for a process that may run, stop, and then re-run with a different PID?
I am looking to track this information for all processes on a Linux server but the problem is when the process stops and restarts, it will have a different PID and I am not sure how to identify it as the same process.
What you're looking for here is called "process accounting".
http://tldp.org/HOWTO/Process-Accounting/
If you know the command of the process, just pipe it to a grep like this:
ps ux | grep yourcommandgoeshere
You can setup a crontab to record output of commands like
top -b -n1 | grep
ps ux | grep
Alternatively, you can use sealion service. By simply installing agent and configuring it according to your needs in simple steps, you can see output of the executed commands online.
Hope it helps...
I'm trying to use fuser to find the pids of processes I own which have certain TCP ports open.
In the fuser man page it says:
... The most common time this problem occurs is when looking for TCP or UDP sockets when running fuser as a non-root user. In this case fuser will report no access. ...
However, on my Ubuntu box, fuser does report sockets open for processes that I own, e.g.:
perl -MIO::Socket 'IO::Socket::INET->new(Listen => 10, LocalPort => 3000)' &
fuser -n tcp 3000
Question: how are things set up to allow this to happen? Is it a kernel config option?
Thanks!
Note: the question is: how are some linux distros configured so that fuser will report processes owning sockets when fuser is run as a normal user? One one Ubuntu distro "fuser -n tcp 3000" will report a process if I own the process, yet on another linux distro (I think Centos) it won't report the process even if I own it.
fuser goes through the /proc file system (proc(5)) working through the /proc/[pid]/fd/ directory and checking the file descriptors. Processes owned by you have corresponding /proc entries again owned by you. This allows you to check your processes, but not others.
One very useful tool to see what given program is doing is strace(1). For example, you can see what system calls, and with what arguments, are done by the fuser:
~$ strace fuser -n tcp 3000