I would like to figure out which processes are communicating with which websites over a period of time. All I found were programs like ss that list the connections open at this instant and then exit.
What I actually want is something like Wireshark, but one that would log process names.
Is there really no such program?
Best Answer
If you have a recent kernel (preferably at least 4.9, but apparently some things work at 4.2), then you can take advantage of the new dtrace facility that allows you to intercept every tcp connect() call in the kernel and show the process id, remote ip address and port. Since this does not poll, you will not miss any short-lived connections. From the Brendan Gregg blog of 2016 typical output is
Further examples are in the bcc-tools package source. Built packages to install are available for several distributions or you can follow the compilation instructions.
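As an added example (not part of the answer above or of bcc-tools), the script below turns tcpconnect-style output into a per-process summary of destinations, which is the "over a period of time" view the question asks for. The column layout (optional TIME(s), then PID COMM IP SADDR DADDR DPORT) and the sample lines are assumptions constructed for the example.

```python
# Added example: aggregate tcpconnect-style output per process so that a whole
# capture window can be reviewed after the fact. The column layout below is an
# assumption: [TIME(s)] PID COMM IP SADDR DADDR DPORT (TIME(s) only with -t).
from collections import defaultdict

# Constructed sample lines in that layout; not real tool output.
SAMPLE_OUTPUT = """\
TIME(s)  PID    COMM         IP SADDR            DADDR            DPORT
0.000    1479   curl         4  192.0.2.10       198.51.100.7     443
0.412    1479   curl         4  192.0.2.10       198.51.100.7     443
3.250    2210   python3      4  192.0.2.10       203.0.113.5      80
7.813    2210   python3      6  2001:db8::10     2001:db8::25     443
"""

def parse_tcpconnect(text):
    """Yield one dict per data row, skipping the header and blank lines."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("TIME") or fields[0] == "PID":
            continue
        offset = 1 if len(fields) == 7 else 0   # a 7th column means -t was used
        yield {
            "time": float(fields[0]) if offset else None,
            "pid": int(fields[offset]),
            "comm": fields[offset + 1],
            "daddr": fields[offset + 4],
            "dport": int(fields[offset + 5]),
        }

def summarize(text):
    """Map (pid, comm) -> {(daddr, dport): connection count} for the capture."""
    summary = defaultdict(lambda: defaultdict(int))
    for row in parse_tcpconnect(text):
        summary[(row["pid"], row["comm"])][(row["daddr"], row["dport"])] += 1
    return {proc: dict(dests) for proc, dests in summary.items()}

if __name__ == "__main__":
    # Typical use: tcpconnect -t > capture.log, then feed the file to summarize().
    for (pid, comm), dests in summarize(SAMPLE_OUTPUT).items():
        for (addr, port), n in sorted(dests.items()):
            print(f"{comm}[{pid}] -> {addr}:{port} x{n}")
```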