Program that can log network traffic by the process and domain names

monitoringnetworking

I would like to figure out which processes are communicating with which websites over a period of time. All what I found programs like ss that list the connections that open this instant and then exit.

What I, actually, want is something like wireshark, but one that would log process names.

Is there really no such a program?

Best Answer

If you have a recent kernel (preferably at least 4.9, but apparently some things work at 4.2), then you can take advantage of the new dtrace facility that allows you to intercept every tcp connect() call in the kernel and show the process id, remote ip address and port.

Since this does not poll, you will not miss any short-lived connections. From the Brendan Gregg blog of 2016 typical output is

# tcpconnect
PID    COMM    IP SADDR            DADDR            DPORT
1479   telnet  4  127.0.0.1        127.0.0.1        23
1469   curl    4  10.201.219.236   54.245.105.25    80
1469   curl    4  10.201.219.236   54.67.101.145    80
1991   telnet  6  ::1              ::1              23
2015   ssh     6  fe80::2000:bff:fe82:3ac fe80::2000:bff:fe82:3ac 22

Further examples are in the bcc-tools package source. Built packages to install are available for several distributions or you can follow the compilation instructions.

Related Solutions

Linux Process Monitoring CPU Kill – Is There a Log of Past Threads That Are Now Closed?

No, not by default. There is such a thing as too much logging (especially when you start risking logging the action of writing a log entry…).

BSD process accounting (if you have it, run lastcomm), if active, records the name of every command that is executed and some basic statistics, but not the arguments.

The audit subsystem is more general and more flexible. Install the audit package and read the SuSE audit guide (mostly the part about rules), or try

auditctl -A exit,always -F path=/usr/bin/java -S execve

Or: instead of killing it, kill -STOP it. The STOP suspends the process, no questions asked. You get the option to resume (kill -CONT) or terminate (kill -KILL) later. As long as the process is still around, you can inspect its command line (/proc/12345/cmdline), its memory map (/proc/12345/maps) and so on.

Or: attach a debugger to the process and pause it. It's as simple as gdb --pid 12345 (there may be better options for a Java process); attaching a debugger immediately pauses the process (if you exit the debugger, the process receives a SIGCONT and resumes).

Note that all this only catches OS-level processes, not JVM threads. You need to turn to JVM features to debug threads.

Process Monitoring – Print PIDs and Names of Processes as They Are Created

Linux-specific answer:

perf-tools contains an execsnoop that does exactly this. It uses various Linux-specific features such as ftrace. On Debian, its in the perf-tools-unstable package.

Example of me running man cat in another terminal:

root@Zia:~# execsnoop 
TIME        PID   PPID ARGS
17:24:26  14189  12878 man cat 
17:24:26  14196  14189 tbl 
17:24:26  14195  14189 preconv -e UTF-8 
17:24:26  14199  14189 /bin/sh /usr/bin/nroff -mandoc -Tutf8 
17:24:26  14200  14189 less 
17:24:26  14201  14199 locale charmap 
17:24:26  14202  14199 groff -mtty-char -Tutf8 -mandoc 
17:24:26  14203  14202 troff -mtty-char -mandoc -Tutf8 
17:24:26  14204  14202 grotty

I doubt there is a portable way to do this.

Best Answer

Related Solutions

Linux Process Monitoring CPU Kill – Is There a Log of Past Threads That Are Now Closed?

Process Monitoring – Print PIDs and Names of Processes as They Are Created

Related Question