37

I want to trace the networking activity of a command. I tried tcpdump and strace without success.

For example, if I am installing a package or using any command that tries to reach some site, I want to view that networking activity (the site it tries to reach).

I guess we can do this by using tcpdump. I tried, but it is tracking all the networking activity of my system. Let's say I run multiple networking-related commands and I want to track only one particular command's networking activity; in that case it is difficult to find the exact solution.

Is there a way to do that?

UPDATE:

I don't want to track everything that goes on my network interface. I just want to track the command's networking activity (for example: # yum install -y vim), such as the site it tries to reach.

4 Answers

46

netstat for simplicity

Using netstat and grepping on the PID or process name:

# netstat -np --inet | grep "thunderbird"
tcp        0      0 192.168.134.142:45348   192.168.138.30:143      ESTABLISHED 16875/thunderbird
tcp        0      0 192.168.134.142:58470   192.168.138.30:443      ESTABLISHED 16875/thunderbird

And you could use watch for dynamic updates:

watch 'netstat -np --inet | grep "thunderbird"'

With:

  • -n: Show numerical addresses instead of trying to determine symbolic host, port or user names
  • -p: Show the PID and name of the program to which each socket belongs.
  • --inet: Only show raw, udp and tcp protocol sockets.

strace for verbosity

You said you tried the strace tool, but did you try the option trace=network? Note that the output can be quite verbose, so you might need some grepping. You could start by grepping on "sin_addr".

 strace -f -e trace=network <your command> 2>&1 | grep sin_addr

Or, for an already running process, use the PID:

 strace -f -e trace=network -p <PID> 2>&1 | grep sin_addr
Gohu
  • 2,064
  • +1 for netstat which is IMHO the simplest and neatest solution. – dr_ Jul 05 '17 at 08:02
  • @Gohu I did the same for dnf, but no luck. I tried installing some packages using dnf, then I saw that the dnf process was running (process name: dnf according to the top and ps aux commands). Sadly, I didn't get any output from netstat -np --inet | grep "dnf". – Buvanesh Kumar Jul 05 '17 at 08:28
  • +1 for strace. It resolved my issue. I am able to get the IP addresses. Thank you so much for your answer :) @Gohu. I guess it is giving all the IP addresses that it reaches over the network (e.g. router IP and other IPs). If you know, is it possible to track only the destination IP? – Buvanesh Kumar Jul 05 '17 at 08:43
  • 1
    You can try and filter the strace output some more, only keeping connect syscalls and removing dns requests (port 53) with: | grep connect | grep -v 'sin_port=htons(53)' – Gohu Jul 05 '17 at 08:52
  • +1 for the trace-network option on strace – phreed May 24 '19 at 16:33
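Putting the strace approach from this answer together with the follow-up comment about dropping DNS lookups into a small reusable script (an added example, not code from the original answer; it assumes strace is installed, and the sample strace lines are constructed, not captured):

```shell
#!/bin/sh
# Added example, not from the original answer: reduce the output of
# `strace -f -e trace=network` to the destinations a command connected to,
# dropping DNS lookups (port 53) and UNIX-domain sockets.

# extract_dests: read strace output on stdin, print one "addr:port" per line,
# deduplicated. Handles the AF_INET and AF_INET6 forms of connect().
extract_dests() {
    grep 'connect(' \
    | grep -Ev 'sin6?_port=htons\(53\)' \
    | sed -n \
        -e 's/.*sin_port=htons(\([0-9]*\)).*inet_addr("\([^"]*\)").*/\2:\1/p' \
        -e 's/.*sin6_port=htons(\([0-9]*\)).*inet_pton(AF_INET6, "\([^"]*\)".*/[\2]:\1/p' \
    | LC_ALL=C sort -u
}

# trace_cmd_dests: run a command under strace (assumed installed) and list
# where it, and any child it forks, tried to connect. strace writes its
# trace to stderr, so that stream is piped and the command's stdout dropped.
trace_cmd_dests() {
    strace -f -e trace=connect "$@" 2>&1 >/dev/null | extract_dests
}

# sample_trace: constructed strace output (not from a real run) so the
# parser can be exercised offline: one DNS lookup, two TCP connects to the
# same IPv4 host, one IPv6 connect and one UNIX socket.
sample_trace() {
    cat <<'EOF'
[pid  4242] connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.1.1")}, 16) = 0
[pid  4242] connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.10")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid  4243] connect(5, {sa_family=AF_INET6, sin6_port=htons(443), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::10", &sin6_addr), sin6_scope_id=0}, 28) = 0
[pid  4243] connect(6, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
[pid  4242] connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
EOF
}

# With a command as arguments (e.g. yum install -y vim), trace it live;
# with no arguments, parse the constructed sample instead.
if [ $# -gt 0 ]; then trace_cmd_dests "$@"; else sample_trace | extract_dests; fi
```

Run it with the command to trace as arguments; only connect() calls are filtered, so a process that receives connections via accept() will not show up here.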
8

sysdig allows you to monitor all the activity of the kernel or of several commands running on your system in one go, including but not restricted to network activity.

As the output can be large, you have to build filters; the default page for the most basic filters is quite comprehensible.

It also has the advantage that it is not used as an application wrapper, as strace is, and it can be quite powerful.

From Sysdig Examples

Networking

See the top processes in terms of network bandwidth usage

sysdig -c topprocs_net 

Show the network data exchanged with the host 192.168.0.1

As binary:

sysdig -s2000 -X -c echo_fds fd.cip=192.168.0.1   

As ASCII:

sysdig -s2000 -A -c echo_fds fd.cip=192.168.0.1 

See the top local server ports:

In terms of established connections:

sysdig -c fdcount_by fd.sport "evt.type=accept"   

In terms of total bytes:

sysdig -c fdbytes_by fd.sport 

See the top client IPs

In terms of established connections

sysdig -c fdcount_by fd.cip "evt.type=accept"   

In terms of total bytes

sysdig -c fdbytes_by fd.cip 

List all the incoming connections that are not served by apache.

sysdig -p"%proc.name %fd.name" "evt.type=accept and proc.name!=httpd"
Rui F Ribeiro
  • 56,709
8

I'd create a new network namespace, bridge it over to the real network, and then monitor the bridge with tcpdump.

2

You could use wireshark to sniff all the input and output traffic of a network interface. In case you need an option without a GUI, you could use tshark.

With both options you can see all the network traffic and save it to analyze all the established connections later.

  • 1
    As I said earlier, if I run multiple networking-related commands, then how can I know which command is getting which site? – Buvanesh Kumar Jul 05 '17 at 07:22
  • This is a more generic answer. I already know that we can track the networking activity of a network interface :). I'm looking for tracking a particular command's network statistics. – Buvanesh Kumar Jul 05 '17 at 07:24
  • If you know which ports the command uses, you may be able to filter the sniff to limit it to the command you want. However, this may not be doable in your situation. – Ricard Molins Jul 05 '17 at 07:59