9

I sometimes come upon machine with tap interfaces (eg, when KVM is running). How can I know which process is attached to the TAP interface?

Paulo Tomé
  • 3,782
user368507
  • 2,173

3 Answers3

5

Each file descriptor has a /proc/pid/fdinfo/num entry, like:

# cat /proc/24332/fdinfo/28
pos:    0
flags:  0104002
mnt_id: 18
iff:    tap0123acdc-66

So, with the interface name, you can get the pid with:

# egrep -l iff:.*tap0123acdc-66 /proc/*/fdinfo/* 2>/dev/null|cut -d/ -f3
24332
jjo
  • 151
  • Works for me: % sudo bash -c 'grep -l iff:.*vnet0 /proc/*/fdinfo/* 2>/dev/null | cut -d/ -f3' 4143 % pgrep qemu 4143

    Given the fact that there is a name parameter shown in the output of ps -ef for qemu processes, e.g. qemu-system-x86_64 -enable-kvm -name debian-8 it should be easy to find out to which VM a pid and an interface corresponds to.

     – Dmitrii S. May 10 '16 at 19:34
2

This got me wondering and I had a look at the Linux kernel source (I'm assuming your question is about Linux).

It appears the answer's more difficult than you'd expect. This TUN/TAP API tutorial page offers some insight. Basically, your program allocates a new TUN/TAP device by opening /dev/net/tun and sending it the TUNSETIFF ioctl. If all goes well, an interface is created, the kernel gives you its name and a file descriptor, and that's how you manage it.

There are two catches here:

  1. The kernel doesn't store the PID of the process that sent the ioctl in struct tun_struct (TUN and TAP largely share the same data structures).
  2. A process may mark an interface as persistent, close its file descriptor and thereafter use it as a normal network interface.

In practice, I suspect 2 doesn't happen much. Checking out an openvpn process with lsof reveals it's still got its file descriptor to the TAP device open and obviously using it, but since /dev/net/tun is a sort of multiplexing device like /dev/ptmx, you can use lsof to find out what processes are currently using a TUN/TAP device, but you can't know what process is using what device.

There are oblique ways of solving the underlying problem. For OpenVPN, I use a tunnel setup script that names the tunX/tapX devices with a more descriptive name that includes the basename of the OpenVPN config file. So, /etc/openvpn/foo.conf leads to a vpn-foo device. Then I can correlate the OpenvVPN process with the interface it's using. Haven't had to do this with QEmu/KVM yet, though.

Alexios
  • 19,157
  • Ok. I was suspecting too that the "multiplexing" /dev/net/tun would prevent us to know what tap interface exactly a process is attached too. – user368507 Jun 17 '12 at 15:38
1

On FreeBSD or any other BSD derivative:

ifconfig tap0

should show you which process is connected to the interface:

tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    ether 58:9c:fc:10:8f:2b
    groups: tap
    media: Ethernet autoselect
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    Opened by PID 2672
kworr
  • 405
  • What OS and version are you trying this on? It'd be VERY handy to have this information (I run a box with dozens of VPN endpoints), but the Debian ifconfig doesn't show this. Mind you, these are tap devices created by OpenVPN — though I don't see why there should be a difference. – Alexios Jun 16 '12 at 11:17
  • This is about FreeBSD or any other BSD derivative. – kworr Feb 26 '15 at 15:19