6

I want to log all network traffic on a Mac OS X server (like tcpdump does), but including the ID of the process that is responsible. Using lsof only gives me the current connections, not the past ones.

Is there a way to do this?

Regards, Jochen

Jochen

4 Answers

10

While nettop is nice for viewing a snapshot of current connections, you can use tcpdump to collect the data and process information as well. With tcpdump, use the option -k to display metadata for the captured traffic.

   -k     Control the display of packet metadata via an optional metadata_arg argument. This is useful when displaying packet saved
          in the pcap-ng file format or with interfaces that support the PKTAP data link type.

          By default, when the metadata_arg optional argument is not  specified,  any  available  packet  metadata  information  is
          printed out.

          The  metadata_arg  argument  controls  the  display of specific packet metadata information using a flag word, where each
          character corresponds to a type of packet metadata as follows:

                 I     interface name (or interface ID)
                 N     process name
                 P     process ID
                 S     service class
                 D     direction
                 C     comment

          This is an Apple modification.

So, for example, to display the process ID and process name, you can do this:

tcpdump -k NP
Toni
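As an added example (not part of the answer above or of tcpdump itself), here is a small Python script that turns the `(proc name:pid)` metadata printed by `tcpdump -k NP` into a per-process summary, which is the "who talked to whom" view the question is after. The exact line shape (`<time> (proc <name>:<pid>) IP <src> > <dst>: ...`) is an assumption based on the flags in the answer, and the sample lines embedded in the script are constructed, not captured traffic; lines without metadata (e.g. kernel-originated packets) are counted but skipped.

```python
import re
import sys
from collections import defaultdict

# Assumed shape of a `tcpdump -k NP` line on macOS:
#   "<time> (proc <name>:<pid>) IP <src> > <dst>: <rest>"
# The non-greedy dst plus ":\s+" also copes with IPv6 endpoints, which contain colons.
META_RE = re.compile(
    r"^(?P<ts>\S+)\s+\(proc\s+(?P<proc>[^:)]+):(?P<pid>\d+)\)\s+"
    r"IP6?\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+?):\s+(?P<rest>.*)$"
)
LEN_RE = re.compile(r"length\s+(\d+)")

# Constructed sample input (not real capture output). Ports and PIDs are invented.
SAMPLE_LINES = [
    "12:00:01.000100 (proc curl:4242) IP 10.0.0.5.50123 > 10.0.0.9.7000: Flags [S], seq 1, win 65535, length 0",
    "12:00:01.000400 (proc curl:4242) IP 10.0.0.9.7000 > 10.0.0.5.50123: Flags [S.], seq 2, ack 2, win 65535, length 0",
    "12:00:01.001000 (proc curl:4242) IP 10.0.0.5.50123 > 10.0.0.9.7000: Flags [P.], seq 1:78, ack 1, win 2058, length 77",
    "12:00:02.500000 (proc AirPlayXPCHelpe:87) IP 10.0.0.5.60001 > 10.0.0.77.7000: Flags [S], seq 9, win 65535, length 0",
    # A line with no process metadata, as tcpdump prints for traffic it cannot attribute.
    "12:00:03.000000 IP 10.0.0.5.123 > 17.253.2.1.123: NTPv4, Client, length 48",
]


def parse_line(line):
    """Return a dict for a line carrying process metadata, or None if it has none."""
    m = META_RE.match(line.rstrip("\n"))
    if not m:
        return None
    size_m = LEN_RE.search(m.group("rest"))
    return {
        "ts": m.group("ts"),
        "proc": m.group("proc"),
        "pid": int(m.group("pid")),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "length": int(size_m.group(1)) if size_m else 0,
    }


def summarize(lines):
    """Aggregate packets, payload bytes and distinct flows per (process, pid).

    Returns (stats, skipped) where stats maps (proc, pid) -> counters and
    skipped is the number of lines without process metadata.
    """
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": set()})
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        entry = stats[(rec["proc"], rec["pid"])]
        entry["packets"] += 1
        entry["bytes"] += rec["length"]
        # A flow is direction-agnostic: SYN and SYN-ACK belong to the same conversation.
        entry["flows"].add(tuple(sorted((rec["src"], rec["dst"]))))
    return dict(stats), skipped


def report(stats, skipped):
    """Render the summary as text lines, one per process, busiest first."""
    out = []
    for (proc, pid), e in sorted(stats.items(), key=lambda kv: -kv[1]["packets"]):
        out.append(f"{proc}:{pid}  packets={e['packets']}  bytes={e['bytes']}  flows={len(e['flows'])}")
        for a, b in sorted(e["flows"]):
            out.append(f"    {a} <-> {b}")
    out.append(f"(unattributed lines skipped: {skipped})")
    return out


if __name__ == "__main__":
    # Live use:  sudo tcpdump -k NP -l -n | python3 this_script.py -
    source = sys.stdin if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_LINES
    print("\n".join(report(*summarize(source))))
```

Run it with `-` on the end of a `sudo tcpdump -k NP -l -n` pipe (`-l` line-buffers the output so the summary keeps up); without arguments it runs against the constructed sample lines. Because tcpdump attributes packets at capture time, this gives a history of past connections per PID, which is exactly what lsof cannot provide.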
4

I recently had this problem too. One approach you can potentially take is to use both tcpdump and nettop in parallel (each, side by side, in their own terminal shells), and visually observe as the network traffic manifests.

For example, my firewall recently caught suspicious looking network traffic coming out of my Mac's Ethernet, on a private subnet which I did not recognize and on a port (TCP 7000) which looked unusual. In one terminal shell I ran:

$ sudo tcpdump port 7000

and in the other terminal shell I ran:

$ sudo nettop -m tcp

When the network traffic showed up via tcpdump, it nearly instantly was also added to the nettop output, which indicated it was Apple's AirPlay helper daemon running with process ID (PID) 87 in this example:

AirPlayXPCHelpe.87

This may not necessarily be practical for observing all situations where you're trying to catch something on your network which looks anomalous, but as a starting point it may be worth trying vs. writing a probably more complex DTrace script.

0

Sadly, the best way to do this (tcpsnoop, which uses DTrace to do exactly what you describe) does not work on the Mac OS X implementation of dtrace. You'd need some kind of application firewall (Little Snitch for example) but that's more of a desktop / single user thing than something you want running on your server.

This seems like an odd requirement, actually: are you trying to make an intrusion detection system, or just figure out what is causing network access?

eric sorenson
0

I was going down this path for the first time just now. I found DTrace, while powerful, is now difficult to do due to the SIP system. I have Little Snitch installed for regular firewall purposes, but I wanted to start logging data as well.

Nobody here has mentioned that nettop has a logging mode which will output to CSV, and ultimately that's what I would like to get to. This seems to be fairly equivalent to the tcpdump -k NP approach. However, it didn't require me to 'sudo' the command.

I thought I'd just leave that extra note in case it's ever useful to anyone.