
I'd love it if there were a single command-line tool for packet sniffing a single command in Linux. Something like sniff dumpfile command, so that you could just run the command you want to packet sniff in the terminal and get a dump of the packets somewhere else.

I'd like to dump / save / see only the network traffic of the single command that I enter, not all the TCP traffic on my single network interface. So if I was logged into my computer and had IRC running in the background, and I did sniff somefile wget http://www.google.com, I'd want to see all the network traffic that the wget command did to download http://www.google.com. I don't want 'somefile' to have the IRC network traffic confusing things.

There are lots of Linux/Unix commands that accept a different command and do something different with it: sudo (run as superuser), nice (change nice level), trickle (limit the bandwidth of a command).

Amandasaurus
    What is it, exactly, that you want to do? Do you want to check whether a certain command is run? Do you want to sniff network traffic? Because using the phrase 'packet sniffing a command' makes no sense to me at all... – wzzrd Jun 22 '09 at 15:14
  • wzzrd, see expanded question – Amandasaurus Jun 22 '09 at 15:18

10 Answers


There isn't any that I know of, but it theoretically shouldn't be hard to get something similar. strace can be used to intercept networking syscalls.

# strace -f -e trace=network -s 10000 /usr/bin/command arguments

This will give you information about the data sent between the kernel and the process. The output of strace isn't exactly what you'd want. However, strace uses the ptrace syscall to intercept system calls. It might be possible to write a program to output the data a little more usefully.

Alternatively, you can also intercept the nice useful socket, bind and listen syscalls. It might be possible to write a small program that used ptrace on these calls and libpcap to dynamically change the capture filter every time a new socket is opened.

David Pashley

Tracedump

Tracedump is a single application IP packet sniffer, which captures all TCP and UDP packets of a single Linux process.

Download and description here: http://mutrics.iitis.pl/tracedump

splattne
pjf

Try Wireshark -- the command will be tshark

  • tshark allows you to select filters on the traffic captured from an interface
  • use other utilities like the Debian lsof to identify the kind of communication done by your application of interest.

Or, do you really just want lsof?

I don't think there is a tool that will dynamically keep filtering for all communication associated to a process. However, you could try tracking the process communications with tools like lsof and once you have a good filter that can isolate communication of that process from all other traffic running on your system, you could get the correct capture.

For example, with wget usually the destination IP address is distinct from other process related traffic. Even if you take something like Skype the destination port range is usually fixed for an instance.

This is a bit like the uncertainty principle. You can usually know what is going through a set of communication paths (with a sniffer filtering on identified group of flows), or where different communication links are being made (with lsof).

I would really like to know if both can be done for an application. I think it should be feasible. But, have not seen any tool do that yet.

nik
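As an added example (not code from any of the answers here), combining David Pashley's suggestion of post-processing strace's network syscalls with nik's point that you need a filter that isolates one process's flows: this Python script parses strace -f -e trace=network output, recovers which TCP/UDP peers the traced process talked to, and turns them into a tcpdump/tshark capture filter. It assumes the "[pid N]" line prefix strace writes to stderr (strace -o output uses a bare leading pid, so the prefix regex would need adjusting); SAMPLE_TRACE is constructed, not a real trace.

```python
import re

# Constructed sample of `strace -f -e trace=network` stderr output (not a real trace): a DNS
# query over UDP, an HTTP connect, a netlink socket (not IP traffic) and an IPv6 HTTPS connect.
SAMPLE_TRACE = r"""
[pid  4242] socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 3
[pid  4242] sendto(3, "\245\1\1\0\0\1\0\0\0\0\0\0\3www\6google\3com\0\0\1\0\1", 32, MSG_NOSIGNAL, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 32
[pid  4242] socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 4
[pid  4242] connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
[pid  4242] socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_ROUTE) = 5
[pid  4243] socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP) = 6
[pid  4243] connect(6, {sa_family=AF_INET6, sin6_port=htons(443), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::10", &sin6_addr), sin6_scope_id=0}, 28) = -1 EINPROGRESS (Operation now in progress)
"""

# With -f, strace prefixes children's lines with "[pid N]"; the leader's lines have no prefix.
PID = r"^(?:\[pid\s+(\d+)\]\s+)?"
SOCKET_RE = re.compile(PID + r"socket\((AF_\w+), (SOCK_\w+(?:\|\w+)*), \w+\)\s*=\s*(\d+)")
PEER_RE = re.compile(
    PID + r"(?:connect|sendto|recvfrom|sendmsg)\((\d+),.*?sin6?_port=htons\((\d+)\)"
    r'.*?(?:inet_addr\("([^"]+)"\)|inet_pton\(AF_INET6, "([^"]+)")'
)

def parse_strace_network(text):
    """Return sorted (proto, peer_ip, peer_port) triples the traced process talked to."""
    proto_of = {}  # (pid, fd) -> "tcp" | "udp" | None, taken from the socket() that made the fd
    peers = set()
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            pid, family, socktype, fd = m.groups()
            kind = "tcp" if "SOCK_STREAM" in socktype else "udp" if "SOCK_DGRAM" in socktype else None
            # Only IP sockets are capturable; netlink/unix/raw get None and are skipped below.
            proto_of[(pid, fd)] = kind if family in ("AF_INET", "AF_INET6") else None
            continue
        m = PEER_RE.match(line)
        if m:
            pid, fd, port, ip4, ip6 = m.groups()
            proto = proto_of.get((pid, fd))
            if proto:  # a failed or still-in-progress connect still reveals the intended peer
                peers.add((proto, ip4 or ip6, int(port)))
    return sorted(peers)

def to_capture_filter(peers):
    """Build a tcpdump/tshark filter that matches both directions of every observed flow."""
    terms = [f"({proto} and {'ip6' if ':' in ip else 'ip'} host {ip} and port {port})"
             for proto, ip, port in peers]
    return " or ".join(terms)

if __name__ == "__main__":
    print("tcpdump -n -i any '%s'" % to_capture_filter(parse_strace_network(SAMPLE_TRACE)))
```

For a real run, redirect strace's stderr to a file (strace -f -e trace=network command 2> trace.txt), feed the file contents to parse_strace_network and hand the result of to_capture_filter to tcpdump or tshark; fd numbers reused after close() are tracked per pid, but close() itself is not in trace=network, so a long-lived process that churns sockets is best traced once per run.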

Learn to use filter expressions.

Whilst this won't do the fancy trace stuff that you are asking for, it will allow you to remove nearly all of the "confusing stuff like IRC" from the capture.

Additionally it's very useful to know the filter syntax for quick reference in the future.

Dan Carley

Specifically for a web browser / web page something like the Firebug plug-in for Firefox may give you some of the information you are looking for: http://getfirebug.com/net.html

For more general applications, you may need to use netstat to identify the port(s) used by the application and then Wireshark/tshark/dtrace with a filter to capture just that traffic. Not the one line answer you were looking for though...

Peter

One idea: try VMware.

- set up a VM
- configure that VM to use a particular interface
- sniff on that interface from the host (it's like a man-in-the-middle attack)

If you isolate what network applications are running on that vm you might have your answer

A more ideal solution, I suppose, is to do what VMWare does in terms of how it specifies how it chooses an interface to talk over. I think its magic comes from the kernel modules it uses, in this case, probably vmnet kernel module.

To my knowledge applications are not aware for what interface they talk over and I believe this is by design; they shouldn't have to worry about such things.

Furthermore, perhaps a program already exists, I don't know. But if one were written you could call it nettrace (for example) and usage could be like

nettrace program interface

then sniff the interface it uses and add routes (maybe it does that automatically) to your real interface.

rev
  • Yes, that would be possible. However it'd be great if there was a simple and quick tool to do it. – Amandasaurus Jun 22 '09 at 16:07
  • Maybe it is time for this simple tool? I wonder if it would be that difficult, probably vmnet mod could be a good starting point (though I don't know if there would be licensing issues). Perhaps (a hack) just use vmnet mod. I know I am interested in questions like this often. – rev Jun 22 '09 at 17:13

Assuming that you are the only person on the box attempting to connect to google at the time, I'd think something like this should do the trick:

tcpdump -w <outfile> -i <interface> tcp and dst host www.google.com and dst port 80

If you are not the only connection attempting to connect to google on the box, then if you can identify the IP/port you are connecting from you can also specify the src port/src ip.

Identifying the src port may be a problem unless you can specify it on whatever client you use. I'm not sure if you can with wget.

I strongly suspect that you can specify both src and dst ports with netcat so if it was really google you were interested in, you could do your GET (manually) through netcat.

Of course the man page will give you specifics.

Jason Tan

The tcpdump man page and many web sites give in-depth examples of filters, and there are even a few online repositories of tcpdump filter expressions. It should be able to do almost anything you can dream of, assuming that you know something about the network traffic (source, destination, ports, protocols, etc.) beyond just what program is generating it.

If you're working on a server or headless box, you can always have tcpdump write a dump file and then open it in Wireshark on your workstation and get advanced filtering and a graphical interface.

Jason Antman

Maybe this script will do what you want with appropriate modifications to the tshark command:

#!/bin/bash

# Start tshark in the background before we run the command to be sniffed.
# Add more options to tshark, as appropriate to your command....
setsid tshark -w dump -i eth0 tcp port 8080 >/dev/null 2>&1 &

sleep 2

wget www.google.com

# tshark keeps running if you don't kill it.
# This kills all other tsharks that may be running; a plain SIGTERM
# (rather than -9) lets tshark close the dump file cleanly.
pkill tshark

Read the dump file later:

tshark -r dump

Not Now
  • You're capturing port 8080 but generating traffic on port 80; this won't do quite what you're intending. – James F Jun 22 '09 at 18:18
  • James: My proxy connects to 8080, that's how I ran the script. I should have changed it to 80 for the purpose of this post. – Not Now Jun 22 '09 at 18:30

Dtrace should allow this, although I don't know whether it's quite made it into Linux yet.

Toto