Capture network traffic of a single application?

Question

I am looking for a method / hack / kernel module to capture network traffic of a PID and all it's forks / child processes.

I have a firefox applications that opens some web pages and starts to stream stuff with flash streaming, wmv, or any other streaming protocol as well as "simple" download of img, js and other "static" content.

I'm interested in capturing this traffic and ultimately isolation these streams.

Wireshark does not support capturing by a process id, but I assume this can be worked around (and this is the core of my question). Obviously setting up a full virtual machine and running just firefox with wireshark in it will work but I be much more satisfied with a lightweight-er solution, perhaps based on chroot? combined with iptables owner module.

So ideas or complete solutions would be greatly appreciated.

-- EDIT:

People are rightfully guessing the OS I'm working on: The question is mainly pointed towards a Linux OS, but should a workable solution be found on Windows / OpenSolaris / MacOSX or any other reasonably hacker accessible OS that answer would be accepted.

I'm not a developer, but have you looked at "Firebug". It's an Firefox add-on. — Vick Vega, Jan 12 '12 at 03:22
@VickVega: Yes, sadly firebug & httpfox can't analyze streams such as flash coming from external plugins. — Maxim Veksler, Jan 12 '12 at 12:44

score 2 · Answer 1 · answered Mar 01 '12 at 05:32

Take a look at the ULOG target for iptables, combined with the owner match module. It's not quite what you asked for, but if you create a user specifically for your testing and run only the application you're trying to watch as that user, you should be pretty close.

ULOGD, at least as far as I can tell, will write a file with raw packets. I haven't done it myself so I can't vouch for it but it looks like it will do what you want.

score 0 · Answer 2 · answered Jan 13 '12 at 16:48

Ideally, you could separate out the Firefox traffic by adding another IP address to your machine, and making Firefox use it when opening outbound connections.

This is possible, eg with OpenSSH:

ssh -b 192.0.2.64 [...]

But I couldn't find any command-line option or preferences entry for that in Firefox.

Instead, you could use a simple (local) HTTP proxy, like tinyproxy, again with the proxy using a unique IP address for its outbound traffic. tinyproxy does this with the Bind setting in tinyproxy.conf, eg:

Bind 192.0.2.64

Finally, you could investigate something a bit more lightweight than a full VM. You mentioned iptables so I assume you're using a Linux host; there are a few solutions like LXC and OpenVZ that might do the trick, if HTTP proxying isn't an option for you.

score 0 · Answer 3 · answered Jan 15 '12 at 01:11

You could set up a http proxy and set Firefox to go through it, then analyze that. If you run the proxy through a different machine (even a VM) that's not doing anything, you could throw Wireshark on that... I would think that that would sufficiently isolate the traffic.

score -1 · Answer 4 · answered Jan 13 '12 at 17:01

-1

Install HTTPWatch on your desktop and click record before you start browsing.

answered Jan 13 '12 at 17:01

bintut

304
1
5

Capture network traffic of a single application?

4 Answers4