Networking packet sniffer for Linux that captures the application names?



I tried Wireshark. It shows the source and destination IP address, port number, and packet contents, but nothing about which application is using the packets.

Apparently tcpdump is similar; network data but no info on which application.

Wireshark was showing much more activity than I expected (including destination IPs outside my home network) when the browser, email and other known internet-related programs were closed and other computers are off. But without knowing which program is sending or receiving, it's hard to do anything about it.

I'm using Ubuntu 11.04.

I'm not looking for a general network sniffer; I only want to see what is going in and out of the same machine on which the sniffer is running.

Is there anything like that on Linux? Even if it costs money? Or is it that I don't know how or where to look for the application name in Wireshark?

Mike Rowave

Posted 2011-06-22T01:06:06.230

Reputation: 1 835

@Breakthrough, Welcome to the real world :-) – nik – 2011-06-22T05:43:10.543



I had looked at this some time back and found nothing.
There is a crude script technique that you can do based on netstat.

It relies on the detail (like you have observed) that there is no need to sniff all the traffic -- what you want to look at is the connection table and associated program id.

netstat -npt

This is how the options work,

-n -- shows plain network addresses without resolving names (makes things faster)
-p -- gives the PID for the associated program
-t -- restricts to looking at TCP connections

This works quite fast and can be looped through a script to keep logging the data (plugged to cron?).
You could filter that data to derive a database of

{program name, program id, IP 5-tuple, time-window}

The downside is, since there is no UDP connection entry (of the likes TCP maintains), it will really take sniffing for UDP applications.

I'd really like to know if there is an existing tool doing this :-) It's a nice project.
I think I wrote a python script on these lines sometime back.


Posted 2011-06-22T01:06:06.230

Reputation: 50 788

Thanks, at least this is a start. I find it really strange that there are dozens of Firewalls, loggers, and sniffers on Windows that will show and/or block network connections for specific applications, but practically nothing on Linux. Apparently there is some fundamental anomaly in the Unix/Linux architecture that makes it prohibitively difficult to identify the application associated with each connection? I'm hoping I don't have to go back to Windows in order to have sufficient knowledge and control over the programs that use the Internet. – Mike Rowave – 2011-06-22T13:37:00.517

@Mike, Actually, that is not the case; commands like netstat and lsof are quite in line with the Unix philosophy. Sniffing and Firewalling requires intrusive actions. Looking up the connection table for the process id is relatively passive. – nik – 2011-06-22T16:30:17.917
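An added example (not nik's script, and not part of the answer above) of the netstat-based approach nik describes: poll `netstat -npt`, parse each TCP line into program name, PID and 5-tuple, and keep a first-seen/last-seen window per connection. It assumes GNU net-tools netstat output; the sample text is constructed, not captured from a real host. Connections netstat cannot tie to a PID (the `-` it prints for sockets owned by other users when not run as root) are kept and flagged separately, since those are the ones to re-check with sudo.

```python
"""Added example, not nik's script: log which program owns each TCP
connection by polling `netstat -npt` and keeping a first-seen/last-seen
window per (program, pid, 5-tuple). Assumes GNU net-tools netstat output;
the sample text below is constructed, not captured from a real host."""
import re
import subprocess
import time

# Constructed sample of `netstat -npt` run as an unprivileged user: the
# TIME_WAIT socket belongs to another user, so netstat prints '-' for it.
SAMPLE_NETSTAT = """\
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.5:51234       93.184.216.34:443       ESTABLISHED 2345/firefox
tcp        0      0 192.168.1.5:40022       203.0.113.9:22          ESTABLISHED 1987/ssh
tcp        0      0 192.168.1.5:35120       198.51.100.77:80        TIME_WAIT   -
"""

# One connection line: proto, queues, local addr:port, foreign addr:port, state, pid/program
NETSTAT_LINE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s+"
    r"(?P<state>\S+)\s+"
    r"(?P<pidprog>\S+)$"
)


def _port(s):
    return int(s) if s.isdigit() else None


def parse_netstat(text):
    """Return one record per connection line; pid/prog are None when
    netstat could not identify the owning process ('-')."""
    records = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line.strip())
        if not m:
            continue  # headers and the non-root warning
        pidprog = m.group("pidprog")
        if "/" in pidprog:
            pid, prog = pidprog.split("/", 1)
            pid = int(pid)
        else:
            pid, prog = None, None
        records.append({
            "prog": prog,
            "pid": pid,
            "tuple": (m.group("proto"), m.group("laddr"), _port(m.group("lport")),
                      m.group("raddr"), _port(m.group("rport"))),
            "state": m.group("state"),
        })
    return records


class ConnectionLog:
    """Time window (first seen, last seen) for each (prog, pid, 5-tuple)."""

    def __init__(self):
        self.windows = {}

    def observe(self, records, now):
        for r in records:
            key = (r["prog"], r["pid"], r["tuple"])
            first, _ = self.windows.get(key, (now, now))
            self.windows[key] = (first, now)

    def unattributed(self):
        """Connections netstat could not tie to a PID: the ones to re-check as root."""
        return [key for key in self.windows if key[1] is None]


def poll_once():
    """Live query; needs net-tools installed and root to see every process."""
    out = subprocess.run(["netstat", "-npt"], capture_output=True, text=True)
    return parse_netstat(out.stdout)


if __name__ == "__main__":
    log = ConnectionLog()
    while True:  # crude cron-style loop; Ctrl-C to stop
        log.observe(poll_once(), time.time())
        for (prog, pid, five), (first, last) in sorted(log.windows.items(), key=str):
            print(f"{prog!s:15} {pid!s:>6} {five} {first:.0f}-{last:.0f}")
        time.sleep(5)
```

Polling only sees connections that exist at the moment of each `netstat` run, so short-lived connections between polls are missed; that, plus the missing UDP table nik mentions, is where the approach falls short of a real sniffer.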


I think most sniffers don't make the effort to try to determine whether the current machine they're running on is the endpoint for any of the traffic flows they are seeing (as opposed to, say, seeing other machines' frames via a hub or a mirror port on a switch, or on a wireless channel, or seeing frames that the current machine is just bridging/routing/NAT-gatewaying). So most sniffers don't bother to see if process or application name can be found, because that can only be found if the local machine is the endpoint of the traffic.

This isn't as convenient as having a sniffer do it for you, but here's a workaround anyway:
Since you know which addresses belong to your local machine, once you find the local port number, you can look up the name of the process using that port number using lsof like this:

sudo lsof +c15 -i :$PORT

...where "$PORT" is the port number you care about.


Posted 2011-06-22T01:06:06.230

Reputation: 84 656

I like sudo lsof -lMnP -i4 +c15 -- that can be looped to collect data too. – nik – 2011-06-22T05:28:52.660
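An added example, not part of the answer above, of the workaround it describes: first decide which end of a sniffed flow is this machine (the only case in which a process name exists at all, as the answer points out), then look the local port up in the output of `sudo lsof +c15 -nP -i :PORT`. The lsof text is a constructed sample that mirrors lsof's default column layout; the function and script names are my own.

```python
"""Added example, not part of the answer: attribute a sniffed flow to a
local process. Step 1 decides which end of the flow is this machine (the
only case in which a process name exists at all); step 2 parses the
output of `sudo lsof +c15 -nP -i :PORT` for that local port. The lsof
text below is constructed to mirror lsof's default column layout."""
import subprocess

# Constructed sample output of `sudo lsof +c15 -nP -i`
SAMPLE_LSOF = """\
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
firefox   2345 mike   45u  IPv4  31337      0t0  TCP 192.168.1.5:51234->93.184.216.34:443 (ESTABLISHED)
avahi-daemon 812 avahi  12u  IPv4  16384      0t0  UDP *:5353
"""


def local_end(flow, local_addrs):
    """flow = (src_ip, src_port, dst_ip, dst_port) as the sniffer shows it.
    Returns (local_port, direction), or None when neither end is this host
    (frames seen via a hub/mirror port, or merely routed/NATed through)."""
    src_ip, src_port, dst_ip, dst_port = flow
    if src_ip in local_addrs:
        return src_port, "outbound"
    if dst_ip in local_addrs:
        return dst_port, "inbound"
    return None


def parse_lsof(text):
    """Parse default-column lsof output. NAME may contain a space
    ('... (ESTABLISHED)'), so split into at most 9 fields."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue
        command, pid, user, _fd, _type, _dev, _size, node, name = parts
        rows.append({"command": command, "pid": int(pid), "user": user,
                     "proto": node, "name": name})
    return rows


def local_port_of(name):
    """Local port from an lsof NAME: '192.168.1.5:51234->93.184.216.34:443 (ESTABLISHED)'
    -> 51234, '*:5353' -> 5353; None if the socket has no port ('*:*')."""
    local = name.split("->", 1)[0].split(" ", 1)[0]
    port = local.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def attribute(flow, local_addrs, lsof_text):
    """Processes whose socket uses the flow's local port, tagged with direction."""
    end = local_end(flow, local_addrs)
    if end is None:
        return []
    port, direction = end
    return [dict(row, direction=direction)
            for row in parse_lsof(lsof_text) if local_port_of(row["name"]) == port]


def query_lsof(port):
    """Live query for one port. lsof exits 1 when nothing matches, so the
    return code is not checked; run as root to see other users' sockets."""
    out = subprocess.run(["lsof", "+c15", "-nP", "-i", f":{port}"],
                         capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    import sys
    # usage: attribute_flow.py SRC_IP SRC_PORT DST_IP DST_PORT LOCAL_IP [LOCAL_IP ...]
    src_ip, src_port, dst_ip, dst_port, *local = sys.argv[1:]
    flow = (src_ip, int(src_port), dst_ip, int(dst_port))
    end = local_end(flow, set(local))
    if end is None:
        sys.exit("neither end of this flow is local; no process can own it")
    for hit in attribute(flow, set(local), query_lsof(end[0])):
        print(hit["direction"], hit["proto"], hit["command"], hit["pid"], hit["user"], hit["name"])
```

Because lsof lists bound UDP sockets as well (the `UDP *:5353` row), a UDP flow can still be mapped to the socket listening on its local port even though there is no UDP connection table; what you get is the owner of the socket, not a per-flow record.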