PaulDotCom mailing list archives
Re: PCAP file "per-running-process"
From: Sandro Gauci <sandro () enablesecurity com>
Date: Tue, 12 Mar 2013 17:22:24 +0000
On OSX, Little Snitch (commercial desktop firewall) can dump pcaps for selected processes. Only tried it once myself (and I'm not an active Little Snitch user) but it seems pretty cool and similar to what you're asking for:

http://www.chrisle.me/2012/11/little-snitchs-hidden-pcap-network-sniffer/

Sandro Gauci
Penetration tester and security researcher
Email: sandro () enablesecurity com
Web: http://enablesecurity.com/
PGP: 8028 D017 2207 1786 6403 CD45 2B02 CBFE 9549 3C0C

On Tue, Mar 12, 2013 at 1:28 PM, Jim Halfpenny <jim.halfpenny () gmail com> wrote:
> Hi,
>
> Slightly off topic but a useful feature of iptables on Linux is the ability to filter traffic by user. The link below gives an example of how to block traffic for a particular user.
>
> http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html
>
> Another great option is --tee which can copy traffic based on whatever rules you apply.
>
> http://www.bjou.de/blog/2008/05/howto-copyteeclone-network-traffic-using-iptables/
>
> So if you wanted to record on a per-user basis on Linux (useful for service/daemon users) you could use ipt_user and tee functions to mirror that traffic and tcpdump it out there, or just use ipt_user to log flows.
>
> Not entirely relevant but I hope it's useful.
>
> Regards,
> Jim
>
> On 12 March 2013 11:54, Hans Kokx <skipmeister123 () gmail com> wrote:
>
>>> If you add the p parameter to netstat it gives you the process id associated with the connection.
>>
>> In Linux, yeah. Mac doesn't support -p though. :(
>>
>> --
>> Hans Kokx
>>
>> On Tuesday, March 12, 2013 at 3:32 AM, Robin Wood wrote:
>>
>>> On Mar 12, 2013 4:20 AM, "Hans Kokx" <skipmeister123 () gmail com> wrote:
>>>
>>>> This sounded like an interesting challenge, so I whipped something together that seems to work. Maybe it's what you're looking for, or maybe not.
>>>>
>>>> So, the idea I came up with is relatively simple: each process is going to open an ephemeral port to connect to the known port of the service. Let's take, for example, a simple SOCKS5 proxy I've tossed together over SSH:
>>>>
>>>> nohup ssh -D 8000 -C -N me () myhost com >/dev/null 2>&1 &
>>>>
>>>> I typically use this everywhere that's not at home, and push ALL my traffic through it. Hey, security.
>>>>
>>>> Anywho, on my mac, I was able to find the ephemeral port that it was using:
>>>>
>>>> $ netstat -ntl|grep 192.168.1.5|grep 22
>>>> tcp4 0 0 192.168.1.156.61697 192.168.1.5.22 ESTABLISHED
>>>>
>>>> Now we've got an ephemeral port to work with. Some clever awk- and sed- foo and you can grab JUST that port.
>>>>
>>>> Capturing the traffic is simple enough….
>>>>
>>>> $ tcpdump src port 61697
>>>>
>>>> So, we've got the traffic for this individual socket, but who does it belong to?
>>>>
>>>> $ sudo lsof -i 4tcp:61697
>>>> Password:
>>>> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
>>>> ssh 17878 hkokx 3u IPv4 0x225a0a58298b9315 0t0 TCP 192.168.1.156:61697->myhost.com:ssh (ESTABLISHED)
>>>>
>>>> There's your pid and process name.
>>>
>>> If you add the p parameter to netstat it gives you the process id associated with the connection.
>>>
>>> Robin
>>>
>>>> This was fun. Thanks for the challenge. :)
>>>>
>>>> --
>>>> Hans Kokx
>>>>
>>>> On Tuesday, March 12, 2013 at 12:03 AM, Sherif El-Deeb wrote:
>>>>
>>>>> I have been trying to figure out a way to "capture/filter" network traffic per process, not per host/interface in a windows environment "even though I'd be curious to know how that could be done in *n?x/OS X". What I want to achieve is create a PCAP file for each process id that was executed and communicated over the network. help, please.
>>>>>
>>>>> Thanks and regards,
>>>>> Sherif.

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
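As an added example that is not part of the thread (not Hans Kokx's or any other poster's code), the script below automates the netstat/lsof-then-tcpdump procedure from his message: given a PID it reads the local ports of that process's sockets from lsof's field output and turns them into a tcpdump filter. It assumes lsof and tcpdump are installed; the sample lsof output embedded in it is constructed, with the ssh -D 8000 tunnel and pid 17878 from the thread.

```shell
# Added example, not code from the thread: automate Hans Kokx's netstat/lsof -> tcpdump
# steps. `lsof -nP -a -i -p <pid> -F pPn` prints a process's sockets as fields
# ("p<pid>", "P<proto>", "n<local>[-><remote>]"); their local ports become a tcpdump filter.

# Distinct local ports of every TCP/UDP socket owned by PID $1, from lsof -F pPn on stdin.
local_ports_for_pid() {
    awk -v want="$1" '
        /^p/ { pid = substr($0, 2); next }
        /^P/ { proto = substr($0, 2); next }
        /^n/ && pid == want && (proto == "TCP" || proto == "UDP") {
            name = substr($0, 2)
            sub(/->.*/, "", name)   # drop the remote endpoint
            sub(/.*:/, "", name)    # port after the last colon (works for [::1]:8000)
            if (name ~ /^[0-9]+$/) print name   # skips unbound "*:*" sockets
        }' | sort -un
}

# Join ports (one per line on stdin) into "port A or port B"; prints nothing if empty.
bpf_filter() {
    awk '{ f = (f == "") ? ("port " $1) : (f " or port " $1) } END { if (f != "") print f }'
}

# Live filter for a running PID.
filter_for_pid() {
    lsof -nP -a -i -p "$1" -F pPn 2>/dev/null | local_ports_for_pid "$1" | bpf_filter
}

# Constructed lsof -F pPn output (not a real capture): the ssh -D 8000 tunnel from the
# thread (pid 17878), its SOCKS listener on IPv4 and IPv6, and an unbound UDP socket.
SAMPLE_LSOF='p17878
f3
PTCP
n192.168.1.156:61697->198.51.100.7:22
f4
PTCP
n127.0.0.1:8000
f5
PTCP
n[::1]:8000
f6
PUDP
n*:*'
# Filter derived from the sample: "port 8000 or port 61697".
demo_filter() { printf '%s\n' "$SAMPLE_LSOF" | local_ports_for_pid 17878 | bpf_filter; }

# Usage: sh perproc.sh <pid> <iface> <out.pcap>. The filter is a snapshot of the ports open now.
if [ "$#" -eq 3 ]; then
    bpf=$(filter_for_pid "$1"); [ -n "$bpf" ] || { echo "pid $1: no sockets" >&2; exit 1; }
    exec tcpdump -i "$2" -w "$3" "$bpf"
fi
```

Ports the process opens after the capture starts are not covered by the filter, so re-run it (or capture everything and filter afterwards) for long-lived processes that reconnect.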
Current thread:
- PCAP file "per-running-process" Sherif El-Deeb (Mar 11)
- Re: PCAP file "per-running-process" Hans Kokx (Mar 11)
- Re: PCAP file "per-running-process" Sherif El-Deeb (Mar 11)
- Re: PCAP file "per-running-process" allison nixon (Mar 12)
- Re: PCAP file "per-running-process" Carlos Perez (Mar 12)
- Re: PCAP file "per-running-process" Sherif El-Deeb (Mar 11)
- Re: PCAP file "per-running-process" Robin Wood (Mar 12)
- Re: PCAP file "per-running-process" Hans Kokx (Mar 12)
- Re: PCAP file "per-running-process" Jim Halfpenny (Mar 12)
- Re: PCAP file "per-running-process" Sandro Gauci (Mar 12)
- Re: PCAP file "per-running-process" Sherif El-Deeb (Mar 13)
- Re: PCAP file "per-running-process" allison nixon (Mar 13)
- Re: PCAP file "per-running-process" Frank McClain (Mar 13)
- Re: PCAP file "per-running-process" Hans Kokx (Mar 11)