Normally I use tcpflow to debug network I/O, but it doesn't seem to have any way to filter by process - so I need to manually figure out which files come from the program being debugged, and which are completely unrelated traffic. Usually both are mostly HTTP, so port filtering is out of the question, and filtering by remote hostname is only sometimes possible.

In theory it should work. Process IDs can be associated with sockets, at least on Linux - /proc/net/tcp associates socket address pairs with inodes, and fstat-ing /proc/*/fd/* reveals all socket inodes by process (that's what netstat -p uses) - but it needs to be done in real time by the traffic-capturing program, otherwise this data is all gone - so I cannot just grep the right files later. (OTOH, I'm not sure if this is even possible on OSX.)

Or another possibility would be to use some sort of low-level library injection like LD_PRELOAD when the program starts, instead of an external monitor.

The alternative of finding every single network read and write in the program, and adding logging code there, is just too awful to contemplate - especially since a lot of actual I/O can be buried deep inside third-party libraries.

Any recommendations? Something cross-platform would be perfect, but if it works with either OSX or Linux it's good enough.
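
The /proc lookup described in the question, as an added example that is not part of the original post: it joins the socket inodes found under /proc/<pid>/fd with the rows of /proc/net/tcp and prints a pcap filter expression of the kind tcpflow and tcpdump accept. It assumes Linux, IPv4 only (/proc/net/tcp6 is not read) and a little-endian host; all function names and the sample data are constructed for illustration.

```python
import os, re, socket, struct, sys

# Constructed sample of /proc/net/tcp: one listener, one established connection.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 100 0 0 10 0
   1: 0500000A:C350 0A0200C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 45678 1 0000000000000000 20 4 30 10 -1
"""
# Constructed readlink() targets as they appear under /proc/<pid>/fd/.
SAMPLE_FD_LINKS = ["/dev/pts/0", "socket:[45678]", "pipe:[1111]", "socket:[99999]"]

def decode_addr(field):
    """'0100007F:1F90' -> ('127.0.0.1', 8080). Assumes a little-endian host."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Map socket inode -> (local, remote) for each row of /proc/net/tcp."""
    table = {}
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) >= 10:                     # column 9 is the inode
            table[int(cols[9])] = (decode_addr(cols[1]), decode_addr(cols[2]))
    return table

def socket_inodes(fd_links):
    """Pull inode numbers out of 'socket:[N]' link targets."""
    matches = (re.fullmatch(r"socket:\[(\d+)\]", link) for link in fd_links)
    return {int(m.group(1)) for m in matches if m}

def read_fd_links(pid):
    """readlink() every descriptor of a live process (Linux only)."""
    links = []
    for name in os.listdir(f"/proc/{pid}/fd"):
        try:
            links.append(os.readlink(f"/proc/{pid}/fd/{name}"))
        except OSError:                         # fd closed while we were looking
            pass
    return links

def connections_for(fd_links, tcp_text):
    """TCP address pairs owned by the process, at the moment of the snapshot."""
    table = parse_proc_net_tcp(tcp_text)
    return sorted(table[i] for i in socket_inodes(fd_links) if i in table)

def pcap_filter(conns):
    """Build a pcap filter expression matching the established connections."""
    return " or ".join(f"(host {r[0]} and port {r[1]} and port {l[1]})"
                       for l, r in conns if r[1] != 0)   # skip listeners

if __name__ == "__main__":
    live = len(sys.argv) > 1                    # live mode: pass a PID as argv[1]
    links = read_fd_links(int(sys.argv[1])) if live else SAMPLE_FD_LINKS
    text = open("/proc/net/tcp").read() if live else SAMPLE_TCP
    print(pcap_filter(connections_for(links, text)))
```

The result is a point-in-time snapshot: connections the process opens after the lookup are not in the filter, and reading another user's /proc/<pid>/fd requires matching privileges.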