/*********************************************************************
 * Author: samson
 * Date: 11/19/2014
 * Test platform:
 *   3.13.0-24-generic
 *   GNU bash, 4.3.11(1)-release
 *********************************************************************/
The approach is divided into the following steps:
(1) Capture network traffic packets with the libpcap library. This yields the five-tuple (source address, destination address, source port, destination port, protocol number) of each packet and the size of the packet. From this information a table is built; as a session continues, the size of each new packet is added to the entry for that session in the table.
(2) Traverse all the links in the fd/ folder of each process under /proc/ and read the value of each link. For every link whose value begins with socket:, record the process number and the inode number of the socket, so that a table is built of the inode numbers of all socket FDs belonging to each process. On the command line, you can view the current network connections of a process with the following commands (using Firefox as an example):
# Get the PID of Firefox
$ ps aux | grep firefox
v0id 2143 7.8 21.0 1138824 433960 ? Sl 11:19 44:36 /usr/lib/firefox/firefox
This gives the Firefox process number, 2143. Next, look at the file descriptors under fd/ for this process. The command below lists the socket file descriptors in that folder; in the readlink result, the FDs (file descriptors) used for network connections appear as socket: followed immediately by the inode number of the FD. Run the following command:
$ ll /proc/2143/fd/ | grep socket
LRWX------1 v0id v0id 64 November 11:19 socket:[27273]
LRWX------1 v0id v0id 64 November 20:48 101-socket:[3726782]
LRWX------1 v0id v0id 64 November 11:19 socket:[27336]
LRWX------1 v0id v0id 64 November 11:19 socket:[27337]
LRWX------1 v0id v0id 64 November 11:19 socket:[28264]
LRWX------1 v0id v0id 64 November 20:48 socket:[29375]
LRWX------1 v0id v0id 64 November 20:48 socket:[29692]
LRWX------1 v0id v0id 64 November 20:48 socket:[30810]
LRWX------1 v0id v0id 64 November 20:48 socket:[30812]
LRWX------1 v0id v0id 64 November 20:48 socket:[31803]
LRWX------1 v0id v0id 64 November 11:19 4 socket:[26607]
LRWX------1 v0id v0id 64 November 20:48, socket:[31071]
LRWX------1 v0id v0id 64 November 20:48 socket:[31073]
LRWX------1 v0id v0id 64 November 20:52 socket:[5245647]
LRWX------1 v0id v0id 64 November 20:52 socket:[5244897]
LRWX------1 v0id v0id 64 November 20:52 socket:[5248187]
LRWX------1 v0id v0id 64 November 20:52 socket:[5246226]
LRWX------1 v0id v0id 64 November 20:52 socket:[5246227]
LRWX------1 v0id v0id 64 November 20:52 socket:[5246228]
LRWX------1 v0id v0id 64 November 20:52 socket:[5248188]
LRWX------1 v0id v0id 64 November 20:52 socket:[5248189]
LRWX------1 v0id v0id 64 November 20:52, socket:[5246239]
LRWX------1 v0id v0id 64 November 20:48 socket:[3726781]
LRWX------1 v0id v0id 64 November 20:52 Bayi--socket:[5248214]
LRWX------1 v0id v0id 64 November 20:52-socket:[5248217]
LRWX------1 v0id v0id 64 November 20:52, socket:[5246330]
LRWX------1 v0id v0id 64 November 20:52 socket:[5248215]
LRWX------1 v0id v0id 64 November 20:52, socket:[5246331]
LRWX------1 v0id v0id 64 November 20:52 socket:[5248216]
LRWX------1 v0id v0id 64 November 20:52 socket:[5248218]
LRWX------1 v0id v0id 64 November 20:52 socket:[5249212]
LRWX------1 v0id v0id 64 November 20:48 socket:[37239]
LRWX------1 v0id v0id 64 November 11:19 9 socket:[27820]
LRWX------1 v0id v0id 64 November 20:52 socket:[5248222]
LRWX------1 v0id v0id 64 November 20:52, socket:[5248223]
LRWX------1 v0id v0id 64 November 20:52 socket:[5249279]
LRWX------1 v0id v0id 64 November 20:48 94-socket:[37240]
LRWX------1 v0id v0id 64 November 20:48, socket:[38308]
LRWX------1 v0id v0id 64 November 20:48 socket:[37345]
LRWX------1 v0id v0id 64 November 20:52 98-socket:[5249281]
LRWX------1 v0id v0id 64 November 20:52, socket:[5249282]
(3) Read the current connections in real time from the network connection status file /proc/net/tcp. Each entry gives the source address, destination address, source port and destination port of a connection, together with its inode. Comparing this information with the five-tuples obtained from packet capture locates the traffic of each connection in the table built in step (1). The inode of the connection is then compared with the table built by the process traversal in step (2) to find the process that owns the connection. This is how the traffic of each process is counted. Total network traffic can be obtained by adding up the traffic of all processes.
$ ll /proc/2143/fd/ | grep socket; cat /proc/net/tcp
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
0:0101007f:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 12396 1 00000000 100 0 0 10 0
1:0100007f:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 11404 1 00000000 100 0 0 10 0
2:9707A8C0:8BB9 0c7cb5dc:0050 02 00000001:00000000 01:00000166 00000002 1000 0 5243074 2 00000000 400 0 0 2 5
3:9707a8c0:86f7 df08a8c0:0050 01 00000000:00000000 00:00000000 00000000 1000 0 5245647 1 00000000 21 4 8 10-1
4:9707A8C0:BFC9 e99d4f75:0050 01 00000000:00000000 00:00000000 00000000 1000 0 5248217 1 00000000 20 4 24 10-1
5:9707A8C0:85FC ae2ed0cb:0050 01 00000000:00000000 00:00000000 00000000 1000 0 5248218 2 00000000 20 4 24 10-1
6:9707a8c0:9052 c99d4f75:0050 01 00000000:00000000 00:00000000 00000000 1000 0 5246239 2 00000000 20 4 20 10-1
7:9707a8c0:9281 925c4f75:0050 01 00000000:00000000 00:00000000 00000000 1000 0 5246331 1 00000000 20 4 8 10-1
8:9707A8C0:DFB3 dd5d4f75:0050 01 00000000:00000000 00:00000000 00000000 1000 0 5249212 2 00000000 21 4 24 10-1
9:9707A8C0:DFB5 dd5d4f75:0050 01 00000000:00000000 00:00000000 00000000 1000 0 5248223 2 00000000 20 4 24 10-1
10:9707a8c0:a614 e19d4f75:0050 01 00000000:00000000 00:00000000 00000000 1000 0 5246330 1 00000000 20 4 24 10-1
11:9707a8c0:9051 c99d4f75:0050 01 00000000:00000000 00:00000000 00000000 1000 0 5248189 2 00000000 20 4 1 6-1
12:9707a8c0:904b c99d4f75:0050 01 00000000:00000000 00:00000000 00000000 1000 0 5244897 1 00000000 20 4 8 10-1
13:9707a8c0:dfa5 dd5d4f75:0050 01 00000000:00000000 00:00000000 00000000 1000 0 5248187 2 00000000 20 4 8 10-1
14:9707a8c0:a613 e19d4f75:0050 01 00000000:00000000 00:00000000 00000000 1000 0 5248214 1 00000000 20 4 24 10-1
15:9707a8c0:905e c99d4f75:0050 01 00000000:00000000 00:00000000 00000000 1000 0 5249281 3 00000000 20 5 3 10-1
16:9707a8c0:eafe df08a8c0:0050 08 00000000:00000001 00:00000000 00000000 1000 0 2102209 1 00000000 20 4 6 50 16
17:9707a8c0:dfb0 dd5d4f75:0050 01 00000000:00000000 00:00000000 00000000 1000 0 5248216 2 00000000 20 4 24 10-1
18:9707a8c0:904e c99d4f75:0050 01 00000000:00000000 00:00000000 00000000 1000 0 5246227 2 00000000 20 4 20 10-1
19:9707a8c0:dfb6 dd5d4f75:0050 01 00000000:00000000 00:00000000 00000000 1000 0 5249279 2 00000000 21 0 0 10-1
20:9707a8c0:905f c99d4f75:0050 01 00000000:00000000 00:00000000 00000000 1000 0 5249282 2 00000000 20 4 9 10-1
21:9707A8C0:C8CF 8805e29f:0050 08 00000000:00000001 00:00000000 00000000 1000 0 273820 1 00000000 20 4 6 43 16
22:9707a8c0:975d 525d58de:0050 01 00000000:00000000 00:00000000 00000000 1000 0 5246226 1 00000000 21 4 24 10-1
23:9707a8c0:9055 c99d4f75:0050 01 00000000:00000000 00:00000000 00000000 1000 0 5248215 1 00000000 20 4 20 10-1
24:9707A8C0:DFB4 dd5d4f75:0050 01 00000000:00000000 00:00000000 00000000 1000 0 5248222 2 00000000 20 4 24 10-1
25:9707A8C0:DFA9 dd5d4f75:0050 01 00000000:00000000 00:00000000 00000000 1000 0 5248188 2 00000000 21 4 8 10-1
26:9707a8c0:904f c99d4f75:0050 01 00000000:00000000 00:00000000 00000000 1000 0 5246228 2 00000000 20 4 11 10-1
An inode number in this output that matches one of the socket:[inode] entries from step (2), such as inode 5248222, means that the connection belongs to Firefox.
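The three steps joined together, as an added example that is not the author's code: it scans fd links for socket inodes, decodes /proc/net/tcp rows into address/port tuples, and sums captured bytes per PID. The function names are hypothetical, a plain dict of constructed byte counts stands in for the libpcap table of step (1), and the address decoding assumes a little-endian host such as x86.

```python
import os, re, socket, struct
from collections import defaultdict
SOCK_LINK = re.compile(r"socket:\[(\d+)\]")

def inode_to_pid(proc_root="/proc"):
    """Step (2): readlink every <proc_root>/<pid>/fd/* and map socket inode -> PID."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                m = SOCK_LINK.fullmatch(os.readlink(os.path.join(fd_dir, fd)))
                if m:
                    owners[int(m.group(1))] = int(pid)
        except OSError:  # process exited mid-scan, or its fd/ needs root to read
            continue
    return owners

def endpoint(hex_ep):
    """'9707A8C0:DFB4' -> ('192.168.7.151', 57268). Assumes a little-endian host."""
    addr, port = hex_ep.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def tcp_connections(text):
    """Step (3): yield ((src, sport, dst, dport), inode) for each /proc/net/tcp row."""
    for row in text.splitlines()[1:]:  # first line is the column header
        f = row.split()
        if len(f) >= 10:
            yield endpoint(f[1]) + endpoint(f[2]), int(f[9])

def bytes_per_pid(flow_bytes, tcp_text, owners):
    """Join the step (1) byte table to PIDs; a flow is counted in both directions."""
    totals = defaultdict(int)
    for conn, inode in tcp_connections(tcp_text):
        pid = owners.get(inode)  # None: inode 0 (e.g. TIME_WAIT) or owner not visible
        totals[pid] += flow_bytes.get(conn, 0) + flow_bytes.get(conn[2:] + conn[:2], 0)
    return dict(totals)

# Constructed samples: two rows laid out as in /proc/net/tcp, and made-up byte counts.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  24: 9707A8C0:DFB4 DD5D4F75:0050 01 00000000:00000000 00:00000000 00000000  1000        0 5248222 2 00000000 20 4 24 10 -1
   3: 9707A8C0:86F7 DF08A8C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 5245647 1 00000000 21 4 8 10 -1
"""
SAMPLE_FLOWS = {
    ("192.168.7.151", 57268, "117.79.93.221", 80): 1200,   # packets sent
    ("117.79.93.221", 80, "192.168.7.151", 57268): 48000,  # packets received
    ("192.168.7.151", 34551, "192.168.8.223", 80): 900,
}
```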
How to get the current flow of a process in GNU Linux