How to obtain the current traffic of a process in GNU/Linux
/*********************************************************************
* Author: Samson
* Date: 11/19/2014
* Test platform:
* 3.small-24-generic
* GNU bash, 4.3.11(1)-release
*********************************************************************/
The procedure is as follows:
(1) Use the libpcap packet capture library to capture network packets. For each packet this yields the 5-tuple (source address, destination address, source port, destination port, and protocol number) and the size of the packet. Store this information in a table keyed by 5-tuple; as a session continues to exchange packets, the sizes of its packets accumulate in the session's entry.
(2) Traverse the fd/ directory of every process under /proc/ and read the target of each link. Keep the links whose target begins with socket, and build a table that maps each process ID to the inode numbers of that process's socket file descriptors. To view the current network connections of a single process from the command line, use the following commands:
# Get PID of firefox
v0id@v0id:~$ ps aux | grep firefox
v0id 2143 7.8 21.0 1138824 433960 ? Sl 11:19 44:36 /usr/lib/firefox
If the firefox process ID is 2143, list the file descriptors in that process's fd directory and filter for sockets. In the readlink result, a file descriptor used for a network connection points to a target that begins with socket:, followed by the inode number of that descriptor. Run the following command:
v0id@v0id:~$ ll /proc/2143/fd/ | grep socket
lrwx------ 1 v0id v0id 64 November 19 11:19 10 -> socket:[27273]
lrwx------ 1 v0id v0id 64 November 19 20:48 101 -> socket:[3726782]
lrwx------ 1 v0id v0id 64 November 19 11:19 -> socket:[27336]
lrwx------ 1 v0id v0id 64 November 19 11:19 -> socket:[27337]
lrwx------ 1 v0id v0id 64 November 19 11:19 21 -> socket:[28264]
lrwx------ 1 v0id v0id 64 November 19 20:48 -> socket:[29375]
lrwx------ 1 v0id v0id 64 November 19 20:48 31 -> socket:[29692]
lrwx------ 1 v0id v0id 64 November 19 20:48 32 -> socket:[30810]
lrwx------ 1 v0id v0id 64 November 19 20:48 33 -> socket:[30812]
lrwx------ 1 v0id v0id 64 November 19 20:48 36 -> socket:[31803]
lrwx------ 1 v0id v0id 64 November 19 11:19 4 -> socket:[26607]
lrwx------ 1 v0id v0id 64 November 19 20:48 40 -> socket:[31071]
lrwx------ 1 v0id v0id 64 November 19 20:48 41 -> socket:[31073]
lrwx------ 1 v0id v0id 64 November 19 20:52 -> socket:[5245647]
lrwx------ 1 v0id v0id 64 November 19 20:52 69 -> socket:[5244897]
lrwx------ 1 v0id v0id 64 November 19 20:52 71 -> socket:[5248187]
lrwx------ 1 v0id v0id 64 November 19 20:52 72 -> socket:[5246226]
lrwx------ 1 v0id v0id 64 November 19 20:52 -> socket:[5246227]
lrwx------ 1 v0id v0id 64 November 19 20:52 76 -> socket:[5246228]
lrwx------ 1 v0id v0id 64 November 19 20:52 77 -> socket:[5248188]
lrwx------ 1 v0id v0id 64 November 19 20:52 78 -> socket:[5248189]
lrwx------ 1 v0id v0id 64 November 19 20:52 79 -> socket:[5246239]
lrwx------ 1 v0id v0id 64 November 19 20:48 80 -> socket:[3726781]
lrwx------ 1 v0id v0id 64 November 19 20:52 81 -> socket:[5248214]
lrwx------ 1 v0id v0id 64 November 19 20:52 82 -> socket:[5248217]
lrwx------ 1 v0id v0id 64 November 19 20:52 83 -> socket:[5246330]
lrwx------ 1 v0id v0id 64 November 19 20:52 84 -> socket:[5248215]
lrwx------ 1 v0id v0id 64 November 19 20:52 85 -> socket:[5246331]
lrwx------ 1 v0id v0id 64 November 19 20:52 86 -> socket:[5248216]
lrwx------ 1 v0id v0id 64 November 19 20:52 87 -> socket:[5248218]
lrwx------ 1 v0id v0id 64 November 19 20:52 88 -> socket:[5249212]
lrwx------ 1 v0id v0id 64 November 19 20:48 89 -> socket:[37239]
lrwx------ 1 v0id v0id 64 November 19 11:19 9 -> socket:[27820]
lrwx------ 1 v0id v0id 64 November 19 20:52 90 -> socket:[5248222]
lrwx------ 1 v0id v0id 64 November 19 20:52 92 -> socket:[5248223]
lrwx------ 1 v0id v0id 64 November 19 20:52 93 -> socket:[5249279]
lrwx------ 1 v0id v0id 64 November 19 20:48 94 -> socket:[37240]
lrwx------ 1 v0id v0id 64 November 19 20:48 96 -> socket:[38308]
lrwx------ 1 v0id v0id 64 November 19 20:48 97 -> socket:[37345]
lrwx------ 1 v0id v0id 64 November 19 20:52 98 -> socket:[5249281]
lrwx------ 1 v0id v0id 64 November 19 20:52 99 -> socket:[5249282]
(3) Read the current connections from the network connection status file /proc/net/tcp in real time. Each entry gives the source address, destination address, source port, and destination port of a connection, which identify the matching entry in the packet capture table created in step (1); comparing the 5-tuples gives the network traffic of each connection. Then compare the inode of each connection with the table obtained by traversing the processes in step (2) to find the process that owns the connection. This gives the traffic of each process. By accumulating the network traffic of each process, we can get the total network traffic.
v0id@v0id:~$ ll /proc/2143/fd/ | grep socket; cat /proc/net/tcp
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
0: 0101007F:0035 then 0A then 00000000 0 0 12396 1 00000000 100 0 10 0
1: 0100007F:0277 then 0A then 0 0 00000000 1 11404 00000000 0 0 10 0
2: 9707A8C0:8BB9 0C7CB5DC:0050 02 00000001:00000000 01:00000166 00000002 1000 0 5243074 2 00000000 0 2 5
3: 9707A8C0:86F7 DF08A8C0:0050 01 00000000 1000 0 5245647 1 00000000 21 4 8 10 -1
4: 9707A8C0:BFC9 E99D4F75:0050 01 00000000 1000 0 5248217 1 00000000 20 4 24 10 -1
5: 9707A8C0:85FC AE2ED0CB:0050 01 00000000 1000 0 5248218 2 00000000 20 4 24 10 -1
6: 9707A8C0:9052 C99D4F75:0050 01 00000000 1000 0 5246239 2 00000000 20 4 20 10 -1
7: 9707A8C0:9281 925C4F75:0050 01 00000000 1000 0 5246331 1 00000000 20 4 8 10 -1
8: 9707A8C0:DFB3 DD5D4F75:0050 01 00000000 1000 0 5249212 2 00000000 21 4 24 10 -1
9: 9707A8C0:DFB5 DD5D4F75:0050 01 00000000 1000 0 5248223 2 00000000 20 4 24 10 -1
10: 9707A8C0:A614 E19D4F75:0050 01 00000000 1000 0 5246330 1 00000000 20 4 24 10 -1
11: 9707A8C0:9051 C99D4F75:0050 01 00000000 1000 0 5248189 2 00000000 20 4 1 6 -1
12: 9707A8C0:904B C99D4F75:0050 01 00000000 1000 0 5244897 1 00000000 20 4 8 10 -1
13: 9707A8C0:DFA5 DD5D4F75:0050 01 00000000 1000 0 5248187 2 00000000 20 4 8 10 -1
14: 9707A8C0:A613 E19D4F75:0050 01 00000000 1000 0 5248214 1 00000000 20 4 24 10 -1
15: 9707A8C0:905E C99D4F75:0050 01 00000000 1000 0 5249281 3 00000000 5 3 10 -1
16: 9707A8C0:EAFE DF08A8C0:0050 08 00000000 1000 0 2102209 1 00000000 20 4 6 50 16
17: 9707A8C0:DFB0 DD5D4F75:0050 01 00000000 1000 0 5248216 2 00000000 20 4 24 10 -1
18: 9707A8C0:904E C99D4F75:0050 01 00000000 1000 0 5246227 2 00000000 20 4 20 10 -1
19: 9707A8C0:DFB6 DD5D4F75:0050 01 00000000 1000 0 5249279 2 00000000 21 0 0 10 -1
20: 9707A8C0:905F C99D4F75:0050 01 00000000 1000 0 5249282 2 00000000 20 4 9 10 -1
21: 9707A8C0:C8CF 8805E29F:0050 08 00000000 1000 0 273820 1 00000000 20 4 6 43 16
22: 9707A8C0:975D 525D58DE:0050 01 00000000 1000 0 5246226 1 00000000 21 4 24 10 -1
23: 9707A8C0:9055 C99D4F75:0050 01 00000000 1000 0 5248215 1 00000000 20 4 20 10 -1
24: 9707A8C0:DFB4 DD5D4F75:0050 01 00000000 1000 0 5248222 2 00000000 20 4 24 10 -1
25: 9707A8C0:DFA9 DD5D4F75:0050 01 00000000 1000 0 5248188 2 00000000 21 4 8 10 -1
26: 9707A8C0:904F C99D4F75:0050 01 00000000 1000 0 5246228 2 00000000 20 4 11 10 -1
The inode numbers in this output match the socket:[inode] values listed in step (2). For example, the connection with inode 5248222 appears in both listings, so this connection belongs to firefox.
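The join described in steps (1) to (3), as an added example that is not part of the original article: it parses /proc/net/tcp text, maps socket inodes to PIDs, and sums a flow table per process. All inputs are constructed samples; the addresses and the inodes 5248222 and 5245647 echo the listings above, while PID 4000, inode 777, the queue and timer columns and every byte count are invented, and the function names are this example's own.

```python
import re, socket, struct
from collections import defaultdict

# Constructed sample inputs. Addresses and two inodes echo the listings above;
# the queue/timer columns, PID 4000, inode 777 and all byte counts are invented.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 9707A8C0:DFB4 DD5D4F75:0050 01 00000000:00000000 00:00000000 00000000  1000        0 5248222 2
   1: 9707A8C0:86F7 DF08A8C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 5245647 1
   2: 9707A8C0:C000 DF08A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 777 1
"""
FD_LINKS = {2143: ["socket:[5248222]", "socket:[5245647]", "/dev/null"],
            4000: ["socket:[777]", "pipe:[123]"]}
FLOWS = {  # step (1) table: (src, sport, dst, dport, proto) -> bytes captured
    ("192.168.7.151", 57268, "117.79.93.221", 80, 6): 1200,
    ("117.79.93.221", 80, "192.168.7.151", 57268, 6): 48000,  # reply direction
    ("192.168.7.151", 34551, "192.168.8.223", 80, 6): 300,
    ("192.168.7.151", 49152, "192.168.8.223", 443, 6): 900,
    ("192.168.7.151", 40000, "10.0.0.1", 22, 6): 64,          # socket already closed
}

def decode(hex_addr):
    """'9707A8C0:DFB4' -> ('192.168.7.151', 57268); the IPv4 part is little-endian hex."""
    ip, port = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip, 16))), int(port, 16)

def tcp_inodes(text):
    """Step (3): map (local_ip, local_port, remote_ip, remote_port) -> socket inode."""
    table = {}
    for line in text.splitlines()[1:]:        # skip the header row
        f = line.split()
        if len(f) >= 10 and f[9] != "0":      # inode 0: no owning socket (e.g. TIME_WAIT)
            table[decode(f[1]) + decode(f[2])] = int(f[9])
    return table

def inode_owners(fd_links):
    """Step (2): map socket inode -> PID from readlink targets of /proc/<pid>/fd/*."""
    pat = re.compile(r"socket:\[(\d+)\]")
    return {int(m.group(1)): pid for pid, targets in fd_links.items()
            for m in map(pat.fullmatch, targets) if m}

def per_pid_bytes(flows, conns, owners):
    """Join the three tables; flows with no live socket are summed under None."""
    totals = defaultdict(int)
    for (src, sport, dst, dport, proto), nbytes in flows.items():
        if proto != 6:                        # this table holds TCP only
            continue
        inode = conns.get((src, sport, dst, dport)) or conns.get((dst, dport, src, sport))
        totals[owners.get(inode)] += nbytes
    return dict(totals)
```

On a live system the text comes from /proc/net/tcp and the link targets from os.readlink() on each /proc/<pid>/fd entry, which needs root for other users' processes. /proc/net/tcp lists IPv4 TCP only; IPv6 and UDP sockets are in /proc/net/tcp6, /proc/net/udp and /proc/net/udp6.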