11-06-2011, 09:58 AM
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,293
Blog Entries: 54

Quote:
Originally Posted by entz View Post
dump all packets and list them according to the processes that either sent or received them.
No, packet capturing doesn't work at the process level. Sure, it can be done, but it'll take correlation. Netfilter provides targets like ULOG / NFLOG and NFQUEUE to copy packets which userland apps can read and store. The benefit here is that Netfilter can classify traffic based on criteria (example: http://wiki.wireshark.org/CaptureSetup/NFLOG) that tshark / tcpdump cannot, which may make things less difficult. Your approach and what correlation you need (Auditd, Atop, strace, kprobes, inotify, whatever else you can think of) depend on what you're looking for. So please first elaborate and be as verbose and complete as possible.
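One way to do the correlation step unSpawn refers to, as an added example that is not part of the original post: take a captured packet's TCP 4-tuple, look the endpoint up in /proc/net/tcp to get the socket inode, then find which /proc/<pid>/fd symlink points at that inode. The /proc/net/tcp excerpt and fd table below are constructed sample data, and the address decoding assumes a little-endian host.

```python
import socket
import struct
# Constructed excerpt in /proc/net/tcp format: hex addresses in host byte order
# (little-endian assumed here), hex ports, and the socket inode in column 10.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1
   1: 0F02000A:C350 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1
"""
# Constructed stand-in for `readlink /proc/<pid>/fd/*` output, keyed by PID.
SAMPLE_FD_TABLE = {
    "22": ["socket:[12345]", "/dev/null"],
    "4321": ["/dev/pts/0", "socket:[67890]"],
}

def parse_endpoint(hexaddr):
    """'0100007F:0016' -> ('127.0.0.1', 22)."""
    addr, port = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def socket_table(proc_net_tcp):
    """Map (local_ip, local_port, remote_ip, remote_port) -> socket inode."""
    table = {}
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        table[parse_endpoint(fields[1]) + parse_endpoint(fields[2])] = int(fields[9])
    return table

def inode_to_pid(fd_table):
    """Invert the fd symlink table: socket inode -> owning PID."""
    owners = {}
    for pid, targets in fd_table.items():
        for target in targets:
            if target.startswith("socket:[") and target.endswith("]"):
                owners[int(target[8:-1])] = int(pid)
    return owners

def pid_for_packet(src_ip, src_port, dst_ip, dst_port,
                   proc_net_tcp=SAMPLE_PROC_NET_TCP, fd_table=SAMPLE_FD_TABLE):
    """Attribute a captured packet to a PID, whether it was sent or received."""
    sockets, owners = socket_table(proc_net_tcp), inode_to_pid(fd_table)
    # Try the connection in both directions, then a listening socket
    # (remote 0.0.0.0:0) for packets such as an incoming SYN.
    for key in ((src_ip, src_port, dst_ip, dst_port),
                (dst_ip, dst_port, src_ip, src_port),
                (dst_ip, dst_port, "0.0.0.0", 0)):
        if key in sockets:
            return owners.get(sockets[key])
    return None
```

On a real host you would feed it the contents of /proc/net/tcp (and /proc/net/tcp6, udp) and the readlink output of every /proc/<pid>/fd entry; note that /proc/net/tcp only shows sockets in the current network namespace, and short-lived connections may close before the snapshot is taken, which is where NFLOG timestamps or auditd records help.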