tracedump - a single program sniffer
This program captures all TCP and UDP packets of a single program. It consists of three elements:
- ptrace monitor - tracks bind(), connect() and sendto() syscalls and extracts local port numbers that the traced application uses
- pcap sniffer - using information from 1. it listens on an AF_PACKET/SOCK_DGRAM socket, with an appropriate BPF filter attached
- garbage collector - instead of monitoring for close() syscalls, this thread reads /proc/net/{udp,tcp} files in order to detect the sockets that the application no longer uses
As the output, it generates a PCAP file with SLL-encapsulated IP packets - readable by eg. Wireshark. It can be later used for detailed analysis of the networking operations made by a particular application. For instance it might be useful for automatic systems of IP traffic classification.
More information: http://mutrics.iitis.pl/tracedump
Please cite tracedump using the following publication:
Foremski P., "Tracedump: A Novel Single Application IP Packet Sniffer", Theoretical and Applied Informatics, Vol. 24 No. 1/2012, Gliwice 2012
- sometimes the traced process segfaults
- eg. Firefox started from tracedump
- eg. Chrome on restoring multiple tabs
- maybe more work on better ptrace transparency is required - especially on code injection?
- cant start chromium-browser within tracedump, but attaching works (to appropriate pid)
- IP packets past the first fragment will not be captured
- there is a low probability of loosing TCP packets if the time distance between a particular bind() system call and a connect() or listen() call is greater than 60 seconds
- maximum number of monitored ports is limited to less than 300 ports, due to limits on the BPF filter attached to the sniffing socket