traffic from different users/PID and same program is merged
nick2k3 opened this issue · 4 comments
Hello,
I am trying to use nethogs on a Debian system which runs smbd.
smbd is configured so that different users, let's say A and B, are able to connect to different shares.
If I run
sudo nethogs
I can see the data exchanged by the user A:
NetHogs version 0.8.5-2
PID USER PROGRAM DEV SENT RECEIVED
13108 A /usr/sbin/smbd eth0 1711.393 46.971 KB/sec
However, if the user B tries to access another share, and thus generates traffic, all its traffic is masqueraded as user A. Also, the PID of the new connection is different, but the 'old' one used by A's connection is shown.
If I re-run nethogs I am able to correctly see the new connection with user B and the correct PID.
Is this behavior intended?
> Is this behavior intended?
No, definitely not.
Nethogs works by taking the source and destination ip:port pairs, looking up the inode for them in /proc/net/tcp, and then scanning the processes in /proc to associate that inode with a process.
Because that is rather slow, that relationship is cached. It seems like the traffic of user B is matching the cached connection for user A - though that would mean the complete ip:port pair (so both source and destination IPs and port numbers) were identical.
Could you look at the connections with netstat and confirm that that is the case? Then we can take it from there :)
Hi @raboof
I'm pretty sure I have the same problem.
When I use nethogs to monitor two ssh sessions that are logged in with two different accounts and have different PIDs and source IP and port, I can only see one.
Like @nick2k3 says: however if the user B tries to access another share, and thus generate traffic, all its traffic is masqueraded as user A, also the PID of the new connection is different but the 'old' one used by A's connection is shown.
> diff pid and source IP, port
Interesting!
If I recall correctly nethogs does differentiate between 'incoming' and 'outgoing' connections, and for 'incoming' connections perhaps we cache regardless of the 'source' (i.e., remote) port. Perhaps for your scenario it got it backwards? I'd appreciate anyone digging into this further.
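Added example, not part of the thread and not nethogs's own code: a small model of the lookup described above (ip:port pair → inode in /proc/net/tcp → process), showing how a cache keyed on the full 4-tuple keeps users A and B apart while a cache key that ignores the remote endpoint attributes B's traffic to A. The /proc/net/tcp sample, the addresses, PID 13250, the inode-to-process table and `local_only_key` are constructed assumptions; `local_only_key` only illustrates the hypothesis raised in this comment.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format: two ESTABLISHED (st=01) connections
# to local port 445 from different remote hosts, each with its own socket inode.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A01A8C0:01BD 1401A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 50001
   1: 0A01A8C0:01BD 1501A8C0:C351 01 00000000:00000000 00:00000000 00000000     0        0 50002
"""
# Stand-in for scanning /proc/<pid>/fd for "socket:[inode]" links (constructed).
INODE_OWNER = {50001: (13108, "A"), 50002: (13250, "B")}

def decode(addr):
    """'0A01A8C0:01BD' -> ('192.168.1.10', 445); IPv4 hex is little-endian here (x86)."""
    ip_hex, port_hex = addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Map (local_ip, local_port, remote_ip, remote_port) -> socket inode."""
    table = {}
    for line in text.splitlines()[1:]:            # skip the header row
        f = line.split()
        if len(f) >= 10:
            table[decode(f[1]) + decode(f[2])] = int(f[9])
    return table

def full_key(conn):
    return conn            # both endpoints: one cache entry per connection

def local_only_key(conn):
    return conn[:2]        # hypothetical lossy key: remote endpoint ignored

def attribute(connections, cache_key):
    """Resolve each connection to (pid, user), caching results under cache_key(conn)."""
    inodes, cache, result = parse_proc_net_tcp(PROC_NET_TCP), {}, {}
    for conn in connections:
        key = cache_key(conn)
        if key not in cache:                      # slow path: inode -> process
            cache[key] = INODE_OWNER[inodes[conn]]
        result[conn] = cache[key]
    return result

CONN_A = ("192.168.1.10", 445, "192.168.1.20", 50000)
CONN_B = ("192.168.1.10", 445, "192.168.1.21", 50001)

if __name__ == "__main__":
    for name, fn in (("full 4-tuple", full_key), ("local endpoint only", local_only_key)):
        print(name, attribute([CONN_A, CONN_B], fn))
```

With the lossy key, the second connection never reaches the slow path, which matches the reported symptom that restarting nethogs (an empty cache) shows user B correctly.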
> I'd appreciate anyone digging into this further.
I saw another person's blog using version 0.8.0 that can see two ssh sessions.
I don't know why I can use it in my Ubuntu 20 desktop.