Detective Work

The legacy Tcpdump is a tool no admin would want to do without, but it is a bit long in the tooth. The eBPF-based Ptcpdump aims to counter this worry. The rewrite offers extensive CLI compatibility and can even display process information.

Tcpdump [1] is a popular tool for capturing network traffic. Most admins are aware that they can use Tcpdump to save a record of network traffic in the Pcap format [2], then analyze and visualize the traffic using a protocol analysis tool such as Wireshark. In-depth troubleshooting with Tcpdump is often the last resort when you have exhausted all other options and you still can't open a network connection (Figure 1).

On the downside, many users are annoyed by the fact that Tcpdump can't map network traffic to specific processes. In other words, Tcpdump cannot tell you which program the logged packets belong to. As a workaround, programs can sometimes be identified on the basis of IP addresses and their inand outbound ports.

The reason why Tcpdump can't assign network traffic to individual programs is because it first switches network interfaces into promiscuous mode in order to see all incoming packets. By doing this, it works around some of the security functions that the Linux kernel actually dictates before you can sniff network connections; however, at the network level, Linux itself does not offer a way to correlate programs and traffic. Also, Tcpdump does not offer the option to group and output the information on the system; you cannot simply tell the program to read packets from certain programs and ignore the rest.

When Tcpdump was created, the Linux kernel did not offer anywhere near the present level of functionality. Theoretically, it should be possible to modify and provide the required functions for process tracking, but no one has done this work thus far.