Saturday 16 July 2016

Getting a network trace from a single application

I recently wanted a way to get a network packet trace from a specific application. My googling showed me an old askubuntu thread that solved this by using Linux network namespaces.

You create a new network namespace that is isolated from your regular network, then use a virtual network interface and iptables to let traffic from that namespace reach your regular network. Start the application and wireshark inside the namespace, and the capture contains only that application's traffic.
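The recipe above, done by hand, as an added example: this is my own sketch, not nsntrace's code and not the askubuntu answer verbatim. The namespace name, the veth names, the 172.16.42.0/30 link addresses and the choice of tcpdump (rather than wireshark) inside the namespace are this script's own assumptions, and it has to run as root. DRY_RUN=1 prints the command sequence instead of executing it, which is the easiest way to review what will be done to the host before doing it.

```shell
#!/bin/sh
# Added example: a minimal re-implementation of the namespace recipe.
# Not nsntrace's own code. The namespace name, veth names and the
# 172.16.42.0/30 link addresses are this script's own choices.
set -eu

NS="${NS:-nstrace}"               # network namespace that isolates the program
VETH_HOST="${VETH_HOST:-vnst0}"   # veth end that stays in the host namespace
VETH_NS="${VETH_NS:-vnst1}"       # veth end that is moved into $NS
HOST_IP="${HOST_IP:-172.16.42.1}" # host side of the veth link
NS_IP="${NS_IP:-172.16.42.2}"     # the traced program's address in the trace
PREFIX=30
DRY_RUN="${DRY_RUN:-0}"           # DRY_RUN=1 prints commands instead of running them

# run: execute a command, or print it when DRY_RUN=1 so the whole sequence
# can be reviewed without root and without touching the real network.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_namespace DEV: build the isolated namespace and NAT it out via DEV.
setup_namespace() {
    dev="$1"
    run ip netns add "$NS"
    run ip link add "$VETH_HOST" type veth peer name "$VETH_NS"
    run ip link set "$VETH_NS" netns "$NS"
    run ip addr add "$HOST_IP/$PREFIX" dev "$VETH_HOST"
    run ip link set "$VETH_HOST" up
    run ip netns exec "$NS" ip addr add "$NS_IP/$PREFIX" dev "$VETH_NS"
    run ip netns exec "$NS" ip link set "$VETH_NS" up
    run ip netns exec "$NS" ip link set lo up
    run ip netns exec "$NS" ip route add default via "$HOST_IP"
    run sysctl -q -w net.ipv4.ip_forward=1
    # NAT only this one source address, and only out of the chosen device,
    # so the rule cannot masquerade anything else on the host by accident.
    run iptables -t nat -A POSTROUTING -s "$NS_IP/32" -o "$dev" -j MASQUERADE
    # Forwarding is scoped to the veth <-> DEV pair; inbound packets must
    # belong to a connection the namespace opened itself.
    run iptables -A FORWARD -i "$VETH_HOST" -o "$dev" -j ACCEPT
    run iptables -A FORWARD -i "$dev" -o "$VETH_HOST" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# teardown_namespace DEV: remove the rules and the namespace (deleting the
# namespace also destroys both ends of the veth pair).
teardown_namespace() {
    dev="$1"
    run iptables -D FORWARD -i "$dev" -o "$VETH_HOST" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -D FORWARD -i "$VETH_HOST" -o "$dev" -j ACCEPT
    run iptables -t nat -D POSTROUTING -s "$NS_IP/32" -o "$dev" -j MASQUERADE
    run ip netns del "$NS"
}

# main -d DEV [-o FILE] PROG [ARGS]: capture inside the namespace while PROG runs.
main() {
    dev=""; out="nstrace.pcap"
    while getopts 'd:o:' opt; do
        case "$opt" in
            d) dev="$OPTARG" ;;
            o) out="$OPTARG" ;;
            *) echo "usage: $0 -d device [-o file] PROG [ARGS]" >&2; exit 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    if [ -z "$dev" ] || [ "$#" -eq 0 ]; then
        echo "usage: $0 -d device [-o file] PROG [ARGS]" >&2; exit 2
    fi
    setup_namespace "$dev"
    trap 'teardown_namespace "$dev"' EXIT
    # The capture runs inside the namespace, so it sees only PROG's packets.
    # It is started directly (not through run) so $! is tcpdump's own pid,
    # and stopped with SIGTERM: a background job in a non-interactive shell
    # has SIGINT ignored, and tcpdump leaves an ignored SIGINT ignored.
    cap_pid=""
    if [ "$DRY_RUN" = 1 ]; then
        run ip netns exec "$NS" tcpdump -i "$VETH_NS" -w "$out"
    else
        ip netns exec "$NS" tcpdump -i "$VETH_NS" -w "$out" &
        cap_pid=$!
        sleep 1
    fi
    run ip netns exec "$NS" "$@" || true   # PROG failing must not skip cleanup
    if [ -n "$cap_pid" ]; then
        kill -TERM "$cap_pid" 2>/dev/null || true
        wait "$cap_pid" 2>/dev/null || true
    fi
}

# Only dispatch when invoked with arguments, so the functions can be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Usage is the same shape as nsntrace: `sudo sh nstrace.sh -d eth1 wget www.google.com`, then `tshark -r nstrace.pcap -Y 'http.request or http.response'`. Two things to know before relying on it: name resolution inside the namespace uses /etc/netns/nstrace/resolv.conf if that file exists and the host's /etc/resolv.conf otherwise, so a host whose resolver is a local stub (127.0.0.53) needs a real nameserver written to the per-namespace file first; and net.ipv4.ip_forward is left enabled on exit, which you may want to set back by hand. The traced program also runs as root here, which is what nsntrace's -u option exists to avoid.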

I took that idea and turned it into a small program, nsntrace, hosted on GitHub.

> nsntrace
usage: nsntrace [-o file] [-d device] [-u username] PROG [ARGS]
Perform network trace of a single process by using network namespaces.

-o file     send trace output to file (default nsntrace.pcap)
-d device   the network device to trace
-u username run PROG as username 

It does pretty much what the askubuntu thread above describes, but in a single step.

> sudo nsntrace -d eth1 wget www.google.com
Starting network trace of 'wget' on interface eth1.
Your IP address in this trace is 172.16.42.255.
Use ctrl-c to end at any time.

--2016-07-15 12:12:17--  http://www.google.com/
Location: http://www.google.se/?gfe_rd=cr&ei=AbeIV5zZHcaq8wfTlrjgCA [following]
--2016-07-15 12:12:17--  http://www.google.se/?gfe_rd=cr&ei=AbeIV5zZHcaq8wfTlrjgCA
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html                                         [ <=>                                                                                                   ]  10.72K  --.-KB/s   in 0.001s 

2016-07-15 12:12:17 (15.3 MB/s) - ‘index.html’ saved [10980]

Finished capturing 42 packets.

> tshark -r nsntrace.pcap -Y 'http.response or http.request'
16   0.998839 172.16.42.255 -> 195.249.146.104    HTTP 229 GET http://www.google.com/ HTTP/1.1
20   1.010671    195.249.146.104 -> 172.16.42.255 HTTP 324 HTTP/1.1 302 Moved Temporarily  (text/html)
22   1.010898 172.16.42.255 -> 195.249.146.104    HTTP 263 GET http://www.google.se/?gfe_rd=cr&ei=AbeIV5zZHcaq8wfTlrjgCA HTTP/1.1
31   1.051006    195.249.146.104 -> 172.16.42.255 HTTP 71 HTTP/1.1 200 OK  (text/html)

If it is something you might have a use for, or simply find interesting, please check it out and help out with patches. It turns out I have a lot to learn about networking and networking code.

All the best!

4 comments:

  1. Have you considered creating a library? It could be used by GNOME Control Center's Network panel to detect which application is eating your data, a la Android. Useful when using a USB phone connection.

    1. Hi!

      I do not think the approach taken here is really suitable for a library. It is pretty invasive. We create a namespace and manipulate the network inside, and then launch an application inside. It is not, as far as I know, possible to move an application to a different network namespace on the fly.

      For what you describe above we would need a situation where all apps are started in a namespace of their own. It would take a more systematic approach which is possible when you control the system more directly as with Android.

      Maybe in a flatpak'd future?
  3. Hi! It would be nice to have the ability to redirect traffic to (for example) socks5 on a per-process level as well. Right now I use tsocks (http://tsocks.sourceforge.net/) to achieve this; it works, but it's clumsy: I need to create a .conf file for each proxy I want to redirect traffic to.