Filter by Process ID
Case
- Trace packets tied to particular PIDs, mirroring the safeguards in test_pid_filter.sh.
- Useful when multiple instances of the same program coexist and you only want the traffic from specific processes.
- Isolate network traffic generated by a specific process when multiple instances of the same application are running.
- Debug network communication for a particular process without being overwhelmed by unrelated system traffic.
- Monitor the network activity of a suspicious process identified by its PID.
Command
sudo ptcpdump -i any --pid $(pgrep -n python3) -f
Start the capture and note the PID you are targeting (replace the $(pgrep -n python3) subshell with your own PID or list of PIDs if needed).
Then, from that python3 process, issue:
import http.client; http.client.HTTPConnection('1.1.1.1', 80).request("GET", '/')
ptcpdump emits the SYN/ACK pair (and the segments that follow) for that exact PID and writes them into the pcap for post-analysis,
alongside the process and parent-process (command path) metadata.
Output Example
15:02:57.041920 ens33 python3.12.254006 Out IP 10.0.2.15.46112 > 1.1.1.1.80: Flags [S], seq 1607118109, win 64240, options [mss 1460,sackOK,TS val 2313804558 ecr 0,nop,wscale 7], length 0, ParentProc [bash.241382]
15:02:57.250542 ens33 python3.12.254006 In IP 1.1.1.1.80 > 10.0.2.15.46112: Flags [S.], seq 1199640697, ack 1607118110, win 64240, options [mss 1460], length 0, ParentProc [bash.241382]
15:02:57.250733 ens33 python3.12.254006 Out IP 10.0.2.15.46112 > 1.1.1.1.80: Flags [.], seq 1607118110, ack 1199640698, win 64240, length 0, ParentProc [bash.241382]
15:02:57.250945 ens33 python3.12.254006 Out IP 10.0.2.15.46112 > 1.1.1.1.80: Flags [P.], seq 1607118110:1607118170, ack 1199640698, win 64240, length 60: HTTP: GET / HTTP/1.1, ParentProc [bash.241382]
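As an added example that is not part of ptcpdump itself, the parser below reads the text output format shown above (time, interface, comm.pid, direction, endpoints, flags, ParentProc) and checks that every captured packet really belongs to the PID passed to --pid. The sample input is constructed: the four lines from the output example plus one made-up line from a hypothetical curl.254100 process so the check has something to flag.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the four lines from the output example above plus one made-up
# line from another PID (curl.254100) so the PID check has something to flag.
SAMPLE_LINES = """
15:02:57.041920 ens33 python3.12.254006 Out IP 10.0.2.15.46112 > 1.1.1.1.80: Flags [S], seq 1607118109, win 64240, options [mss 1460,sackOK,TS val 2313804558 ecr 0,nop,wscale 7], length 0, ParentProc [bash.241382]
15:02:57.250542 ens33 python3.12.254006 In IP 1.1.1.1.80 > 10.0.2.15.46112: Flags [S.], seq 1199640697, ack 1607118110, win 64240, options [mss 1460], length 0, ParentProc [bash.241382]
15:02:57.250733 ens33 python3.12.254006 Out IP 10.0.2.15.46112 > 1.1.1.1.80: Flags [.], seq 1607118110, ack 1199640698, win 64240, length 0, ParentProc [bash.241382]
15:02:57.250945 ens33 python3.12.254006 Out IP 10.0.2.15.46112 > 1.1.1.1.80: Flags [P.], seq 1607118110:1607118170, ack 1199640698, win 64240, length 60: HTTP: GET / HTTP/1.1, ParentProc [bash.241382]
15:02:58.103311 ens33 curl.254100 Out IP 10.0.2.15.46120 > 1.1.1.1.80: Flags [S], seq 1, win 64240, length 0, ParentProc [bash.241382]
""".strip().splitlines()

# Layout: time iface comm.pid In|Out IP src > dst: Flags [..], ..., ParentProc [comm.pid]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<comm>\S+)\.(?P<pid>\d+) (?P<dir>In|Out) IP "
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\].*?"
    r"(?:, ParentProc \[(?P<pcomm>\S+)\.(?P<ppid>\d+)\])?$"
)

@dataclass
class Packet:
    ts: str
    comm: str
    pid: int
    direction: str
    src: str
    dst: str
    flags: str
    parent_comm: Optional[str]
    parent_pid: Optional[int]

def parse_line(line: str) -> Optional[Packet]:
    """Parse one ptcpdump text line; None for lines that do not match (banners, summaries)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Packet(m["ts"], m["comm"], int(m["pid"]), m["dir"], m["src"], m["dst"], m["flags"],
                  m["pcomm"], int(m["ppid"]) if m["ppid"] else None)

def packets_outside_pid(packets: List[Packet], pid: int) -> List[Packet]:
    """Packets from a PID other than the one passed to --pid: empty if the filter held."""
    return [p for p in packets if p.pid != pid]

def peers_by_process(packets: List[Packet]) -> Counter:
    """Packet count per (comm, pid, remote endpoint), so one glance shows who talked to whom."""
    return Counter((p.comm, p.pid, p.dst if p.direction == "Out" else p.src) for p in packets)
```

Feed it the stdout of the command above (or a text dump of the pcap) to confirm that nothing outside the targeted PID leaked into the capture.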