Filter by Process Name

Case

  • Restrict the capture to packets belonging to a specific executable, the same behaviour exercised by test_pname_filter.sh.
  • Use this when multiple flows are active but you only care about a certain binary, such as curl.
  • Monitor network activity of a specific application across multiple instances or deployments.
  • Identify if a particular service or daemon is making unexpected network connections.
  • Debug network-related issues for a known application without needing its PID.

Command

sudo ptcpdump -i any -c 6 -v --pname curl -f

Start the capture, then run curl -m 10 1.1.1.1 in another shell. ptcpdump prints only the packets generated by curl, here the SYN and SYN-ACK of the TCP handshake, and omits unrelated traffic. When the capture is written to a file, the resulting pcapng keeps only that filtered subset for later review.

Output Example

15:05:13.000236 ens33 Out IP (tos 0x0, ttl 64, id 37131, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.2.15.46712 > 1.1.1.1.80: Flags [S], cksum 0xe3f, seq 723251949, win 64240, options [mss 1460,sackOK,TS val 2313940516 ecr 0,nop,wscale 7], length 0
    Process (pid 254600, cmd /usr/bin/curl, args curl -m 10 1.1.1.1)
    User (uid 1000)
    ParentProc (pid 217538, cmd /usr/bin/bash, args /bin/bash -i)
15:05:13.167214 ens33 In IP (tos 0x0, ttl 128, id 12503, offset 0, flags [none], proto TCP (6), length 44)
    1.1.1.1.80 > 10.0.2.15.46712: Flags [S.], cksum 0xd44c, seq 1738571349, ack 723251950, win 64240, options [mss 1460], length 0
    Process (pid 254600, cmd /usr/bin/curl, args curl -m 10 1.1.1.1)
    User (uid 1000)
    ParentProc (pid 217538, cmd /usr/bin/bash, args /bin/bash -i)
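The process, user and parent lines that ptcpdump attaches to every packet are what make the "unexpected connection" use case above workable: once they are parsed, each packet can be checked against what the named binary is expected to talk to. The following is an added example, not code from the ptcpdump project, that parses the -v text output shown above. The first two packets in the embedded sample are taken from the output example; the third packet (to 203.0.113.9) is constructed to show a destination outside the allow list. The regular expressions, the Packet class and the allow-list check are this example's own assumptions about the output format, based solely on the lines visible above.

```python
"""Parse ptcpdump -v text output and flag connections to unexpected peers.

Added example, not part of ptcpdump: it post-processes the text printed by
`sudo ptcpdump -i any -v --pname <name>` so the Process/User/ParentProc
lines attached to each packet can be checked against an expectation.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Line formats are assumed from the output example on this page.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<iface>\S+) (?P<dir>In|Out) IP \(.*?"
    r"proto (?P<proto>\w+) \((?P<protonum>\d+)\), length (?P<length>\d+)\)$"
)
FLOW_RE = re.compile(r"^\s+(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]")
PROC_RE = re.compile(r"^\s+Process \(pid (?P<pid>\d+), cmd (?P<cmd>\S+), args (?P<args>.*)\)$")
USER_RE = re.compile(r"^\s+User \(uid (?P<uid>\d+)\)$")
PARENT_RE = re.compile(r"^\s+ParentProc \(pid (?P<pid>\d+), cmd (?P<cmd>\S+), args (?P<args>.*)\)$")


def split_host_port(addr: str) -> tuple[str, int]:
    """ptcpdump prints IPv4 endpoints as a.b.c.d.port; the last dot separates the port."""
    host, port = addr.rsplit(".", 1)
    return host, int(port)


@dataclass
class Packet:
    ts: str
    iface: str
    direction: str
    proto: str
    src: str = ""
    dst: str = ""
    flags: str = ""
    pid: Optional[int] = None
    cmd: str = ""
    args: str = ""
    uid: Optional[int] = None
    parent_pid: Optional[int] = None
    parent_cmd: str = ""

    def remote_host(self) -> str:
        """Peer address (without port) seen from the capturing host's side."""
        peer = self.dst if self.direction == "Out" else self.src
        return split_host_port(peer)[0]


def parse_ptcpdump(text: str) -> list[Packet]:
    """Group each header line with the indented detail lines that follow it."""
    packets: list[Packet] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            packets.append(Packet(m["ts"], m["iface"], m["dir"], m["proto"]))
            continue
        if not packets:
            continue  # detail line before any header: nothing to attach it to
        pkt = packets[-1]
        if (m := FLOW_RE.match(line)):
            pkt.src, pkt.dst, pkt.flags = m["src"], m["dst"], m["flags"]
        elif (m := PROC_RE.match(line)):
            pkt.pid, pkt.cmd, pkt.args = int(m["pid"]), m["cmd"], m["args"]
        elif (m := USER_RE.match(line)):
            pkt.uid = int(m["uid"])
        elif (m := PARENT_RE.match(line)):
            pkt.parent_pid, pkt.parent_cmd = int(m["pid"]), m["cmd"]
    return packets


def unexpected_peers(packets: list[Packet], pname: str, allowed_hosts: set[str]) -> list[Packet]:
    """Packets whose process basename is `pname` but whose peer is not on the allow list."""
    return [
        p for p in packets
        if p.cmd.rsplit("/", 1)[-1] == pname and p.remote_host() not in allowed_hosts
    ]


# Sample input: the first two packets are the page's output example, the third is constructed.
SAMPLE = """\
15:05:13.000236 ens33 Out IP (tos 0x0, ttl 64, id 37131, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.2.15.46712 > 1.1.1.1.80: Flags [S], cksum 0xe3f, seq 723251949, win 64240, options [mss 1460,sackOK,TS val 2313940516 ecr 0,nop,wscale 7], length 0
    Process (pid 254600, cmd /usr/bin/curl, args curl -m 10 1.1.1.1)
    User (uid 1000)
    ParentProc (pid 217538, cmd /usr/bin/bash, args /bin/bash -i)
15:05:13.167214 ens33 In IP (tos 0x0, ttl 128, id 12503, offset 0, flags [none], proto TCP (6), length 44)
    1.1.1.1.80 > 10.0.2.15.46712: Flags [S.], cksum 0xd44c, seq 1738571349, ack 723251950, win 64240, options [mss 1460], length 0
    Process (pid 254600, cmd /usr/bin/curl, args curl -m 10 1.1.1.1)
    User (uid 1000)
    ParentProc (pid 217538, cmd /usr/bin/bash, args /bin/bash -i)
15:05:20.500001 ens33 Out IP (tos 0x0, ttl 64, id 37140, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.2.15.46720 > 203.0.113.9.443: Flags [S], cksum 0x1a2b, seq 1, win 64240, options [mss 1460], length 0
    Process (pid 254601, cmd /usr/bin/curl, args curl https://203.0.113.9/)
    User (uid 1000)
    ParentProc (pid 217538, cmd /usr/bin/bash, args /bin/bash -i)
"""

if __name__ == "__main__":
    pkts = parse_ptcpdump(SAMPLE)
    for p in unexpected_peers(pkts, "curl", {"1.1.1.1"}):
        print(f"{p.ts} pid={p.pid} uid={p.uid} parent={p.parent_cmd} -> {p.remote_host()} [{p.flags}]")
```

In practice the text is piped in (`sudo ptcpdump -i any -v --pname curl | python3 check.py`) and the allow list comes from the service's known endpoints; the direction field decides which side of the flow line is the remote peer, so inbound SYN-ACKs are attributed to the same host as the outbound SYN that caused them.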