Is there a way to keep an account of which processes generate how much network traffic?

Julian Elischer julian at freebsd.org
Mon May 30 15:09:56 UTC 2016


On 30/05/2016 5:07 PM, Ben Woods wrote:
> On Monday, 30 May 2016, Yuri <yuri at rawbw.com> wrote:
>
>> There is vnstat that does this by interface.
>>
>> But is there a way to do this by the application? This is because nearly
>> every packet that is sent through the system is sent on behalf of some
>> process running on the system.
>>
>> It would be nice to be able to see which applications (in general sense)
>> generate most traffic.
>>
>> I am fully aware that the link between pid and an "application" is vague
>> because some processes are run through some cryptic command lines. I am
>> just interested if anything exists in this area at all.
>>
>>
>> Yuri
>>
> Hi Yuri,
>
> There is an application called nethogs which does this on Linux, but the
> website says it makes heavy use of Linuxisms so won't work on BSD. I had a
> quick look at the code and couldn't immediately recognise the Linuxisms in
> question, but haven't done a thorough look.
>
> On FreeBSD, I tend to filter traffic by src and destination ip/port to
> determine how much traffic an application is using.
>
> Easiest solution I can think of: Use net-mgmt/darkstat.
> https://unix4lyfe.org/darkstat/
>
> Slightly more complicated solution, but with potentially more power for
> filtering the data: Netflow/NfDump/NfSen
> https://forums.freebsd.org/threads/49724/

at $JOB we had to do this for outgoing sessions of one particular app.
The answer was to make that app run as a special group and use the 
'gid' match for the outgoing SYN packets from that process to run a 
keep-state rule to make all packets from that session go through a 
particular counting rule.

it was something like:
# outbound SYN from the special group: create dynamic state, jump to the counters
ipfw add 10 skipto 15 tcp from any to any not layer2 setup gid ${SPECIAL_GID} out xmit ${EXTERNAL} keep-state
# everything else bypasses the counters
ipfw add 11 skipto 20 ip from any to any
ipfw add 15 count ip from any to any in
ipfw add 16 count ip from any to any out
ipfw add 20 <whatever comes next>

since keep-state has an implicit check-state before evaluation, this 
catches all session packets from sessions initiated by that process.

the not-layer2 was needed in our case to stop a kernel panic; we had 
bridging ipfw as well and it caused problems.

I have considered adding a feature where sockets opened by a particular 
process would generate packets with a particular tag, 
which could be detected in the firewall. 
It would be a bit like using the 'setfib' command; the property would 
be inherited.

so setsockflag -4 ssh foo.com would make all of ssh's packets be marked 
with a tag of 4.
there is already a rule in ipfw to detect these tags.
I did consider using setfib and setting up a separate fib for that app 
to use.  Fib associations can also be detected in the firewall.



>
> Good luck!
>
> Regards,
> Ben
>
>

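The gid/keep-state accounting Julian describes, written out as a complete script. This is an added example, not code from the thread or from FreeBSD; it assumes a hypothetical group "netacct" that the accounted program runs as, an external interface em0, and rule numbers 10 to 20. The ipfw -a list output it parses is constructed for the example, not captured from a real host.

```sh
#!/bin/sh
# Added example (not from the thread): per-process traffic accounting on
# FreeBSD with ipfw, using the gid match + keep-state trick described above.
# Assumptions: the accounted program runs with hypothetical group "netacct",
# the external interface is em0, and rules live in the 10-20 range.

ACCT_GROUP="${ACCT_GROUP:-netacct}"     # hypothetical group the app runs as
EXTERNAL="${EXTERNAL:-em0}"             # assumed external interface
BASE=10                                 # first rule number used by the set

# Print the rule set in the syntax "ipfw <file>" accepts (one rule per line,
# without the leading "ipfw").  Rule BASE matches only the outbound SYN
# (setup) sent by a process in the group; keep-state then creates a dynamic
# rule whose action is the parent's skipto, so every later packet of that
# session, in both directions, is sent to the two count rules.  All other
# traffic skips past them.  "not layer2" keeps the rule away from bridged
# frames, which is where the poster saw a panic.
acct_rules() {
    gid="$1"; iface="$2"
    cat <<EOF
add $((BASE))     skipto $((BASE + 5))  tcp from any to any not layer2 setup gid $gid out xmit $iface keep-state
add $((BASE + 1)) skipto $((BASE + 10)) ip from any to any
add $((BASE + 5)) count ip from any to any in
add $((BASE + 6)) count ip from any to any out
EOF
}

# Read "ipfw -a list" (or "ipfw show") output on stdin and print the byte
# counters of the two count rules as "<in_bytes> <out_bytes>".  With -a the
# columns are: rule number, packet count, byte count, rule body.
acct_report() {
    awk -v in_r="$((BASE + 5))" -v out_r="$((BASE + 6))" '
        $1 + 0 == in_r  { inb  = $3 }
        $1 + 0 == out_r { outb = $3 }
        END { printf "%d %d\n", inb + 0, outb + 0 }'
}

# Resolve the group to a numeric gid; getent(1) exists on FreeBSD and Linux.
# Falls back to a placeholder gid (assumption) so the script still renders
# the rules on a host where the group has not been created yet.
acct_gid() {
    gid=$(getent group "$ACCT_GROUP" 2>/dev/null | cut -d: -f3)
    printf '%s\n' "${gid:-1001}"
}

# Constructed sample of "ipfw -a list" output (not captured from a real host),
# used to exercise acct_report offline.
SAMPLE_LIST='00010         12         720 skipto 15 tcp from any to any not layer2 setup gid 1001 out xmit em0 keep-state
00011       9876     5432100 skipto 20 ip from any to any
00015       4321     3210987 count ip from any to any in
00016       4200      654321 count ip from any to any out
00020       5000     9999999 allow ip from any to any
65535         17        1360 deny ip from any to any'

# Run with APPLY=1 as root on a FreeBSD host to load the rules and report
# live counters; otherwise just show the rules and the report from the
# constructed sample.
if [ "${APPLY:-0}" = 1 ]; then
    tmp=$(mktemp) || exit 1
    acct_rules "$(acct_gid)" "$EXTERNAL" > "$tmp" && ipfw -q "$tmp"
    rm -f "$tmp"
    ipfw -a list | acct_report
else
    acct_rules "$(acct_gid)" "$EXTERNAL"
    printf '%s\n' "$SAMPLE_LIST" | acct_report
fi
```

Two caveats a practitioner should keep in mind: the setup match only ever sees TCP, so UDP traffic from the same process is not accounted, and the dynamic rule expires according to the net.inet.ip.fw.dyn_* lifetimes, so a long-idle session silently drops out of the counters until it sends a new SYN.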


More information about the freebsd-net mailing list