Capturing traffic per process with ptcpdump

With tcpdump we have long filtered captures by host, port and protocol. But if we want to capture only the traffic sent by a particular process, the only option has been to capture everything first and then open the file in Wireshark to filter and analyse it.

Now there is a tool called ptcpdump that can capture directly by process name or pid.

https://github.com/mozillazg/ptcpdump

Below I test it on rocky8 to confirm that it works.

[timo@rocky8-1-test ~]$ sudo ./ptcpdump -i any --pname curl -w demo.pcapng
2024-07-16 09:48:06 WARN skip Docker Engine integration
2024-07-16 09:48:11 WARN skip containerd integration
2024-07-16 09:48:11 WARN skip kubernetes integration
2024-07-16 09:48:11 WARN skip attach cgroup due to get cgroup v2 root dir failed: cgroupv2 is not mounted
2024-07-16 09:48:11 WARN current system doest not enable netfilter based NAT feature, skip attach kprobe/nf_nat_packet
2024-07-16 09:48:11 WARN current system doest not enable netfilter based NAT feature, skip attach kprobe/nf_nat_manip_pkt
2024-07-16 09:48:11 WARN ptcpdump: verbose output suppressed, use -v[v]... for verbose output
2024-07-16 09:48:11 WARN capturing on any, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C
20 packets captured
20 packets received by filter
0 packets dropped by kernel

After starting the capture I opened another window and ran curl:

[timo@rocky8-1-test ~]$ curl www.baidu.com
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>百度一下,你就知道</title></head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> </div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class="bg s_ipt_wr"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus></span><span class="bg s_btn_wr"><input type=submit id=su value=百度一下 class="bg s_btn"></span> </form> </div> </div> <div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav>新闻</a> <a href=http://www.hao123.com name=tj_trhao123 class=mnav>hao123</a> <a href=http://map.baidu.com name=tj_trmap class=mnav>地图</a> <a href=http://v.baidu.com name=tj_trvideo class=mnav>视频</a> <a href=http://tieba.baidu.com name=tj_trtieba class=mnav>贴吧</a> <noscript> <a href=http://www.baidu.com/bdorz/login.gif?login&amp;tpl=mn&amp;u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1 name=tj_login class=lb>登录</a> </noscript> <script>document.write('<a href="http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u='+ encodeURIComponent(window.location.href+ (window.location.search === "" ? "?" 
: "&")+ "bdorz_come=1")+ '" name="tj_login" class="lb">登录</a>');</script> <a href=//www.baidu.com/more/ name=tj_briicon class=bri style="display: block;">更多产品</a> </div> </div> </div> <div id=ftCon> <div id=ftConw> <p id=lh> <a href=http://home.baidu.com>关于百度</a> <a href=http://ir.baidu.com>About Baidu</a> </p> <p id=cp>&copy;2017&nbsp;Baidu&nbsp;<a href=http://www.baidu.com/duty/>使用百度前必读</a>&nbsp; <a href=http://jianyi.baidu.com/ class=cp-feedback>意见反馈</a>&nbsp;京ICP证030173号&nbsp; <img src=//www.baidu.com/img/gs.gif> </p> </div> </div> </div> </body> </html>

Opening the file in Wireshark looks good: it really is just the flow from my curl, with the DNS resolution and the TCP handshake included. Using it does seem to come with a kernel version requirement, though: 4.10 < kernel < 5.2 should all work normally. Beyond that I don't know.
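As an added example that is not part of the post or of the ptcpdump project, here is a small POSIX sh preflight script that turns the two conditions surfaced above into checks: the kernel range the post reports as working (4.10 < kernel < 5.2), and whether cgroup v2 is mounted, which the "skip attach cgroup ... cgroupv2 is not mounted" warning in the capture output depends on. It also assembles the exact ptcpdump command line used in the post. The function names (`kernel_in_range`, `has_cgroup2`, `build_capture_cmd`, `preflight`) and the integer encoding of the version are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post or the ptcpdump project.
# Preflight checks before a per-process capture with ptcpdump:
#  - kernel_in_range:   applies the version range reported in the post (4.10 < kernel < 5.2)
#  - has_cgroup2:       checks whether a cgroup2 filesystem is mounted, since the capture
#                       above logged "skip attach cgroup ... cgroupv2 is not mounted"
#  - build_capture_cmd: assembles the ptcpdump invocation used in the post
# Function names and the 1000*major+minor encoding are choices made for this example.

# kernel_in_range VERSION
# Returns 0 when 4.10 < MAJOR.MINOR < 5.2 (strict, as the post states it),
# 1 when outside that range, 2 when the string cannot be parsed.
kernel_in_range() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    if [ "$rest" = "$ver" ]; then
        minor=0                      # no dot at all, e.g. "5"
    else
        minor=${rest%%.*}
    fi
    # drop any non-numeric suffix, e.g. "18-553" -> "18" (release strings vary by distro)
    minor=$(printf '%s' "$minor" | sed 's/[^0-9].*$//')
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    # encode MAJOR.MINOR as one integer so the two bounds compare numerically
    num=$((major * 1000 + minor))
    [ "$num" -gt 4010 ] && [ "$num" -lt 5002 ]
}

# has_cgroup2 [MOUNTS_FILE]
# Returns 0 if a filesystem of type cgroup2 appears in the mount table
# (default /proc/mounts; a file argument allows checking a saved copy).
has_cgroup2() {
    mounts=${1:-/proc/mounts}
    awk '$3 == "cgroup2" { found = 1 } END { exit !found }' "$mounts"
}

# build_capture_cmd PROCESS_NAME OUTPUT_FILE
# Prints the command line the post used: capture on all interfaces, filter by
# process name, write pcapng (the format that carries the per-packet process info).
build_capture_cmd() {
    printf 'sudo ./ptcpdump -i any --pname %s -w %s\n' "$1" "$2"
}

# preflight [MOUNTS_FILE]
# Runs both checks against the live system and reports; returns 0 only if both pass.
preflight() {
    rc=0
    kver=$(uname -r)
    if kernel_in_range "$kver"; then
        echo "kernel $kver: inside the range the post reports as working"
    else
        echo "kernel $kver: outside 4.10 < kernel < 5.2, per-process capture may not work"
        rc=1
    fi
    if has_cgroup2 "$1"; then
        echo "cgroup v2 mounted: cgroup-based attach is available"
    else
        echo "cgroup v2 not mounted: expect 'skip attach cgroup' as in the output above"
        rc=1
    fi
    return $rc
}
```

Usage: source the file and run `preflight && eval "$(build_capture_cmd curl demo.pcapng)"` so the capture only starts when both checks pass; on the rocky8 host above, `preflight` would report the kernel as in range but flag the missing cgroup v2 mount, matching the WARN line in the capture output.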