Tracedump

The tracedump program

Tracedump is a single application IP packet sniffer that captures all TCP and UDP packets of a single Linux process. It consists of the following elements:
  1. ptrace monitor - tracks bind(), connect() and sendto() syscalls and extracts local port numbers that the traced application uses
  2. pcap sniffer - using information from the previous module, it captures IP packets on an AF_PACKET socket (with an appropriate BPF filter attached)
  3. garbage collector - periodically reads /proc/net/{tcp,udp} files in order to detect the sockets that the application no longer uses
As the output, tracedump generates a PCAP file with SLL-encapsulated IP packets - readable by eg. Wireshark. This file can be later used for detailed analysis of the networking operations made by the application. For instance, it might be useful for IP traffic classification systems.

More details - read the manual and the paper on tracedump [PDF]

Download

Notes
  • To compile and run tracedump, you will need libpjf, libpcre, and libpthread.
  • There are also some stability issues that hopefully will be solved.
    • UPDATE: some of stability issues fixed by the latest commit. Be sure to grab the latest sources.
  • Tracedump currently runs on 32-bit Linux hosts only.

More information

Please cite the following work:
  • Foremski P., "Tracedump: A Novel Single Application IP Packet Sniffer", Theoretical and Applied Informatics, Vol. 24 No. 1/2012, Gliwice 2012 [PDF]