Tracedump

The tracedump program

Tracedump is a single application IP packet sniffer that captures all TCP and UDP packets of a single Linux process. It consists of the following elements:

ptrace monitor - tracks bind(), connect() and sendto() syscalls and extracts local port numbers that the traced application uses
pcap sniffer - using information from the previous module, it captures IP packets on an AF_PACKET socket (with an appropriate BPF filter attached)
garbage collector - periodically reads /proc/net/{tcp,udp} files in order to detect the sockets that the application no longer uses

As the output, tracedump generates a PCAP file with SLL-encapsulated IP packets - readable by eg. Wireshark. This file can be later used for detailed analysis of the networking operations made by the application. For instance, it might be useful for IP traffic classification systems.

More details - read the manual and the paper on tracedump [PDF]

Download

Source code on GitHub

https://github.com/iitis/tracedump

Version 0.5, released 6 Feb 2012

tracedump-0.5.tar.gz (51KB)

SHA1: 05c2b693784ffdee1025c412e23e690f26c41b6c

Notes

To compile and run tracedump, you will need libpjf, libpcre, and libpthread.
~~There are also some stability issues that hopefully will be solved.~~

UPDATE: some of stability issues fixed by the latest commit. Be sure to grab the latest sources.

Tracedump currently runs on 32-bit Linux hosts only.

More information

Citing tracedump

Please cite the following work:

Foremski P., "Tracedump: A Novel Single Application IP Packet Sniffer", Theoretical and Applied Informatics, Vol. 24 No. 1/2012, Gliwice 2012 [PDF]

MuTriCs: Multilevel Traffic Classification

The project

Project results

References

Tracedump

The tracedump program

Download

More information

Citing tracedump