by totetsu 1170 days ago
Is 'tracing network packets in the kernel' also what tcpdump/snoop/nettl do?
2 comments

No. Tcpdump and others are packet sniffers. They clone network packets so the contents can be examined.

pwru on the other hand is used to trace what the kernel is doing with your packets.

I can speak for tcpdump and the answer is no. It only looks at the network interface. Something I often want to do is catch which process sent a few UDP packets. Netstat and ss won't catch it because it's too short of a time frame, and tcpdump doesn't contain any information about the kernel.

I've been using opensnitch which uses eBPF rules to track this information lately, but I'm looking for something more flexible.
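The process-attribution gap described in this comment (a few UDP packets from a process that exits before ss or netstat can poll it) is exactly what an eBPF hook in the kernel send path closes. The bpftrace script below is an added example, not code from this thread or from opensnitch; it assumes Linux with bpftrace and kernel BTF, and uses the kernel's IPv4 UDP send function udp_sendmsg (IPv6 goes through udpv6_sendmsg and is not covered here).

```bpftrace
#!/usr/bin/env bpftrace
/* Added example: attribute every UDP send to a PID and command at the moment it
 * happens, so short-lived senders are caught. Assumes bpftrace + BTF on Linux. */
#include <linux/socket.h>
#include <linux/in.h>
#include <net/sock.h>

BEGIN
{
    printf("%-9s %-7s %-16s %-15s %s\n", "TIME", "PID", "COMM", "DADDR", "DPORT");
}

kprobe:udp_sendmsg
{
    $sk  = (struct sock *)arg0;     /* the sending socket */
    $msg = (struct msghdr *)arg1;   /* the message being sent */
    $daddr = (uint32)0;
    $dport = (uint16)0;

    if ($msg->msg_name != 0) {
        /* sendto()/sendmsg() with an explicit destination address */
        $sin   = (struct sockaddr_in *)$msg->msg_name;
        $daddr = (uint32)$sin->sin_addr.s_addr;
        $dport = (uint16)$sin->sin_port;
    } else {
        /* connected UDP socket: destination lives in the sock itself */
        $daddr = (uint32)$sk->__sk_common.skc_daddr;
        $dport = (uint16)$sk->__sk_common.skc_dport;
    }

    /* port is stored in network byte order; swap to host order for display */
    $port = ($dport >> 8) | (($dport & 0xff) << 8);

    time("%H:%M:%S ");
    printf("%-7d %-16s %-15s %d\n", pid, comm, ntop(AF_INET, $daddr), $port);

    /* per-process send counts, printed automatically when the script exits */
    @sends[comm, pid] = count();
}
```

Run it as root (`bpftrace udp_senders.bt`), reproduce the traffic, and stop with Ctrl-C to get both the live lines and the per-process summary map.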

> Something I often want to do is catch which process sent a few UDP packets.

Catching short lived processes and packets is one of the things I specialized picosnitch [1] for, which focuses strictly on monitoring.

[1] https://github.com/elesiuta/picosnitch

I don't know what you mean by "flexible", but you could check if what we are building - Portmaster Privacy Suite - goes in that direction: https://safing.io/