Method A: Using strace
If the process is not started yet, you can start it as a new process and monitor it using the following
strace -f -e trace=network -s 10000 <PROCESS WITH ARGUMENTS>;
If the process is already started and you know its PID you can use the following
strace -f -e trace=network -s 10000 -p <PID>;
strace is a very helpful utility that can be used to trace system calls and signals.
strace to trace all child processes as they are created by the currently traced processes as a result of the
clone system calls.
-p PID -f will attach all threads of process
PID if it is multi-threaded, not only thread with id
-e trace=%network strace will trace all the network related system calls only if used alone.
-s strsize Specifies the maximum string size to print (the default is 32). Note that filenames are not considered strings and are always printed in full.
-p PID Attaches
strace to the process with the process ID
PID and starts tracing. The trace may be terminated at any time by a keyboard interrupt signal (
strace will respond by detaching itself from the traced process(es) leaving it (them) to continue running. Multiple
-p options can be used to attach to many processes in addition to command (which is optional if at least one
-p option is given).
-p "`pidof APPLICATION`" syntax is supported.
In the simplest case
strace runs the specified command until it exits. It intercepts and records the system calls which are called by a process and the signals which are received by a process. The name of each system call, its arguments and its return value are printed on standard error or to the file specified with the -o option.
strace is a useful diagnostic, instructional, and debugging tool. System administrators, diagnosticians and trouble-shooters will find it invaluable for solving problems with programs for which the source is not readily available since they do not need to be recompiled in order to trace them. Students, hackers and the overly-curious will find that a great deal can be learned about a system and its system calls by tracing even ordinary programs. And programmers will find that since system calls and signals are events that happen at the user/kernel inter‐ face, a close examination of this boundary is very useful for bug isolation, sanity checking and attempting to capture race conditions.
From: man strace
Method B: Using an isolated network namespace and Wireshark
Please note that this method might not work for all kernels.
It was tested on
Fedora 25 (64 bit) with success.
Create the test network namespace
network namespace is logically another copy of the network stack, with its own routes, firewall rules, and network devices.
With the following command we will create a
network namespace called
sudo ip netns add test;
ip netns add NAME Creates a new named
NAME is available in
/var/run/netns/ this command creates a new
network namespace and assigns to it then name
Create two virtual network interfaces (veth0 and veth1) for our Virtual eXtended LAN (VXLAN)
The following command will create
veth1 virtual network interfaces.
sudo ip link add veth0 type veth peer name veth1;
ip link add with no link argument specified to a physical device to operate on, it adds a
VXLAN virtual link.
veth1 will act as a gateway later on.
Change the active namespace of the veth0 interface
With the following command, we move
veth0 to our
test network namespace.
sudo ip link set veth0 netns test;
Some devices are not allowed to change network namespace:
wireless. These are network namespace local devices. In such case
ip tool will return
Invalid argument error. It is possible to find out if device is local to a single network namespace by checking
netns-local flag in the output of the
ethtool -k DEVICE;
To change network namespace for wireless devices the
iw tool can be used. But it allows to change network namespace only for physical devices and by process
From man ip-link
Configure the IP addresses of the virtual interfaces
#Set the IP of veth0 to 192.168.10.1 and veth0 to 192.168.10.254
sudo ip netns exec test ifconfig veth0 up 192.168.10.1 netmask 255.255.255.0;
sudo ifconfig veth1 up 192.168.10.254 netmask 255.255.255.0;
Configure the routing in the test namespace
The following command will set the default
veth0 to be the
IP 192.168.10.254 which is the address we gave
veth1 in the previous step.
sudo ip netns exec test route add default gw 192.168.10.254 dev veth0;
Then we make sure
ip_forward is active by issuing the following command
sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward';
Then, we establish a
NAT rule to forward all the traffic of
test network namespace to a physical device
sudo iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o <PHYSICAL DEVICE e.g. eth0> -j SNAT --to-source <PHYSICAL DEVICE IP>;
Actually using the isolated network namespace
root to the list of users that is allowed to start an
wireshark in your
test network namespace
sudo ip netns exec test wireshark &
wireshark start monitoring the data on the device
Finally, start the application you wish to monitor its network traffic
sudo ip netns exec test firefox;