* Source process (PID) of a packet
@ 2013-04-03 16:09 Daniele Iamartino
From: Daniele Iamartino @ 2013-04-03 16:09 UTC (permalink / raw)
To: netfilter
Hello,
I've got a problem on my server and I had to find out which process was
sending UDP packets to a specified host, opening and closing the socket
quickly.
I can see the UDP requests using
$ netstat -unap
or
$ ss -uap
I was finally able to catch the request running netstat in a fast loop
and catching it.
I was now wondering if it was possible to do that in another way.
Something like log the source PID using -j LOG.
But I saw that the LOG target just supports the uid/gid.
Reading the sources of netfilter I saw that's not possible, and I think
that's because one socket could be used by several processes (I think
about the case of a process with a socket using a fork).
So is it not technically possible?
Is the only way writing an xtables target doing something like this:
# for any fd on the system:
# if fd == skb->sk->..->file
# match...
# ...
Is this the only way?
That looks a bit heavy for the system to process.
I wonder also about the outgoing traffic:
Is it not possible to match any packet coming from a certain PID using a
match module? I saw the xt_owner and how was the old --pid-owner match
(I've also fixed it for the new kernel to try it)
Is it the only way to check for every fd open by that PID and then match
against the socket related to the packet coming?
Thanks!
--
Daniele Iamartino
Computer engineering student at Politecnico di Milano, Italy
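As an added example (not part of the original message or of netfilter), here is the userspace version of the lookup the mail describes: take the source port of the UDP packet (for example from the -j LOG line), find the socket bound to it in /proc/net/udp, and map the socket inode to every /proc/<pid>/fd entry that refers to it. The sample /proc/net/udp text and fd symlink targets are constructed; the function and variable names are the example's own.

```python
import os
import socket
import struct

# Constructed /proc/net/udp sample (x86, little-endian host byte order): inode 67890 is bound to 192.168.1.2:59556 and connected to 192.168.1.1:53.
SAMPLE_UDP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops\n"
    "   0: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0\n"
    "   1: 0201A8C0:E8A4 0101A8C0:0035 01 00000000:00000000 00:00000000 00000000  1000        0 67890 2 0000000000000000 0\n"
)
# Constructed (pid, readlink target) pairs as seen under /proc/<pid>/fd/*: a parent and its fork share socket inode 67890.
SAMPLE_FDS = [(4242, "/dev/null"), (4242, "socket:[67890]"), (4243, "socket:[67890]"), (1, "socket:[12345]")]

def _decode_addr(field):
    """Decode '0100007F:0035' -> ('127.0.0.1', 53); the kernel prints the IPv4 address in host byte order."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("=I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_udp(text):
    """Parse /proc/net/udp text into dicts with local/remote (ip, port), uid and socket inode."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) >= 10:
            rows.append({"local": _decode_addr(f[1]), "remote": _decode_addr(f[2]), "uid": int(f[7]), "inode": int(f[9])})
    return rows

def socket_owners(inode, fd_links):
    """All PIDs holding socket:[inode]; after fork() several PIDs share one socket, so there is no single 'source PID'."""
    want = "socket:[%d]" % inode
    return sorted({pid for pid, target in fd_links if target == want})

def live_fd_links():
    """Yield (pid, target) for every fd symlink under /proc/<pid>/fd on this host (root sees all users)."""
    for name in filter(str.isdigit, os.listdir("/proc")):
        try:
            fds = os.listdir("/proc/%s/fd" % name)
        except OSError:  # process exited, or not permitted
            continue
        for fd in fds:
            try:
                yield int(name), os.readlink("/proc/%s/fd/%s" % (name, fd))
            except OSError:
                continue

def owners_of_udp_source_port(src_port, udp_text, fd_links):
    """Map each UDP socket bound to src_port (the packet's source port) to its PIDs; matching on the local port also covers unconnected sockets, whose remote column is 0.0.0.0:0."""
    links = list(fd_links)
    return {row["inode"]: socket_owners(row["inode"], links)
            for row in parse_proc_net_udp(udp_text) if row["local"][1] == src_port}
```

On a live host call `owners_of_udp_source_port(port, open("/proc/net/udp").read(), live_fd_links())`; like the netstat loop in the mail it is a snapshot, so a socket that is opened and closed quickly can still be missed between reads.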