Saving all network i/o of a program
Normally I use tcpflow to debug network i/o, but it doesn't seem to have any way to filter by process - so I need to manually figure out which files come from the program being debugged, and which are completely unrelated traffic. Usually both are mostly http so port filtering is out of the question, and filtering by remote hostname is only sometimes possible.
In theory it should work. Process ids can be associated with sockets, at least on Linux - /proc/net/tcp associates socket address pairs with inodes and fstating /proc/*/fd/* reveals all socket inodes by process (that's what netstat -p uses) - but it needs to be done in real time by the traffic capturing program, otherwise this data is all gone - so I cannot just grep the right files later. (otoh I'm not sure if this is even possible on OSX)
Or another possibility would be to use some sort of low-level library injection like LD_PRELOAD when the program starts instead of an external monitor.
The alternative of finding every single network read and write in the program, and adding logging code there is just too awful to contemplate - especially since a lot of actual i/o can be buried deep inside third party libraries.
Any recommendations? Something cross-platform would be perfect, but if it works with either OSX or Linux it's good enough.
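The /proc lookup described in the question above, as an added example that is not part of the original post: it joins the inode column of /proc/net/tcp with the socket links under /proc/PID/fd to list one process's TCP connections. It reads the fd symlinks with readlink rather than fstat, the sample table is constructed, and IPv4 on a little-endian host is assumed.

```python
import os, re, socket, struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:C350 08080808:0050 01 00000000:00000000 00:00000000 00000000  1000        0 45678 1 0000000000000000 20 4 30 10 -1
"""

def decode_addr(field):
    """'0100007F:1F90' -> ('127.0.0.1', 8080). Assumes IPv4 on a little-endian host."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_tcp_table(text):
    """Map socket inode -> (local, remote) address pair; column 9 is the inode."""
    table = {}
    for line in text.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) >= 10:
            table[int(f[9])] = (decode_addr(f[1]), decode_addr(f[2]))
    return table

def socket_inodes(pid, proc="/proc"):
    """Inodes of every socket the process holds open, read from its fd links."""
    fd_dir = os.path.join(proc, str(pid), "fd")
    inodes = set()
    try:
        names = os.listdir(fd_dir)
    except OSError:                             # process gone or not ours to read
        return inodes
    for name in names:
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:                         # fd closed between listdir and readlink
            continue
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if m:
            inodes.add(int(m.group(1)))
    return inodes

def connections_for_pid(pid, tcp_text, proc="/proc"):
    """Join the two views: address pairs whose inode the process has open."""
    table = parse_tcp_table(tcp_text)
    return sorted(table[i] for i in socket_inodes(pid, proc) if i in table)

if __name__ == "__main__":                      # live snapshot for this process (Linux only)
    with open("/proc/net/tcp") as fh:
        print(connections_for_pid(os.getpid(), fh.read()))
```

The result is a point-in-time snapshot, so a connection that opens and closes between two polls is never seen. IPv6 sockets live in /proc/net/tcp6 with a wider address field that this decoder does not handle.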
If you are running the program from a specific user ID, you can mark the traffic by user using most major firewalls (at least netfilter/iptables, the one used in Linux) and then save it using Wireshark.
Also, if you just want to debug network data, try using:
strace -f -e trace=network -s 10000 ping 8.8.8.8
Sorry for the multiplatform requirement not met. Low level network i/o handling of other programs on Windows seems a bit tricky to me.