tcpsnoop.d 1m "Jul 04, 2005" "version 0.70" "USER COMMANDS"
NAME
tcpsnoop.d - snoop TCP network packets by process. DTrace.
SYNOPSIS
tcpsnoop.d
DESCRIPTION
This analyses TCP network packets and prints the responsible PID and UID, plus standard details such as IP address and port. It captures traffic only for newly created TCP connections, those established while this program was running. It can help identify which processes are causing TCP traffic. This is a DTrace-only version of "tcpsnoop", an enhanced program that provides command line options. Since this uses DTrace, only the root user or users with the dtrace_kernel privilege can run this command.
EXAMPLES

Default output, snoop TCP network packets with details,

    # tcpsnoop.d

FIELDS

UID user ID

PID process ID

CMD command name

LADDR local IP address

RADDR remote IP address

LPORT local port number

RPORT remote port number

DR direction

SIZE packet size, bytes
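
The fields above can be totalled per process to see which PID is responsible for which traffic. The following is an added example, not part of the DTraceToolkit: the sample lines are constructed, and the column order and the "<-"/"->" direction markers are assumptions, so the parser takes the layout from the header row.

```python
from collections import defaultdict

# Constructed sample (not captured from a real system). Column order and the
# "<-"/"->" direction markers are assumptions; the layout is read from the header.
SAMPLE = """\
  UID    PID LADDR           LPORT DR RADDR           RPORT  SIZE CMD
    0    242 192.0.2.5          23 <- 198.51.100.1    54224    54 inetd
    0    242 192.0.2.5          23 -> 198.51.100.1    54224    54 inetd
  100  20321 192.0.2.5       33490 -> 203.0.113.9        80   560 wget
  100  20321 192.0.2.5       33490 <- 203.0.113.9        80  1500 wget
  100  20321 192.0.2.5       33490 <- 203.0.113.9        80  1500 wget
garbled line
"""
DIRECTION = {"<-": "in", "->": "out"}   # assumed: arrow points at the receiver
NUMERIC = ("UID", "PID", "RPORT", "SIZE")

def parse(text):
    """Yield one dict per packet line, keyed by the header's column names."""
    cols = None
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "UID":       # header row defines the layout
            cols = parts
            continue
        if cols is None or not parts:
            continue
        # The last column absorbs embedded spaces (e.g. a CMD containing one).
        vals = line.strip().split(None, len(cols) - 1)
        if len(vals) != len(cols):
            continue
        rec = dict(zip(cols, vals))
        if rec["DR"] in DIRECTION and all(rec[k].isdigit() for k in NUMERIC):
            yield rec                          # anything else is not a packet line

def summarize(text):
    """Bytes in/out and remote endpoints for each (UID, PID, CMD)."""
    out = defaultdict(lambda: {"in": 0, "out": 0, "remotes": set()})
    for r in parse(text):
        s = out[(int(r["UID"]), int(r["PID"]), r["CMD"])]
        s[DIRECTION[r["DR"]]] += int(r["SIZE"])
        s["remotes"].add((r["RADDR"], int(r["RPORT"])))
    return dict(out)

if __name__ == "__main__":
    for (uid, pid, cmd), s in sorted(summarize(SAMPLE).items()):
        print(uid, pid, cmd, s["in"], s["out"], sorted(s["remotes"]))
```
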

DOCUMENTATION
See the DTraceToolkit for further documentation under the Docs directory. The DTraceToolkit docs may include full worked examples with verbose descriptions explaining the output.
EXIT
tcpsnoop.d will print traffic until Ctrl-C is hit.
AUTHOR
Brendan Gregg [Sydney, Australia]
SEE ALSO
tcpsnoop(1M), tcptop(1M), dtrace(1M)