Under the hood, this is using nethogs. Here's how nethogs associates traffic with a process:
On Linux the file /proc/net/tcp lists all established TCP connections. It includes the local and remote socket addresses and the inode number for the local socket. Nethogs uses libpcap to sniff traffic and associate it with its entry in /proc/net/tcp. It takes the inode from there and scans through /proc/*/fd/ looking for the file descriptor that has that inode to determine which process has the socket open. Once it finds the process it adds it to a table of inode to process id mappings so it doesn’t have to scan through /proc again the second time a packet for that connection comes through.
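The lookup described above, sketched as an added example (not nethogs' own code and not from the thread): parse /proc/net/tcp into an address-pair to inode table, then resolve an inode to a PID by scanning the fd links, with a cache. The function names and the sample rows are made up for illustration; it assumes IPv4 and a little-endian host.

```python
import os
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40001 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:D431 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 40002 1 0000000000000000 20 4 30 10 -1
"""

def decode_addr(field):
    """'0100007F:1F90' -> ('127.0.0.1', 8080); the IPv4 word is byte-swapped on little-endian hosts."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Map (local, remote) address pairs to the socket inode, keyed the way a sniffer looks packets up."""
    table = {}
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) >= 10:
            table[(decode_addr(cols[1]), decode_addr(cols[2]))] = int(cols[9])
    return table

def pid_for_inode(inode, proc_root="/proc", cache=None):
    """Scan <proc_root>/<pid>/fd/* for a link to socket:[inode]; remember hits in cache."""
    cache = {} if cache is None else cache
    if inode in cache:
        return cache[inode]
    want = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or fd dir unreadable without privilege
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:  # descriptor closed between listdir and readlink
                continue
            if target == want:
                cache[inode] = int(pid)
                return int(pid)
    return None
```

Without root, the fd directories of other users' processes are unreadable, so `pid_for_inode` returns None for their sockets.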
If you're on Mac and just want to monitor the connections that each process makes (not the bandwidth), Radio Silence just got a built-in network monitor a few weeks ago: https://radiosilenceapp.com
Nice, first time I hear about it and seems really nice. Good work.
If I only wanted to monitor network connections on my mac, and block/allow them forever/for a limited time, is there any difference in functionality between this and Little Snitcher?
IIRC, it is the most recently active project. As far as I can tell, the whole user-facing, interactive firewall program never really caught on in linux land.
These days everyone, it seems, uses a mobile smartphone, using apps usually free or less than $1. Over that amount would seem excessive, even $2 or so, let alone €30.
€30 ($43 + taxes Canadian to me), that's quite enough for software; maybe not excessive, but any more and I'd pass on it.
Having purchased a computer in 1990 along with WordPerfect ($300 then - $540 in today's dollars) and Lotus 123 (another $300/$540), this makes me smile ;-)
On Windows: Sysinternals Process Explorer, the already mentioned Glasswire and NetBalancer, and a bunch of other apps, almost all of which aren't very good at all. But Glasswire is very nice.
Also from Windows 8 and up the built in task manager has per process network usage along with disk usage. Makes it real easy to find bottlenecks or resource hogs.
Does this require Administrator rights to see this granularity? In my office as a non-admin user, we have noticed that Task Manager seems really crippled.
You won't see other users' processes, at least on my box; however, the detail is there for yours. Probably possible for it to be crippled by group policy.
In previous versions of Windows, the task manager menus could be toggled by double clicking an empty area in the window. You should also be able to select additional columns to display in the options. Note: I haven't used the win8 taskmgr.
I've been working on a similar python webserver + webview GUI from that used in this repo, but aren't there security concerns of just opening it up to the local network? Aren't you exposing your entire API to any app on the same computer?
I don't think so. If you look at the code carefully, it's pretty much one way traffic. Nothing of significance goes from Client/Webview to the server to get executed.
I was however hoping for authorization based handshakes. Maybe he'll put it in sometime.
On a side note: The project author doesn't sleep enough. He's a good friend. And also it's Finals Week now. :P
Glasswire is also interesting. Way smoother looking interface than any of the other stuff I've seen & there is a paid edition as well so they clearly put time into it.
My current tool of choice for on-demand console traffic monitoring is tcptrack.[0] Uses libpcap so accepts the same filtering syntax as tcpdump.
It can be pretty CPU intensive, so I would recommend against running it on production perimeter systems. Also, the 2 second default retention period is a bit short.
I haven't tried hogswatch; judging by the screenshots, it doesn't bring anything more, information-wise, than what's already present in nethogs' terminal UI.
But 0.8.1 fixes the problem described on the askubuntu page the grand-grandparent linked to.
Would be nice to configure a central server to push data to, and list the machine name with each entry, so you can monitor all machines on a network and see who and what is hogging the bandwidth. Might give it a go.