How to record the process ID (PID) inside the tcpdump file?

[polished]   working solutions

• ptcpdump
  • It requires a kernel version ≥ 5.2 that's been compiled with BPF and BTF support. TODO: Is there a quick way to check if a kernel is compatible?
  • If /sys/kernel/btf/vmlinux exists, then the kernel supports BTF.
• py_strace2pcap — convert an strace output file to pcap, using Python's Scapy library.
  • Functionality status:   I haven't been able to get this to work. Maybe my particular strace output is slightly different than what it expects?

TODO: explore sysdig

• background reading: sysdig is a unicorn startup company that is the primary sponsor of Wireshark.
• "Csysdig explained visually" | Sysdig
• "Sysdig: What It Is and How to Use It" | Gcore
• docs.sysdig.com/en/network/ (ctrl-f for 'segment by' and notice that 'process' is usually listed)
• the csysdig man page says: "Ability to observe input/output activity for processes, files, network connections and more."
• How to install Sysdig for Linux (ctrl-F for "CentOS, RHEL, Fedora, Amazon Linux")
  • TODO: Supposedly it supports RHEL 6.3 or later.

solutions involving cgroups

[1]

forum discussions

• Stackoverflow [1]
• Serverfault [1]
• other [1]