document updated 6 days ago, on Feb 14, 2025
How to do per-pid tcpdump?
working solutions
- ptcpdump
- It requires a kernel version ≥ 5.2 that's been compiled with BPF and BTF support.
- TODO: Is there a quick way to check if a kernel is compatible?
- If /sys/kernel/btf/vmlinux exists, then the kernel supports BTF.
- py_strace2pcap — convert an strace output file to pcap, using Python's Scapy library.
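An added example (my own script, not part of ptcpdump or these notes) that answers the TODO above: it checks the running kernel against the stated ptcpdump requirements, version 5.2 or newer plus BPF and BTF support. The /sys/kernel/btf/vmlinux test is the one from the notes; reading CONFIG_BPF, CONFIG_BPF_SYSCALL and CONFIG_DEBUG_INFO_BTF from /proc/config.gz or /boot/config-$(uname -r) is my assumption about which options stand for "BPF and BTF support".

```shell
#!/bin/sh
# Added example: is this kernel compatible with ptcpdump (>= 5.2, BPF, BTF)?

# kver_ge MAJOR MINOR VERSION  -> success if VERSION >= MAJOR.MINOR
# Compares the first two fields numerically, so 5.10 correctly ranks above 5.2.
kver_ge() {
    want_major=$1; want_minor=$2
    ver=${3%%-*}                      # drop "-generic", "-rc3", "-1-amd64" suffixes
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0    # bare "6" has no minor field
    minor=${rest%%.*}
    [ "$major" -gt "$want_major" ] ||
        { [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ]; }
}

# btf_supported [PATH]: the kernel exports its BTF at /sys/kernel/btf/vmlinux
# (path overridable for testing).
btf_supported() {
    [ -r "${1:-/sys/kernel/btf/vmlinux}" ]
}

# config_has OPTION [CONFIG_FILE]: 0 if OPTION=y, 1 if not set, 2 if no config found.
# Assumption: the kernel config is at /proc/config.gz or /boot/config-$(uname -r).
config_has() {
    opt=$1; cfg=$2
    if [ -n "$cfg" ]; then
        grep -qx "$opt=y" "$cfg"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -qx "$opt=y"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        grep -qx "$opt=y" "/boot/config-$(uname -r)"
    else
        return 2
    fi
}

# ptcpdump_compatible: prints each unmet requirement, returns 0 only if all are met.
ptcpdump_compatible() {
    ok=0
    kver_ge 5 2 "$(uname -r)" || { echo "kernel $(uname -r) is older than 5.2"; ok=1; }
    btf_supported || { echo "/sys/kernel/btf/vmlinux missing: no BTF support"; ok=1; }
    for o in CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_DEBUG_INFO_BTF; do
        config_has "$o" && continue
        if [ $? -eq 2 ]; then echo "$o: kernel config not readable, skipped"
        else echo "$o is not set"; ok=1; fi
    done
    return $ok
}

if ptcpdump_compatible; then echo "kernel looks compatible with ptcpdump"; fi
```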
forum discussions
solutions involving cgroups