Which process is using the most network bandwidth?
It is possible on Solaris with help from DTrace (with a caveat). On Linux/Windows, I don't think this is possible with an off-the-shelf kernel. That's why I wrote the perl script in my previous entry. It can't associate a short-lived socket with its owning process, so I'm still not sure it was worth my time.
Here's the man page from DTraceToolkit. Note the caveat: it only captures new connections.
$ man -M ~root/DTraceToolkit-0.99/Man tcpsnoop_snv
[...]
DESCRIPTION
     This analyses TCP network packets and prints the responsible PID and UID, plus standard details such as IP address and port.
     This captures traffic of newly created TCP connections that were established while this program was running.
     It can help identify which processes is causing TCP traffic.
Here's how I show network traffic and the owning process on Windows using the perl script from my previous entry. It can't show sockets that have already been closed and disowned. Also, I sorted by number of bytes rather than by number of packets.
$ perl /c/d/bin/active-port.pl 5 200 | sort -t $'\t' -k 3nr \
> | while read line; do
>   echo $line
>   pid=$(netstat -ano | awk '$2 == "'$(echo $line|cut -d' ' -f3)'" {print substr($0,72)}')
>   [ "$pid" != "" ] && tasklist /v /fi "PID eq $pid" | tail -1 | cut -c1-18,67-76,93-120,150-
> done
50 packets 220.16.82.26:2187 75700 bytes.
wmplayer.exe 10,828 K MY_W2K3\Administrator 0:00:20 Windows Media Player
81 packets other, e.g.) arp 68460 bytes.
41 packets 220.16.82.26:2255 29658 bytes.
firefox.exe 161,272 K MY_W2K3\Administrator 0:34:03 Let the Sunshine In - Mozilla Firefox
16 packets 220.16.82.26:2256 8475 bytes.
6 packets 220.16.82.26:137 660 bytes.
System 264 K NT AUTHORITY\SYSTEM 0:36:29 N/A
4 packets 220.16.82.26:2144 364 bytes.
thunderbird.exe 111,220 K MY_W2K3\Administrator 0:16:12 Inbox : MyName@MyMail.COM - Thunderbird
2 packets 220.16.82.26:61466 298 bytes.
Here's how I show network traffic and the owning process on Linux. I only show the top 4. One restriction on Linux is that you can't use the 'any' interface; specify a real interface like 'eth0'.
$ sudo perl active-port.pl 1 1000 | head -4 \
> | while read line; do
>   echo $line;
>   echo $line|awk '$3 !~ "^o" {system("lsof -i@" _ $3)}' | tail -1
>   echo
> done
901 packets 129.158.21.152:32772 68016 bytes.
synergyc 3789 kinoue 4u IPv4 9356 TCP myserver.jp.sun.com:32772->dhcp-jp-20-88.Jpn.Sun.COM:24800 (ESTABLISHED)

77 packets 129.158.21.152:32783 82222 bytes.
ftp 4109 kinoue 4u IPv4 12469 TCP myserver.jp.sun.com:32783->labserv.Jpn.Sun.COM:53456 (ESTABLISHED)

8 packets other, e.g.) arp 480 bytes.

8 packets other, e.g.)UDP broadcast 1027 bytes.