Reputation: 71
I am into analyzing network communication directions of an appserver machine. I collected a lot of TCP SYN packages, so I can list network communication directions inward and outward.
The inward communications are clean, as I can tell which appserver processes are related to a certain LISTEN port.
My problem is to tell which process is initiating a communication to a particular direction.
For example in my tcpdump output I see outbound packages to 123.123.110.120:10122.
07:52:47.308694 IP 10.128.46.13.49743 > 123.123.110.120.10122: S 246322753:246322753(0) win 14600 <mss 1460,sackOK,timestamp 3109396548 0,nop,wscale 7>
Is there a way to collect process IDs along with the tcpdump output?
Upvotes: 0
Views: 429
Reputation: 760
ptcpdump can do that:
$ sudo ptcpdump -i any -c 2 port 80
2024/05/18 15:07:26 capturing...
15:07:32.109948 wlp4s0 Out IP (tos 0x0, ttl 64, id 19758, offset 0, flags [DF], ip_proto TCP (6), length 60)
192.168.1.50.48282 > 104.18.32.7.80: Flags [S], cksum 0x4a22, seq 638565084, win 64240, options [mss 1460,sackOK,TS val 3459351264 ecr 0,nop,wscale 7], length 0
Process (pid 1674620, cmd /usr/bin/curl, args curl stackoverflow.com)
15:07:32.520880 wlp4s0 In IP (tos 0x4, ttl 53, id 0, offset 0, flags [DF], ip_proto TCP (6), length 60)
104.18.32.7.80 > 192.168.1.50.48282: Flags [S.], cksum 0x56a1, seq 3079891173, ack 638565085, win 65160, options [mss 1400,sackOK,TS val 3122651013 ecr 3459351264,nop,wscale 13], length 0
Process (pid 1674620, cmd /usr/bin/curl, args curl stackoverflow.com)
2 packets captured
3 packets received by filter
0 packets dropped by kernel
Upvotes: 0
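As a complement to the ptcpdump answer, here is the classic procfs approach that maps an outbound SYN from ordinary tcpdump output to the owning process: look up the socket inode for the local address and port in /proc/net/tcp, then find which /proc/<pid>/fd entry points at that inode (this is what tools like `ss -p` do). This is example code added here by the editor, not from the question, the answer or the ptcpdump project. It assumes a Linux procfs layout; the sample /proc/net/tcp table and fd map are constructed for the SYN line from the question. It also shows the failure mode a practitioner should expect: the lookup happens after the packet was captured, so a short-lived socket that is already closed cannot be attributed (returns None), which is the race that capture-time attribution such as ptcpdump's avoids.

```python
#!/usr/bin/env python3
"""Attribute outbound SYNs in tcpdump output to local processes via procfs.

Editor's example, not from the question or answer. Assumes Linux /proc.
"""
import os
import re
import socket
import struct
import sys

# Matches both the legacy ("...: S 123:123(0)") and current ("...: Flags [S],")
# tcpdump SYN formats; "Flags [S.]" (SYN-ACK) deliberately does not match.
SYN_RE = re.compile(
    r"(?:^|\s)(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+): "
    r"(?:S |Flags \[S\])"
)


def parse_syn(line):
    """Return (src_ip, src_port, dst_ip, dst_port) for a pure SYN line, else None."""
    m = SYN_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def proc_addr(ip, port):
    """Encode ip:port the way /proc/net/tcp prints it: address as a native-endian
    32-bit hex word (the in-memory network-order bytes), port as 16-bit hex."""
    (word,) = struct.unpack("=I", socket.inet_aton(ip))
    return "%08X:%04X" % (word, port)


def socket_inodes(proc_net_tcp_text):
    """Parse /proc/net/tcp text into {(local_ip, local_port): inode}."""
    table = {}
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        addr_hex, port_hex = fields[1].split(":")
        ip = socket.inet_ntoa(struct.pack("=I", int(addr_hex, 16)))
        table[(ip, int(port_hex, 16))] = int(fields[9])  # column 9 is the inode
    return table


def pid_for_inode(inode, fd_links):
    """fd_links: {pid: [readlink targets of /proc/<pid>/fd/*]}; return owning pid."""
    want = "socket:[%d]" % inode
    for pid, targets in fd_links.items():
        if want in targets:
            return pid
    return None


def read_fd_links():
    """Collect fd symlink targets from the live /proc (root needed for other users)."""
    links = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        fd_dir = "/proc/%s/fd" % name
        try:
            entries = os.listdir(fd_dir)
        except OSError:
            continue
        targets = []
        for fd in entries:
            try:
                targets.append(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                pass  # fd closed between listdir and readlink
        links[int(name)] = targets
    return links


def attribute_syn(line, proc_net_tcp_text, fd_links):
    """Return the pid that owns the SYN's local socket, or None if unknown.

    None also covers the race: a socket already closed by the time we look
    has no /proc/net/tcp row (or inode 0), so it cannot be attributed."""
    parsed = parse_syn(line)
    if parsed is None:
        return None
    src_ip, src_port, _dst_ip, _dst_port = parsed
    inode = socket_inodes(proc_net_tcp_text).get((src_ip, src_port), 0)
    if inode == 0:
        return None
    return pid_for_inode(inode, fd_links)


# Constructed sample data: the SYN from the question and a matching procfs view.
SAMPLE_SYN = ("07:52:47.308694 IP 10.128.46.13.49743 > 123.123.110.120.10122: "
              "S 246322753:246322753(0) win 14600 <mss 1460,sackOK,timestamp 3109396548 0,nop,wscale 7>")
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: %s %s 02 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 -1\n"
    % (proc_addr("10.128.46.13", 49743), proc_addr("123.123.110.120", 10122))
)
SAMPLE_FD_LINKS = {1: ["/dev/null"], 4242: ["pipe:[999]", "socket:[12345]"]}  # hypothetical pids

if __name__ == "__main__":
    # Usage: tcpdump -nl 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | sudo ./syn2pid.py
    for raw in sys.stdin:
        with open("/proc/net/tcp") as f:  # re-read per packet: the table changes constantly
            pid = attribute_syn(raw, f.read(), read_fd_links())
        print("pid=%s\t%s" % (pid, raw.rstrip()))
```

Only IPv4 is handled here; IPv6 sockets live in /proc/net/tcp6 with 128-bit hex addresses. Because the procfs lookup runs after capture, connections that open and close quickly will show up as pid=None, which is exactly why an in-kernel hook that records the process at send time, as in the ptcpdump output above, is the more reliable source for this kind of audit.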