Capturing Network Communication Between Two Processes On the Same Machine…

Have you ever run snoop on Solaris, or tcpdump on Linux or AIX, and discovered that these tools cannot capture IP-based communication between two processes on the same machine? Or tried Wireshark (formerly Ethereal) on Windows, only to run into the same limitation?

Well, there are a couple of ways around these limitations.

The issue arises because these tools all operate at the network driver level. Network traffic between two processes on the same machine generally never gets that far down the stack: the data is simply copied from one buffer to another inside the same kernel.

This post expands on the techniques presented in the last article to allow IP-based traffic (particularly TCP) to be captured between two processes on the same box.

Solaris

The truss command, as described here, can be used to capture this type of IP communication on a Solaris system.

Linux

The strace command, as described here, can be used to capture this type of IP communication between processes on the same Linux host.
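Once strace has recorded the socket calls, the bytes still have to be pulled back out of its escaped, per-call text. The script below is an added example, not code from the original post: it reassembles the byte stream each process sent and received on each socket from `strace -f -o trace.log -e trace=network,read,write -s 4096` output (the default `-s 32` truncates strings, which the script flags), and the sample lines are constructed.

```python
import re

# One strace line per socket transfer; `-f -o file` prefixes a bare pid, plain `-f` prints "[pid N] ".
# read()/write() on sockets are included too (the JVM uses them): trace with
# `-e trace=network,read,write` and ignore keys whose fd turns out to be a plain file.
XFER_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid_a>\d+)\]\s*|(?P<pid_b>\d+)\s+)?'
    r'(?P<call>sendto|send|write|recvfrom|recv|read)\('
    r'(?P<fd>\d+),\s*"(?P<data>(?:[^"\\]|\\.)*)"(?P<trunc>\.\.\.)?'
    r'.*\)\s*=\s*(?P<ret>-?\d+)')
SIMPLE = {'n': 10, 'r': 13, 't': 9, 'a': 7, 'b': 8, 'f': 12, 'v': 11, '"': 34, '\\': 92}

def unescape(text):
    """Decode strace's C-style escapes (\\n, \\", octal \\377, hex \\xff from -xx) to bytes."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] != '\\':
            out.append(ord(text[i])); i += 1
        elif text[i + 1] == 'x':                          # \xHH
            out.append(int(text[i + 2:i + 4], 16)); i += 4
        elif text[i + 1] in '01234567':                   # \O, \OO or \OOO (strace default)
            m = re.match(r'[0-7]{1,3}', text[i + 1:])
            out.append(int(m.group(), 8)); i += 1 + m.end()
        else:
            out.append(SIMPLE.get(text[i + 1], ord(text[i + 1]))); i += 2
    return bytes(out)

def reassemble(lines):
    """Return {(pid, fd): {'sent': bytes, 'received': bytes, 'truncated': bool}}."""
    streams = {}
    for line in lines:
        m = XFER_RE.match(line)
        if not m or int(m.group('ret')) < 0:              # not a transfer, or the call failed
            continue
        key = (m.group('pid_a') or m.group('pid_b') or '?', m.group('fd'))
        s = streams.setdefault(key, {'sent': b'', 'received': b'', 'truncated': False})
        side = 'sent' if m.group('call') in ('sendto', 'send', 'write') else 'received'
        s[side] += unescape(m.group('data'))[:int(m.group('ret'))]  # only bytes actually moved
        s['truncated'] |= m.group('trunc') is not None     # strace cut the string: raise -s
    return streams

# Constructed sample of `strace -f -o trace.log` output: pid 4242 talks HTTP to
# 127.0.0.1:8080; pid 4243 writes binary data that strace truncated ("...").
SAMPLE = [
    r'4242  connect(3, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("127.0.0.1")}, 16) = 0',
    r'4242  sendto(3, "GET /health HTTP/1.1\r\nHost: localhost\r\n\r\n", 41, MSG_NOSIGNAL, NULL, 0) = 41',
    r'4242  recvfrom(3, "HTTP/1.1 200 OK\r\nContent-Length: 3\r\n\r\n", 4096, 0, NULL, NULL) = 38',
    r'4242  read(3, "ok\n", 4096) = 3',
    r'4243  write(4, "\0\1\2\377"..., 8) = 8',
]
```

Run `reassemble(open('trace.log').read().splitlines())` on a real log; a `truncated` flag of True means the trace was taken with too small an `-s` and the stream has gaps.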

AIX/Windows/General for Java

The general-purpose, Java-based TCP capture tool described here can be used to capture TCP traffic between two JVMs on the same host.