Measuring nw traffic for a particular process

[Abhinav Jauhri <abhinavjauhri at gmail dot com>]

Hi,

I have to accurately measure network traffic over the internet for a
process and its child processes. Previous to this mail, I have had a
similar discussion with fche on #systemtap on how to accurately
capture the exact amount of network data transmitted or received by a
process and its child processes (let's say something like firefox)

In our previous discussion, fche suggested that socket.* probes should
work if they catch all process specific traffic. So, based on that
idea I made this small script and wanted to get feedback on its
accuracy/suggestions to improve, from the community.

Script is as follows:
Following variables are initialized using -G flag.
1. parent_id - as my experiments are automated, I use a script to
start the browser. script's pid is the parent_id
2. browser_id - pid of the browser started by the script

My goal is capture all network data specific to the browser & its
child processes

probe socket.receive
{
    if (!success) next

    if(pid() != parent_id && (ppid() == parent_id || ppid() ==
browser_id) && family == "INET") {
    store_nw_recv[execname(), pid(), gettimeofday_s(), protocol] <<< size
    }
}

probe socket.send
{
    if (!success) next

    if(pid() != parent_id && (ppid() == parent_id || ppid() ==
browser_id) && family == "INET") {
    store_nw_sent[execname(), pid(), gettimeofday_s(), protocol] <<< size
    }
}

I referenced this(http://sourceware.org/systemtap/examples/network/socktop)
example for making this script. Another suggestion was to look at file
descriptors of the process resulting from socket(2). I could use
this(http://sourceware.org/systemtap/examples/process/pfiles.stp)
along with some edits to make that but I guess socket.* should work
fine.

Please let me know if you have any suggestions or concerns. Thanks!

- Abhinav