traffic from different users/PID and same program is merged #204
Comments
No, definitely not. Nethogs works by taking the source and destination ip:port pairs, look up the inode for them in /proc/net/tcp, and then scan the processes in /proc to associate that inode with a process. Because that is rather slow, that relationship is cached. It seems like the traffic of user B is matching the cached connection for user A - though that would mean the complete ip:port pair (so both source and destination IP's and port numbers) were identical. Could you look at the connections with |
|
Hi @raboof I pretty sure I have same problem like @nick2k3 say, however if the user B tries to access another share, and thus generate traffic, all its traffic is masqueraded as user A, also the PID of the new connection is different but the 'old' one used by A's connection is shown.
|
Interesting! If I recall correctly nethogs does differentiate between 'incoming' and 'outgoing' connections, and for 'incoming' connections perhaps we cache regardless of the 'source' (i.e., remote) port. Perhaps for your scenario it got it backwards? I'd appreciate anyone digging into this further. |
I saw another people blog use version 0.8.0 can see two ssh session |
Hello,
I am trying to use nethogs on a debian system which runs smbd.
smbd is configured so that different users, let's say A and B, are able to connect to different shares.
if I run
sudo nethogsI can see the data exchanged by the user A:
however if the user B tries to access another share, and thus generate traffic, all its traffic is masqueraded as user A, also the PID of the new connection is different but the 'old' one used by A's connection is shown.
If i re-run nethogs I am able to correcly see the new connection with user B and the correct PID.
Is this behavior intended?
The text was updated successfully, but these errors were encountered: