
Correlating network traffic to their OS processes using packet capture libraries and kernel monitoring mechanisms


Abstract

A method of monitoring and reporting packets, including their attribution to their originating processes, from a user-space application without installing proprietary drivers, using only the infrastructure and capabilities supplied by the operating system (OS). The method relies on correlating packets received from a packet capture library with events from a kernel monitoring mechanism that carry the process ID and are generated in the same time frame as the transmission or reception of that traffic. The attribution between an event and a packet is based on the 4-tuple (or another exemplar) that exists in both the event and the packet, where the “4-tuple” is the set of: source address, source port, destination address, destination port.

Bibliographic data

  • Publication number: US2020099600A1
  • Patent type:
  • Publication date: 2020-03-26
  • Original format: PDF
  • Applicant/assignee: CYBEREASON INC.
  • Application number: US201916579455
  • Inventor: GAL KAPLAN
  • Filing date: 2019-09-23
  • IPC classification: H04L12/26; H04L29/12; H04L12/741
  • Country: US
  • Database entry time: 2022-08-21 11:21:11
