Process ID - Traffic analyzer? (tcpdump||tshark?)



W4GPL
07-24-2013, 06:40 AM
Possible dumb question -- Does anyone happen to know...

Is it possible to get the process ID (or name) of the traffic being dumped with wireshark or tcpdump?

E.g. 'tshark -i wlan0 -f "udp port 53"'

I'd like to know what processes are making the DNS request. I know this can be done with lsof -i or netstat -pnu but I'm looking for something real time and constant.

------------------------------------

Completely unrelated note -- I've discovered that if you're using DNS prefetching ("predict network actions to improve page load performance") in Chrome, your DNS won't be sent over your SOCKS5 proxy, if you're using one. Just an FYI if you're concerned about privacy leaks on a public wifi, or elsewhere.

KC2UGV
07-24-2013, 07:12 AM
watch -n 1 "lsof -i" is the best I've seen to do so.

Generally, on Linux boxes, the base processes I've seen doing DNS requests are syslog, cron, ssh, and nfs. So, you can disable these services one at a time to see if they are performing the specific lookup you're tracking down. With SSH, obviously, you can't stop it, but what you can do is disable the reverse lookup check, and HUP it so it reloads the config. It's the only DNS-querying part of SSH.

n6hcm
07-25-2013, 04:15 AM
Not really -- that's not what those tools do. tcpdump should let you see the traffic surrounding a request, so if you are requesting a weird host (perhaps nonexistent) you should be able to associate traffic using a specific FQDN and a specific protocol...

W4GPL
07-25-2013, 04:23 AM
I ended up creating an iptables output rule that logged every port 53 request with the associated PID & owner. So that solves that..
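As an added illustration of the approach in this post (not the poster's own rule or script): the assumed OUTPUT rule is `iptables -I OUTPUT -p udp --dport 53 -j LOG --log-prefix "DNS-OUT: " --log-uid`, whose kernel log lines carry the UID/GID of the sending process (current kernels log the owner UID rather than a PID). The parser below reads constructed sample lines in that format, counts DNS packets per UID and resolver, and flags UIDs that sent queries to a resolver outside the expected set, which is how the Chrome prefetch leak mentioned earlier would show up.

```python
import re
from collections import Counter

# Constructed sample of kernel log lines as written by the assumed rule
#   iptables -I OUTPUT -p udp --dport 53 -j LOG --log-prefix "DNS-OUT: " --log-uid
# Each record ends with UID=/GID= of the process that generated the packet.
SAMPLE_LOG = """\
Jul 25 04:20:01 host kernel: [ 1234.567890] DNS-OUT: IN= OUT=wlan0 SRC=192.168.1.10 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=UDP SPT=41234 DPT=53 LEN=40 UID=1000 GID=1000
Jul 25 04:20:02 host kernel: [ 1235.000001] DNS-OUT: IN= OUT=wlan0 SRC=192.168.1.10 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=UDP SPT=41235 DPT=53 LEN=40 UID=0 GID=0
Jul 25 04:20:03 host kernel: [ 1236.000001] DNS-OUT: IN= OUT=wlan0 SRC=192.168.1.10 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12347 DF PROTO=UDP SPT=41236 DPT=53 LEN=40 UID=1000 GID=1000
Jul 25 04:20:04 host kernel: [ 1237.000001] OTHER: IN= OUT=wlan0 SRC=192.168.1.10 DST=192.168.1.1 PROTO=TCP SPT=5555 DPT=22 UID=1000 GID=1000
"""

# KEY=value tokens as the LOG target emits them (value may be empty, e.g. "IN=")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line, prefix="DNS-OUT:"):
    """Return a dict of KEY=value fields from one line carrying our log prefix, else None."""
    marker = line.find(prefix)
    if marker < 0:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line[marker + len(prefix):]):
        fields.setdefault(key, value)  # keep the first LEN= (IP length), ignore the UDP one
    return fields


def dns_by_uid(text, prefix="DNS-OUT:"):
    """Count UDP/53 packets per (UID, resolver address) over the logged lines."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_log_line(line, prefix)
        if f is None or f.get("PROTO") != "UDP" or f.get("DPT") != "53":
            continue
        counts[(f.get("UID", "?"), f["DST"])] += 1
    return counts


def unexpected_resolvers(counts, allowed):
    """UIDs that sent DNS to a server outside the allowed set (e.g. prefetch bypassing a proxy)."""
    return sorted({uid for (uid, dst) in counts if dst not in allowed})
```

Feed it live with `journalctl -k -f` or `tail -f /var/log/kern.log` piped through a small loop calling `parse_log_line`; map the UID back to a user with `getent passwd`.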

KC2UGV
07-25-2013, 05:10 AM
I ended up creating an iptables output rule that logged every port 53 request with the associated PID & owner. So that solves that..

There. I fixed it.

W7XF
07-25-2013, 03:50 PM
There. I fixed it.

Corey-licious.... that is NOT how you work ducting propagation!! :wall::neener: