
Measure per-process network usage using `/proc/$PID/fd` and `ss`

Author
  • User
    Linux Bash

Blog Article: Measure Per-Process Network Usage in Linux Using /proc/$PID/fd and ss

In the world of Linux system administration and monitoring, understanding the network usage of individual processes is crucial for performance tuning, security checks, and diagnostics. Although Linux provides a variety of tools for network monitoring, combining the capabilities of /proc/$PID/fd and ss offers a specific and powerful method to get per-process network usage details.

Q1: What is /proc and how can it help in monitoring network usage?

A1: The /proc filesystem is a special filesystem in UNIX-like operating systems that presents information about processes and other system information in a hierarchical file-like structure. It is a virtual filesystem that doesn't exist on disk. Instead, it is dynamically created by the Linux kernel. You can access it to gather information about the system and its processes. For instance, every running process has a dedicated directory under /proc named with its process ID (PID), inside which /proc/$PID/fd contains file descriptors, including those that represent network sockets.

Q2: What role does the command ss play in this context?

A2: The command ss is a utility that comes with most Linux distributions and is used for displaying detailed information about network sockets. It provides data on all sockets including listening/timed-wait ones. When combined with information gathered from /proc/$PID/fd, you can correlate which sockets are used by which processes.

Background on the Topic

To illustrate, let’s see a basic example. Suppose you want to check what network connections are utilized by a process with the PID 1234:

  1. Examine File Descriptors:
    Navigate to /proc/1234/fd. Here, you'll see several entries pointing to various resources, e.g., files, pipes, and sockets. Files that represent network sockets will typically be symlinked in the format socket:[inode_number].

  2. Use ss to Find Network Details:
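    ss has no filter keyword for inode numbers, but its -e option prints each socket's inode as ino:<number>, so you can match on that field using the inode numbers you found:

    ss -aie | grep -w -A1 'ino:inode_number'

    This command filters ss output showing only entries that match the inode number from your /proc/ check. The -w stops a short inode number from matching inside a longer one, and -A1 also keeps the following line, which for a TCP socket is the indented statistics line printed by -i.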

Example Script to Demonstrate the Method

Here’s a simple shell script to automate checking network usage per process:

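#!/bin/bash

# Check if a numeric PID was provided (the value is used to build a /proc path)
if [[ ! "$1" =~ ^[0-9]+$ ]]; then
  echo "Usage: $0 <PID>"
  exit 1
fi

PID=$1

# Check if the process exists
if [[ ! -d /proc/$PID ]]; then
  echo "Process with PID $PID does not exist."
  exit 1
fi

echo "Network connections for PID: $PID"

# Loop over file descriptors
for fd in /proc/"$PID"/fd/*; do
  # Socket descriptors are symlinks of the form socket:[inode]
  inode=$(readlink "$fd" 2>/dev/null | sed -n 's/^socket:\[\([0-9]*\)\]$/\1/p')
  if [[ -n $inode ]]; then
    echo "Inode: $inode"
    # ss has no inode filter keyword, so match the ino:<n> field that -e prints.
    # Indented lines after a matching socket are its -i statistics; print those too.
    ss -aie | awk -v pat="ino:$inode" '
      /^[^ \t]/ { show = 0; for (i = 1; i <= NF; i++) if ($i == pat) show = 1 }
      show'
  fi
done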

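This script checks if a PID is provided and exists. It then lists all network sockets used by that process and provides detailed information for each socket using ss. Run it as root or as the user that owns the process; otherwise /proc/$PID/fd cannot be read and no sockets are listed.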
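To turn the per-socket details into a usage figure, the following added example (not part of the original article) sums the bytes_acked and bytes_received counters that ss -i reports for each TCP socket whose ino: field belongs to the process. The function names pid_socket_inodes, sum_tcp_bytes and sample_ss are hypothetical, and the sample output is constructed so the parsing can be checked offline.

```bash
#!/bin/bash
# Added example: sum TCP byte counters for the sockets one process holds.

# Print the socket inode numbers behind /proc/<PID>/fd, one per line.
pid_socket_inodes() {
  for fd in /proc/"$1"/fd/*; do
    readlink "$fd" 2>/dev/null
  done | sed -n 's/^socket:\[\([0-9][0-9]*\)\]$/\1/p' | sort -u
}

# stdin: `ss -tie` output; $1: whitespace-separated inode list.
# Prints "<sockets> <bytes_acked> <bytes_received>" for the matching sockets.
sum_tcp_bytes() {
  awk -v inodes="$1" '
    BEGIN { n = split(inodes, a, " "); for (i = 1; i <= n; i++) want["ino:" a[i]] = 1 }
    /^[^ \t]/ {                      # socket line: is its ino: field one of ours?
      hit = 0
      for (i = 1; i <= NF; i++) if ($i in want) { hit = 1; socks++ }
      next
    }
    hit {                            # indented -i line of a matching socket
      for (i = 1; i <= NF; i++) {
        split($i, kv, ":")
        if (kv[1] == "bytes_acked") tx += kv[2]
        else if (kv[1] == "bytes_received") rx += kv[2]
      }
    }
    END { printf "%d %.0f %.0f\n", socks, tx, rx }'
}

# Constructed sample shaped like `ss -tie` output (not captured from a real host).
sample_ss() {
  cat <<'EOF'
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:22 10.0.0.9:51514 timer:(keepalive,119min,0) ino:45678 sk:1a <->
     cubic wscale:7,7 rto:204 bytes_sent:1300 bytes_acked:1200 bytes_received:800
ESTAB 0 0 10.0.0.5:443 10.0.0.7:40022 uid:33 ino:45679 sk:1b <->
     cubic rto:208 bytes_acked:5000 bytes_received:300
ESTAB 0 0 10.0.0.5:5432 10.0.0.8:33100 uid:26 ino:456 sk:1c <->
     cubic rto:201 bytes_acked:70 bytes_received:9
EOF
}

# With a numeric PID argument, measure the live process; otherwise only define the functions.
case "${1:-}" in
  '' | *[!0-9]*) ;;
  *) ss -tie | sum_tcp_bytes "$(pid_socket_inodes "$1")" ;;
esac
```

The counters are cumulative per connection and cover only TCP sockets that are open at the moment of the snapshot, so traffic on connections that have already closed is not included.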

Summary and Conclusion

Understanding per-process network usage is a cornerstone of effective system administration — particularly when monitoring or troubleshooting network performance issues. While there are many sophisticated tools available for network monitoring (like nethogs or iftop), using Linux’s built-in tools like /proc and ss provides granular control and a deeper understanding of what’s happening under the hood. This approach is not only cost-effective but also highly educational, offering insights into the workings of Linux OS processes and their interactions with network resources.
