Welcome to Software Development on Codidact!
Will you help us build our independent community of developers helping developers? We're small and trying to grow. We welcome questions about all aspects of software development, from design to code to QA and more. Got questions? Got answers? Got code you'd like someone to review? Please join us.
How to capture packets bound from/to solely one application?
My Rationale
I want to diagnose github.com/AchetaGames/Epic-Asset-Manager/issues/318#issuecomment-3641224648 — a failure to access a (likely non-existent) API endpoint. [1]
On AOSP, I would invoke PCAPDroid, and select the relevant application (from a list, enumerated from getPackageManager.getInstalledApplications). [2] [3] However, that's unavailable here, and wireshark-4.6.0-1.fc43 doesn't make achieving this task a trivial endeavour [4] (albeit, likely because of how powerful it is, and how much less restricted and standardised desktop OSes' APIs are.) [5]
Does a way to monitor the network traffic of a single application exist? I see powerusers.codidact.com/posts/283650/history#2, although am not certain whether it's applicable here, because this isn't a DNS failure, and most alternative sources suggest a port, [6] or VLAN, [7] –based approach:
You could create a (virtual) network interface, and let only one application use it.
The Placement Of The Question
I don't envision this being useful outside of software development, and at +2025-12-11T12:59+00:00, I observed no evidence that anyone disagrees:
-
Power Users returned the aforecited, which is an answer.
-
linux.codidact.com/posts/search?search=wiresharkreturned 0 results. -
software.codidact.com/posts/search?search=wiresharkreturned 0 relevant results.
-
gitlab.com/wireshark/wireshark/-/issues/20494#note_2948022412↩︎ -
gitlab.com/wireshark/wireshark/-/issues/1184#note_2783848093↩︎ -
superuser.com/questions/1370924/how-can-i-monitor-all-activity-from-only-one-software-with-wireshark/1371095#comment3018542_1371109↩︎ -
superuser.com/questions/1370924/how-can-i-monitor-all-activity-from-only-one-software-with-wireshark/1371095#comment3018544_1370924↩︎
1 answer
I don't know any way to filter for traffic of a specific application in any libpcap based project (wireshark, tcpdump, scapy etc.) that is able to do this.
All they do is open a raw socket (socket(AF_PACKET, SOCK_RAW) to be exact). So they receive only information that are contained within the bytes of the packet.
Hence, you need to find a way to uniquely encode the packets that originate from your application or parse other system resources, like /proc, as described in the feature request.
I think the simplest work around is to run the program inside a virtual machine. Normally, those get their own network adapter, so it's pretty easy to filter for the application's traffic. Using strace, /proc, or reading the source, you'll find even more ways to narrow it down.
For your example, search Epic-Asset-Manager code for the domains it connects to. Then filter for their IPs, e.g. tcpdump -i <IF_OF_VM> host <IP-OF-EPIC-GAMES>. Looks like the domains are all listed in epic_web.rs. They're behind cloudflare so you need to find the IPs yourself (e.g. ping epicgames.com).
$ grep -riI https ./Epic-Asset-Manager/src/
tools/epic_web.rs: .get("https://www.epicgames.com/id/api/reputation")
tools/epic_web.rs: .post("https://www.epicgames.com/id/api/exchange")
tools/epic_web.rs: .get("https://www.epicgames.com/id/api/redirect?")
tools/epic_web.rs: "https://www.unrealengine.com/id/api/set-sid?sid={sid}"
tools/epic_web.rs: .post("https://graphql.unrealengine.com/ue/graphql")
0 comment threads
0 comment threads