Monitor network connections based on Process

Posted on September 21, 2018

Wireshark is widely used in packets capturing with flexible filters, but for some particular cases, end users care about the network sessions which established by a specific application.

I will show how to check the sessions of ‘Microsoft OneNote’.


Microsoft provides its own product for packets capturing: Microsoft Network Monitor.

Lunch ‘Microsoft Network Monitor’ before you run OneNote:


You will see the processes from the left panel, All related network sessions will shown in the ‘frame summary’ window once OneNote lunched:


Linux/MAC OS

I prefer ‘lsof’ to capture the network by application with the advantages:

  • run continuously
  • the result can be filtered by application name, process id

For the prospect of my case, the thing I concerned from the beginning is the limitation of the app name because lsof only supports up to 15 strings with -c options, otherwise, you will get an error:

KZs-MacBook-Pro:SSH kz$ lsof -c "Microsoft OneNote"
lsof:"-c Microsoft\x20OneNote" length (17) > what system provides (15)
lsof 4.89
latest revision:
latest FAQ:
latest man page:
usage: [-?abhlnNoOPRtUvV] [+|-c c] [+|-d s] [+D D] [+|-f[cgG]]
[-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+|-M] [-o [o]] [-p s]
[+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
Use the ``-h'' option to get more help information.

Thanks to lsof’s regular expression feature which made it possible to filter Microsoft One Note’s network sessions.

Before you lunch OneNote, run following command for the capturing:

lsof -c /Microsoft\ One/ -r 1 | awk '$5 ~ /^IP/ {print}
  • -c /Microsoft\ One/ is how lsof supports regular expression:

    If c begins and ends with a slash (‘/’), the characters between the slashes are interpreted as a regular expression.

  • -r 1 means the losf will run in repeat mode

  • awk command will filter all IP connections because -c and -i options are conflicting with each other

here is a sample:


Monitor network connections based on Process


Scan the QR code using WeChat

comments powered by Disqus