6

Is there some command or tool for monitoring network packets and how those packets are handled by the memory and then proceed to the CPU on a Linux platform?

Using tcpdump I can capture many Apache requests, for example, but I don't know how those packages are assigned to some process ID.

1 Answer

5

When a server process starts, it issues some system calls (socket() and listen()). The system then opens the port and creates a socket file descriptor for the process to interact with. You can see this with:

Find the Apache master process id:

root@frisbee:~# ps -ef | grep apache | grep root
root     27440     1  0 16:06 ?        00:00:00 /usr/sbin/apache2 -k start

Go to /proc/$pid/fd and view the sockets:

root@frisbee:~# ls -l /proc/27440/fd | grep socket
lrwx------ 1 root root 64 apr 16 16:12 3 -> socket:[518486]
lrwx------ 1 root root 64 apr 16 16:12 4 -> socket:[518487]

Here you can see there are two sockets opened by Apache. The Apache process internally can use file descriptors 3 & 4 to read/write data through the network connection.

You can find the mapping between sockets and listening ports with lsof:

root@frisbee:~# lsof | egrep 'IPv6.*(518486|518487)'
apache2   27440                  root    4u     IPv6             518487       0t0        TCP *:http (LISTEN)
apache2   27445              www-data    4u     IPv6             518487       0t0        TCP *:http (LISTEN)
apache2   27446              www-data    4u     IPv6             518487       0t0        TCP *:http (LISTEN)
apache2   27447              www-data    4u     IPv6             518487       0t0        TCP *:http (LISTEN)
apache2   27448              www-data    4u     IPv6             518487       0t0        TCP *:http (LISTEN)
apache2   27449              www-data    4u     IPv6             518487       0t0        TCP *:http (LISTEN)

There are multiple Apache processes using the same file descriptor (opened by the process running as root, because it is a privileged port). These are the Apache workers.

An easier way to view the link between port and process is to use the netstat command:

mtak@frisbee:~$ sudo netstat -tulpn | grep apache
tcp6       0      0 :::80                   :::*                    LISTEN      4269/apache2   
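
Added example (not part of the original answer): the join that lsof and netstat perform, done by hand in Python for TCP only. It matches the LISTEN rows of /proc/net/tcp and /proc/net/tcp6 against the socket:[inode] links under /proc/<pid>/fd. The sample table is constructed, reusing inode 518487 and the PIDs from the output above; the function names are illustrative.

```python
import os
import re

SOCKET_RE = re.compile(r"socket:\[(\d+)\]")

# Constructed sample in /proc/net/tcp6 layout; st 0A is LISTEN, inode is field 10.
SAMPLE_TCP6 = """\
  sl  local_address remote_address st tx_queue:rx_queue tr:tm->when retrnsmt uid timeout inode
   0: 00000000000000000000000000000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 518487 1 0000000000000000 100 0 0 10 0
   1: 0000000000000000FFFF00000100007F:0050 0000000000000000FFFF00000100007F:C350 01 00000000:00000000 00:00000000 00000000 33 0 518902 1 0000000000000000 20 4 30 10 -1
"""

def listening_inodes(table_text):
    """Return {inode: port} for every row in LISTEN state."""
    rows = (line.split() for line in table_text.splitlines()[1:])  # skip header
    return {int(f[9]): int(f[1].rsplit(":", 1)[1], 16)  # port is stored as hex
            for f in rows if len(f) >= 10 and f[3] == "0A"}

def socket_inodes(fd_links):
    """Pull inode numbers out of readlink targets such as 'socket:[518487]'."""
    return {int(m.group(1)) for t in fd_links if (m := SOCKET_RE.fullmatch(t))}

def map_ports_to_pids(tables, pid_links):
    """Join the tables with {pid: [fd link targets]}; return {port: [pids]}."""
    listeners = {i: p for text in tables for i, p in listening_inodes(text).items()}
    ports = {}
    for pid, links in pid_links.items():
        for inode in socket_inodes(links) & listeners.keys():
            ports.setdefault(listeners[inode], set()).add(pid)
    return {port: sorted(pids) for port, pids in ports.items()}

def read_live(proc="/proc"):
    """Read the real tables and fd links; other users' fds need root."""
    tables = []
    for name in ("tcp", "tcp6"):
        if os.path.exists(f"{proc}/net/{name}"):
            with open(f"{proc}/net/{name}") as fh:
                tables.append(fh.read())
    pid_links = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = f"{proc}/{pid}/fd"
        try:
            pid_links[int(pid)] = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
        except OSError:  # process exited mid-scan, or permission denied
            continue
    return tables, pid_links

if __name__ == "__main__":
    print(map_ports_to_pids(*read_live()))
```

/proc/net/tcp and /proc/net/tcp6 list only the sockets in the reader's own network namespace, so run the script inside the namespace or container being inspected.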
