Comment by jchw

1 month ago

Curiosity has led me to check on and off if the local traffic monitoring is missing anything that can be seen externally a few times, but so far I've never observed this happening. Though obviously, captures at different layers can still yield some differences.

Still, if you were extra paranoid, it wouldn't be unreasonable or even difficult to check from an external vantage point.

> Are there any tools that enable capturing traffic from outside the OS you’re monitoring, that still allow for process-level monitoring?

Doing both of these things at once would be hard, though. You can't really trust the per-process tagging because that processing has to be done on the machine itself. I think it isn't entirely implausible (at the very least, you could probably devise a scheme to split the traffic for specific apps into different VLANs. For Linux I would try to do this using netns.)
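Sketching the netns-plus-VLAN split the comment gestures at, as an added example (not jchw's code or anything else from the thread): each application gets its own Linux network namespace whose only uplink is an 802.1Q sub-interface of the host NIC, so a capture taken outside the host can attribute traffic to the app by VLAN tag rather than trusting the monitored machine's own per-process accounting. The NIC name, VLAN id, addressing and gateway are assumptions constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original comment. One netns per application,
# with an 802.1Q sub-interface as its sole uplink: traffic leaving the box
# carries the app's VLAN id, which an external tap can filter on.
# Assumed/constructed: uplink NIC name, VLAN id per app, 10.x.y.0/24 per VLAN.

# Emit (without executing) the ip(8) commands for one app.
# Usage: plan_app_vlan <app-name> <vlan-id> <uplink-nic>
plan_app_vlan() {
  local app="$1" vid="$2" uplink="$3"
  # Reject non-numeric ids; valid 802.1Q ids are 1..4094.
  case "$vid" in
    ''|*[!0-9]*) return 1 ;;
  esac
  if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
    return 1
  fi
  local ns="ns-$app" vlan="${uplink}.${vid}"
  # Constructed addressing: VLAN 100 -> 10.0.100.0/24, gateway .1 (assumed).
  local net="10.$((vid / 256)).$((vid % 256))"
  cat <<EOF
ip netns add $ns
ip link add link $uplink name $vlan type vlan id $vid
ip link set $vlan netns $ns
ip -n $ns link set lo up
ip -n $ns link set $vlan up
ip -n $ns addr add $net.2/24 dev $vlan
ip -n $ns route add default via $net.1
EOF
}

# Execute the plan. Needs CAP_NET_ADMIN (root); each command is a plain
# ip(8) invocation with no spaces in its arguments, so word splitting is safe.
apply_app_vlan() {
  plan_app_vlan "$@" | while IFS= read -r cmd; do
    $cmd || return 1
  done
}

# Launch a process so that all of its sockets live in the app's namespace.
# Usage: run_in_app_ns <app-name> <command> [args...]
run_in_app_ns() {
  local app="$1"; shift
  ip netns exec "ns-$app" "$@"
}

# Example session (root): apply_app_vlan browser 100 eth0
#                          run_in_app_ns browser firefox
# On the tap:              tcpdump -e -i <tap-if> 'vlan 100'
```

The host-side attribution is still only as good as the namespace boundary: a process that can escape its netns or gain CAP_NET_ADMIN can send untagged, so the external view is a cross-check on local monitoring, not a replacement for it.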