@aduquet
Created August 23, 2018 01:16
LSOF
sh-3.2# lsof -i4
The COMMAND column shows the program that owns the session (connection). The TYPE column shows whether it is an IPv4 or IPv6 connection. The NODE column shows the transport-layer protocol in use (TCP/UDP), while the last column (NAME) shows the SRC-IP:PORT->DST-IP:PORT information.
I cleaned up the output with some useful Linux utilities:
sh-3.2# lsof -nP -i4 | grep -v "localhost\|*\|127.0.0.1" | awk '{printf ("%10s\t%3s\t%s\n", $1, $8, $9)}'
COMMAND   NODE  NAME
apsd      TCP   10.140.59.187:61720->17.252.252.86:5223
apsd      TCP   10.140.59.187:61720->17.252.252.86:5223
Dropbox   TCP   10.140.59.187:64683->162.125.33.7:443
Dropbox   TCP   10.140.59.187:64220->162.125.34.129:443
Dropbox   TCP   10.140.59.187:64535->52.7.182.237:443
Dropbox   TCP   192.168.1.104:49252->162.125.83.3:443
Dropbox   TCP   10.140.59.187:64513->162.125.83.3:443
Bitcoin   TCP   10.140.59.187:64841->104.20.81.236:443
Google    TCP   10.140.59.187:62462->169.44.99.100:443
Google    TCP   10.140.59.187:62235->169.54.206.44:443
To create labels, one could run the command (as sudo) at regular time intervals and then match the application information (label) from the lsof output to the flow records in the flow cache. The matching could be done on the 5-tuple (protocol, source IP, source port, destination IP, destination port) where possible.
This could be one simple way to collect a dataset on a local machine for reliable ground-truth experiments/evaluations.
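As an added example (not part of the original gist), the labelling step described above in Python: parse raw `lsof -nP -i4` output (the `-nP` flags keep addresses and ports numeric, which is what the parser relies on) into a 5-tuple-to-command map, then look up flow records in both directions, since a flow exporter may have recorded the flow from the remote side. The sample lsof lines, PIDs, users and device handles are constructed for the example; only the addresses are taken from the output above.

```python
import re
from typing import Dict, Optional, Tuple

# (proto, src_ip, src_port, dst_ip, dst_port)
FiveTuple = Tuple[str, str, int, str, int]

# One lsof -nP -i4 line: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
# Only connected sockets have a "->" in NAME; listening (*:22) and unbound UDP
# (*:5353) sockets do not match and are skipped on purpose.
_LSOF_LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+IPv4\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample of raw lsof output (header included, as lsof prints it).
SAMPLE_LSOF = """\
COMMAND     PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
apsd        125   root    7u  IPv4 0x1a2b3c4d5e6f0001      0t0  TCP 10.140.59.187:61720->17.252.252.86:5223 (ESTABLISHED)
Dropbox     842   alice  12u  IPv4 0x1a2b3c4d5e6f0002      0t0  TCP 10.140.59.187:64683->162.125.33.7:443 (ESTABLISHED)
mdnsd       118   _mdns   5u  IPv4 0x1a2b3c4d5e6f0003      0t0  UDP *:5353
sshd        990   root    3u  IPv4 0x1a2b3c4d5e6f0004      0t0  TCP *:22 (LISTEN)
"""


def parse_lsof(output: str) -> Dict[FiveTuple, str]:
    """Map each connected socket's 5-tuple to the owning COMMAND name."""
    labels: Dict[FiveTuple, str] = {}
    for line in output.splitlines():
        m = _LSOF_LINE.match(line)
        if not m:
            continue  # header, listening socket, or unconnected UDP socket
        key = (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        labels[key] = m["cmd"]
    return labels


def label_flow(labels: Dict[FiveTuple, str], flow: FiveTuple) -> Optional[str]:
    """Return the application label for a flow record, or None if no socket
    snapshot covered it. The reversed tuple is tried as well, because the flow
    cache may key the flow with the remote host as source."""
    proto, a, ap, b, bp = flow
    return labels.get(flow) or labels.get((proto, b, bp, a, ap))


if __name__ == "__main__":
    snapshot = parse_lsof(SAMPLE_LSOF)
    # Constructed flow record, stored by the exporter in the reverse direction.
    flow = ("TCP", "162.125.33.7", 443, "10.140.59.187", 64683)
    print(flow, "->", label_flow(snapshot, flow))
```

Because lsof is sampled, short-lived flows that start and end between two snapshots stay unlabelled; `label_flow` returns None for those rather than guessing.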
For more information about lsof I recommend these sites:
https://danielmiessler.com/study/lsof/
https://www.netadmintools.com/html/lsof.man.html
https://www.thegeekstuff.com/2012/08/lsof-command-example