Subject: Re: discover process
To: Florian Kessler <fke@sk-kessler.de>
From: Steven M. Bellovin <smb@research.att.com>
List: netbsd-users
Date: 05/29/2002 10:47:45
In message <B91A60F5.112D%fke@sk-kessler.de>, Florian Kessler writes:
>Am 29.05.2002 9:10 Uhr schrieb "Steven M. Bellovin" unter
><smb@research.att.com>:
>
>> In message <B91A4466.1119%fke@sk-kessler.de>, Florian Kessler writes:
>>> Hi,
>>>
>>>> from time to time one of my netbsd-machines is trying to establish a
>>> connection to port 6544, but blocked by the firewall.
>>> How can i discover the process, which is trying to connect?
>>>
>> Use lsof, which you can find in pkgsrc.
>>
>
>Hi Steve,
>
>"lsof -i tcp@host:6544" brought this:
>
>COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
>apcupsd 18275 root 1u IPv4 1255053 TCP
>caesar.gb-sauer.de:37528->brutus.gb-sauer.de:6544 (SYN_SENT)
>
>so i know exactly, what i wanted to know, but it was totaly by coincidence!
>Doing the same command a second/third... time the output is either nothing
>or similar output.
>So to get my question answered, i have to lsof exactly that time the process
>tries to connect.
>Any other idea?
I don't think there's any current solution -- I know of no kernel
logging for Internet connection attempts, so the only choice is to
catch it when it's current.
It might be possible to hack together something that uses ipfilter's
log ability to detect, say, outbound SYN packets to particular ports,
and then does an automated lsof or fstat.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)