Subject: Re: discover process
To: Florian Kessler <fke@sk-kessler.de>
From: Steven M. Bellovin <smb@research.att.com>
List: netbsd-users
Date: 05/29/2002 10:47:45
In message <B91A60F5.112D%fke@sk-kessler.de>, Florian Kessler writes:
>Am 29.05.2002 9:10 Uhr schrieb "Steven M. Bellovin" unter
><smb@research.att.com>:
>
>> In message <B91A4466.1119%fke@sk-kessler.de>, Florian Kessler writes:
>>> Hi,
>>> 
>>> from time to time one of my netbsd-machines is trying to establish a
>>> connection to port 6544, but blocked by the firewall.
>>> How can I discover the process which is trying to connect?
>>> 
>> Use lsof, which you can find in pkgsrc.
>> 
>
>Hi Steve,
>
>"lsof -i tcp@host:6544" brought this:
>
>COMMAND   PID USER   FD   TYPE  DEVICE SIZE NODE NAME
>apcupsd 18275 root    1u  IPv4 1255053       TCP
>caesar.gb-sauer.de:37528->brutus.gb-sauer.de:6544 (SYN_SENT)
>
>so I know exactly what I wanted to know, but it was totally by coincidence!
>Doing the same command a second/third... time the output is either nothing
>or similar output.
>So to get my question answered, I have to lsof at exactly the time the process
>tries to connect.
>Any other idea?

I don't think there's any current solution -- I know of no kernel 
logging for Internet connection attempts, so the only choice is to 
catch it when it's current.

It might be possible to hack together something that uses ipfilter's 
log ability to detect, say, outbound SYN packets to particular ports, 
and then does an automated lsof or fstat.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com ("Firewalls" book)
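One way to wire up the ipfilter-log-plus-lsof approach Steve sketches, as an added example that is not from this thread or from NetBSD itself. It assumes an ipf rule that logs the outbound attempt (e.g. `block out log quick proto tcp from any to any port = 6544 flags S/SA`), that ipmon prints such lines in its usual "src,sport -> dst,dport PR tcp ... -S OUT" layout, and that lsof from pkgsrc is installed; the log lines below are constructed, not captured.

```shell
#!/bin/sh
# Constructed ipmon-style lines modelled on ipmon's output format (assumed,
# not taken from the thread). Only lines 1 and 5 are outbound SYNs to 6544:
# line 2 goes to port 22, line 3 is inbound, line 4 carries ACK+SYN (-AS).
SAMPLE_LOG='29/05/2002 10:47:40.123456 le0 @0:2 b 192.0.2.10,37528 -> 192.0.2.20,6544 PR tcp len 20 60 -S OUT
29/05/2002 10:47:41.223456 le0 @0:1 p 192.0.2.10,40000 -> 192.0.2.30,22 PR tcp len 20 60 -S OUT
29/05/2002 10:47:42.323456 le0 @0:2 b 192.0.2.20,6544 -> 192.0.2.10,37528 PR tcp len 20 60 -S IN
29/05/2002 10:47:43.423456 le0 @0:2 b 192.0.2.10,37529 -> 192.0.2.20,6544 PR tcp len 20 60 -AS OUT
29/05/2002 10:47:44.523456 le0 @0:2 b 192.0.2.10,37530 -> 192.0.2.20,6544 PR tcp len 20 60 -S OUT'

# Emit only the log lines that record an outbound TCP SYN (flags exactly "-S",
# direction OUT) whose destination port is $1. Reads ipmon lines on stdin.
# Field positions differ a little between ipmon versions, so the tokens are
# located by value rather than by fixed column.
outbound_syn_to_port() {
    awk -v port="$1" '
        {
            dport = ""; tcp = 0; syn = 0; out = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "->" && i < NF) { split($(i + 1), d, ","); dport = d[2] }
                else if ($i == "PR" && $(i + 1) == "tcp") tcp = 1
                else if ($i == "-S") syn = 1
                else if ($i == "OUT") out = 1
            }
            if (tcp && syn && out && dport == port) print
        }'
}

# Live use (root, ipmon reading /dev/ipl): every time the firewall logs a
# blocked SYN to the port, snapshot the socket's owner right away. A blocked
# connect() leaves the socket in SYN_SENT while the kernel retransmits, so
# lsof run at that moment has a far better chance than lsof run by hand.
watch_port() {
    ipmon | outbound_syn_to_port "$1" | while IFS= read -r line; do
        printf 'ipf: %s\n' "$line"
        lsof -n -i tcp:"$1"
    done
}

# Offline demonstration on the constructed lines; watch_port is not started.
printf '%s\n' "$SAMPLE_LOG" | outbound_syn_to_port 6544
```

Running the script prints the two constructed lines for ports 37528 and 37530; on a real host, call `watch_port 6544` instead.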