
Re: packet -> PID mapping? (was look up process)




On 13 Oct 1998, David S. Zelinsky wrote:

<snip> 
> > I was having trouble with diald bringing up the line. A dump of the
> > /var/log/ppp.log showed something connecting to local (127.0.0.1) and
> > sending a DNS request (port 53 on destination IP). Is there a way to query a
> > connection to find out which process is doing the connection? I'd sure like to
> > know what was connecting thru local and requesting DNS.
> 
> In other words, is there a way to find out which *process* is the source or
> destination of a packet?  The diald packet queue (and the packets themselves)
> contain only the port number.  The port numbers must, I suppose, be mapped to
> PIDs, somewhere in the kernel.  How can I get my hands on that information?
<snip> 

	The program 'lsof' does just that.  If you are using a stock
Debian kernel you can just install the package 'lsof'.  If you are running
a kernel you built yourself it is best to get the source code to lsof and
build it yourself ('specially if you're running a 2.1.1XX kernel).  I would
suggest getting and compiling your own anyways but if the supplied binary
works for you then great :>  Here is a list of mirrors for the lsof source
code.

ftp://ftp.crc.doc.ca/packages/lsof 
ftp://vic.cc.purdue.edu//pub/tools/unix/lsof
ftp://ftp.sunet.se/pub/unix/admin/lsof
ftp://ftp.cert.dfn.de/pub/tools/admin/lsof
ftp://ftp.unicamp.br/pub/unix-tools/lsof
ftp://ftp.web.ad.jp/pub/UNIX/tools/lsof
ftp://ftp.tau.ac.il/pub/unix/admin

	Once you have it installed here is a quick hint to get you on your
way.
lsof -i udp:53
lsof -i tcp:1597
lsof -i tcp:ftp
	You can use port numbers or service names, it does not matter.
Lsof will by default tell you every open file and socket on your system so
make sure to pipe through more or less.  Lastly, I just woke up so if this
makes no sense please excuse me :>

				mike...
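
Added example, not part of the original message and not lsof's own code: the port -> socket inode -> PID lookup asked about above, done by hand on Linux. It assumes the /proc/net/udp and /proc/<pid>/fd layout of current Linux kernels and IPv4 on a little-endian host; the function names and the sample table are constructed for illustration.

```python
import os, socket, struct

# Constructed sample in the layout of Linux /proc/net/udp (not captured from a real host).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4242 2 0000000000000000 0
   1: 0100007F:0400 0100007F:0035 01 00000000:00000000 00:00000000 00000000  1000        0 5151 2 0000000000000000 0
"""

def parse_endpoint(field):
    """Decode 'HEXADDR:HEXPORT' (IPv4 address stored little-endian) into (ip, port)."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)

def sockets_using_port(table_text, port):
    """Return the sockets whose local or remote port equals `port`."""
    rows = []
    for line in table_text.splitlines()[1:]:      # skip the header line
        f = line.split()
        if len(f) < 10:
            continue
        local, remote = parse_endpoint(f[1]), parse_endpoint(f[2])
        if port in (local[1], remote[1]):
            rows.append({"local": local, "remote": remote,
                         "uid": int(f[7]), "inode": int(f[9])})
    return rows

def pids_for_inode(inode, proc="/proc"):
    """PIDs holding an fd linked to socket:[inode]; run as root to see other users' processes."""
    if not os.path.isdir(proc):
        return []
    target, pids = f"socket:[{inode}]", []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    pids.append(int(pid))
                    break
        except OSError:
            continue                              # process exited or permission denied
    return sorted(pids)

if __name__ == "__main__":
    for row in sockets_using_port(SAMPLE_PROC_NET_UDP, 53):
        print(row, "pids:", pids_for_inode(row["inode"]))
```

On a live system, pass the contents of /proc/net/udp (or /proc/net/tcp, which uses the same columns) instead of the sample table.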