
Re: To detect process sending netpackets.



Thank you for your time and answer, Kelly:

>> On a desktop system I have noticed a bit of network traffic whereas
>> users do not run any network software...
>>
>> How do I find out which process on the system does send/receive
>> network packets?
>
>Something like:
>netstat --inet -ap
>
>"--inet" so you are looking at network sockets rather than unix
>sockets, "-a" shows both established connections and listening
>processes, "-p" shows PID and process name.

I have tried this but it did tell me what sends/receives packets...

I have records from tcpdump as:

15:26:41.796962 IP n219078177226.netvigator.com.20026 > dark.6881: UDP, length 98
15:26:41.843163 IP dark.60324 > 192-168-0-001.localnet.domain: 18791+ PTR? 226.177.78.219.in-addr.arpa. (45)
15:26:42.188001 IP 109.166.130.88.57922 > dark.6881: UDP, length 103
15:26:42.240489 IP 192-168-0-001.localnet.domain > dark.60324: 18791 1/2/2 PTR n219078177226.netvigator.com. (155)
15:26:42.241167 IP dark.55090 > 192-168-0-001.localnet.domain: 33349+ PTR? 1.0.168.192.in-addr.arpa. (42)
15:26:42.252990 IP dark.50010 > 192-168-0-001.localnet.domain: 35194+ PTR? 1.0.168.192.in-addr.arpa. (42)
15:26:42.427152 IP 0.0.0.0 > all-systems.mcast.net: igmp query v2
15:26:42.427204 IP6 fe80::219:b9ff:fe53:3418 > ip6-allnodes: HBH ICMP6, multicast listener querymax resp delay: 1000 addr: ::, length 24
15:26:42.440462 IP 192-168-0-001.localnet.domain > dark.55090: 33349* 1/2/2 PTR 192-168-0-001.localnet. (151)
15:26:42.441035 IP 192-168-0-001.localnet.domain > dark.50010: 35194 1/0/0 PTR 192-168-0-001.localnet. (78)
15:26:42.441084 IP dark.51993 > 192-168-0-001.localnet.domain: 25411+ PTR? 88.130.166.109.in-addr.arpa. (45)
15:26:42.584183 IP n219079146094.netvigator.com.45846 > dark.6881: UDP, length 98

So, here are several connections I see. Do you have an idea how I can
identify which process relates to each record, maybe by
port/protocol?
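As an added example (not part of this thread), a small bash script that pulls the local ports out of tcpdump records like the ones above and looks each one up with ss, falling back to the netstat --inet -anp approach Kelly suggested. The host name "dark" and the sample capture lines are taken from the message; the script and its function names are assumptions.

```bash
#!/bin/bash
# Constructed sample: tcpdump records from the message, one per line.
# "dark" is the capturing host, so the port attached to "dark" is the local one.
SAMPLE_TCPDUMP='15:26:41.796962 IP n219078177226.netvigator.com.20026 > dark.6881: UDP, length 98
15:26:41.843163 IP dark.60324 > 192-168-0-001.localnet.domain: 18791+ PTR? 226.177.78.219.in-addr.arpa. (45)
15:26:42.188001 IP 109.166.130.88.57922 > dark.6881: UDP, length 103
15:26:42.241167 IP dark.55090 > 192-168-0-001.localnet.domain: 33349+ PTR? 1.0.168.192.in-addr.arpa. (42)
15:26:42.427152 IP 0.0.0.0 > all-systems.mcast.net: igmp query v2
15:26:42.584183 IP n219079146094.netvigator.com.45846 > dark.6881: UDP, length 98'

# Print the distinct local ports seen in tcpdump records read from stdin.
# $1 is the local host name as tcpdump prints it; tcpdump writes "host.port"
# for both ends of a packet, so the local end may be on either side of ">".
local_ports() {
    local host="$1"
    grep -oE "(^|[ >])${host}\.[0-9]+[: ]" | grep -oE '[0-9]+' | sort -nu
}

# Show which socket owns a local port, with PID and program name.
# Other users' PIDs are only visible when run as root.
owner_of_port() {
    local port="$1"
    if command -v ss >/dev/null 2>&1; then
        # -H: no header, -a: all sockets, -n: numeric, -p: owning process
        ss -Hanp "( sport = :${port} )"
    else
        # netstat column 4 is the local address, e.g. 0.0.0.0:6881
        netstat --inet -anp 2>/dev/null | awk -v p=":${port}\$" '$4 ~ p'
    fi
}

# Usage: script.sh <local-host-name> [tcpdump-output-file]
# Without a file the constructed sample above is used.
main() {
    local host="$1" capture
    if [ -n "${2:-}" ]; then capture="$(cat "$2")"; else capture="$SAMPLE_TCPDUMP"; fi
    for port in $(printf '%s\n' "$capture" | local_ports "$host"); do
        printf '== local port %s ==\n' "$port"
        owner_of_port "$port"
    done
}

if [ -n "${1:-}" ]; then main "$@"; fi
```

With the sample capture, the script reports ports 6881, 55090 and 60324; the short-lived DNS client ports (55090, 60324) will usually be gone by the time ss runs, while a listener such as 6881 should still show its owning process.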

