
Re: To detect process sending netpackets.



On Mon, Dec 12, 2011 at 10:07, Sthu Deus <sthu.deus@gmail.com> wrote:
> Thank You for Your time and answer, Kelly:
>
>>> On a desktop system I have noticed a bit of network traffic whereas
>>> users do not run any network software...
>>>
>>> How do I find out which process on the system does send/receive
>>> network packets?
>>
>>Something like:
>>netstat --inet -ap
>>
>>"--inet" so you are looking at network sockets rather than unix
>>sockets, "-a" shows both established connections and listening
>>processes, "-p" shows PID and process name.
>
> I have tried this but it did tell me what sends/receives packets...

What do you mean? It certainly tells you what has a current
connection, and what is listening. If there are no current connections
it will not show anything, although you could maybe use -c to
get it to repeat every second. It is true it does not show individual
packets, but you don't need that to know what program is sending.
What output do you get from it?

> I have records from tcpdump as:
<snip>

> So, here are several connections I see. Do You have an idea, How I can
> identify which process relate to each record - may related to
> port/protocol?

The ones that mention localnet.domain are DNS queries
ICMP6 is the IPv6 version of ICMP (Ping and other control messages)
IGMP is used for multicast control
and finally, 6881 is the port for BitTorrent

Why tcpdump habitually uses a dot to separate the port number
(or service name, like .domain) instead of the standard colon, I
don't know.

If you want to see the port number instead of the service name
(e.g. 53 instead of domain), use the "-n" (numeric) option on
tcpdump (and netstat for that matter). If you don't know a port
number, google "port yyy".

Cheers,
Kelly Clowers
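The join Kelly describes above (take the port numbers out of a `tcpdump -n` capture, look each one up in `netstat --inet -anp` to find the owning PID/program) can be scripted. The example below is added here and is not code from the thread; the tcpdump and netstat lines it parses are constructed sample data, including a hypothetical BitTorrent client named `btclient` on the standard 6881 port. It also shows the caveat raised above: a short-lived socket (here a DNS query from an ephemeral port) that has already closed when netstat runs simply has no owner in the snapshot, which is why netstat has to be repeated (`-c`) or run while the traffic is happening. Note that `netstat -p` only reports PIDs for other users' processes when run as root.

```shell
#!/bin/sh
# Added example, not from the original message. All sample data below is
# constructed. Assumes tcpdump was run with -n (numeric ports, so ".53"
# rather than ".domain") and netstat with "--inet -anp" (numeric, all
# sockets, with PID/Program name). Both tools use different separators:
# tcpdump writes host.port, netstat writes host:port.

# Constructed tcpdump -n output from a desktop at 192.168.1.10.
TCPDUMP_SAMPLE='12:00:01.000000 IP 192.168.1.10.47822 > 192.168.1.1.53: 12345+ A? debian.org. (28)
12:00:02.000000 IP 192.168.1.10.51413 > 203.0.113.7.6881: Flags [S], seq 1, win 29200, length 0
12:00:03.000000 IP 203.0.113.7.6881 > 192.168.1.10.51413: Flags [S.], seq 2, ack 2, win 28960, length 0
12:00:04.000000 IP 192.168.1.10.47822 > 192.168.1.1.53: 12346+ AAAA? debian.org. (28)'

# Constructed netstat --inet -anp snapshot taken a moment later. The DNS
# socket on 47822 has already closed and so is absent; "btclient" and
# the PIDs are hypothetical names/numbers.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.10:51413      203.0.113.7:6881        ESTABLISHED 2345/btclient
udp        0      0 0.0.0.0:68              0.0.0.0:*                           987/dhclient'

# attribute_flows TCPDUMP_OUTPUT NETSTAT_OUTPUT LOCAL_IP
# Prints one line per local port seen in the capture with the process
# netstat attributes to it, or "unknown" when no socket was listed.
attribute_flows() {
    printf '%s\n===\n%s\n' "$2" "$1" | awk -v me="$3" '
        $0 == "===" { in_dump = 1; next }

        # netstat section: field 4 is "local_addr:port", last field is
        # "PID/Program" (only present for sockets we are allowed to see).
        !in_dump && $1 ~ /^(tcp|udp)/ && $NF ~ /^[0-9]+\// {
            lport = $4; sub(/.*:/, "", lport)
            owner[lport] = $NF
            next
        }

        # tcpdump -n section: "TIME IP a.b.c.d.sport > e.f.g.h.dport: ..."
        # The port is the fifth dot-separated field of an IPv4 endpoint.
        in_dump && $2 == "IP" && $4 == ">" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            n = split(src, a, "."); shost = a[1] "." a[2] "." a[3] "." a[4]; sport = a[n]
            m = split(dst, b, "."); dhost = b[1] "." b[2] "." b[3] "." b[4]; dport = b[m]
            if (shost == me)      { lport = sport; peer = dst }
            else if (dhost == me) { lport = dport; peer = src }
            else next                       # neither side is us; skip
            if (lport in seen) next         # report each local port once
            seen[lport] = 1
            who = (lport in owner) ? owner[lport] : "unknown (no socket at snapshot time)"
            printf "local port %s <-> %s : %s\n", lport, peer, who
        }
    '
}

attribute_flows "$TCPDUMP_SAMPLE" "$NETSTAT_SAMPLE" 192.168.1.10
```

Run against the sample data it reports port 51413 as owned by `2345/btclient` and port 47822 (the DNS query) as unknown, which is exactly the case where a single netstat snapshot is too late and `netstat -c` or a live run during the traffic is needed.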

