
Re: To detect process sending netpackets.



On Tue, 13 Dec 2011 01:07:42 +0700
Sthu Deus <sthu.deus@gmail.com> wrote:

> Thank You for Your time and answer, Kelly:
> 
> >> On a desktop system I have noticed a bit of network traffic whereas
> >> users do not run any network software...
> >>
> >> How do I find out which process on the system does send/receive
> >> network packets?
> >
> >Something like:
> >netstat --inet -ap
> >
> >"--inet" so you are looking at network sockets rather than unix
> >sockets, "-a" shows both established connections and listening
> >processes, "-p" shows PID and process name.
> 
> I have tried this but it did tell me what sends/receives packets...
> 
> I have records from tcpdump as:
> 
> 15:26:41.796962 IP n219078177226.netvigator.com.20026 > dark.6881:
> UDP, length 98
> 
> 15:26:41.843163 IP dark.60324 > 192-168-0-001.localnet.domain: 18791+
> PTR? 226.177.78.219.in-addr.arpa. (45)
> 
> 15:26:42.188001 IP 109.166.130.88.57922 > dark.6881: UDP, length 103
> 
> 15:26:42.240489 IP 192-168-0-001.localnet.domain > dark.60324: 18791
> 1/2/2 PTR n219078177226.netvigator.com. (155)
> 
> 15:26:42.241167 IP dark.55090 > 192-168-0-001.localnet.domain: 33349+
> PTR? 1.0.168.192.in-addr.arpa. (42)
> 
> 15:26:42.252990 IP dark.50010 > 192-168-0-001.localnet.domain: 35194+
> PTR? 1.0.168.192.in-addr.arpa. (42)
> 
> 15:26:42.427152 IP 0.0.0.0 > all-systems.mcast.net: igmp query v2
> 
> 15:26:42.427204 IP6 fe80::219:b9ff:fe53:3418 > ip6-allnodes: HBH
> ICMP6, multicast listener querymax resp delay: 1000 addr: ::, length
> 24
> 
> 15:26:42.440462 IP 192-168-0-001.localnet.domain > dark.55090: 33349*
> 1/2/2 PTR 192-168-0-001.localnet. (151)
> 
> 15:26:42.441035 IP 192-168-0-001.localnet.domain > dark.50010: 35194
> 1/0/0 PTR 192-168-0-001.localnet. (78)
> 
> 15:26:42.441084 IP dark.51993 > 192-168-0-001.localnet.domain: 25411+
> PTR? 88.130.166.109.in-addr.arpa. (45)
> 
> 15:26:42.584183 IP n219079146094.netvigator.com.45846 > dark.6881:
> UDP, length 98
> 
> So, here are several connections I see. Do You have an idea how I can
> identify which process relates to each record - maybe related to
> port/protocol?
> 
> 

Run netstat as root to see the PIDs and program names of everything,
otherwise it will only show you that data for processes you own.

If you also use the -n flag, it will run much faster as it won't do DNS
or service name lookups. Some of the service names may be misleading
anyway, as they are looked up from a file. The program name is more
useful.

-- 
Joe
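As an added example (not part of this thread), a small POSIX shell helper that joins the two tools discussed: it pulls the local ports of host "dark" out of tcpdump lines in the format quoted above and looks each one up in `netstat --inet -anp` output (run as root, with -n as suggested). Both inputs are constructed samples embedded inline; the host name, PIDs and program names are made up for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat --inet -anp` output as root (not real data).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
udp        0      0 0.0.0.0:6881            0.0.0.0:*                           2314/example-client
udp        0      0 192.168.0.5:60324       0.0.0.0:*                           2451/resolver-stub'

# Constructed tcpdump lines in the same format as the capture quoted above.
SAMPLE_TCPDUMP='15:26:41.796962 IP n219078177226.netvigator.com.20026 > dark.6881: UDP, length 98
15:26:41.843163 IP dark.60324 > 192-168-0-001.localnet.domain: 18791+ PTR? 226.177.78.219.in-addr.arpa. (45)'

# Print every local port on which the named host appears as source or
# destination in the capture ("host.port" fields, trailing colon stripped).
local_ports() {
    host="$1"
    printf '%s\n' "$SAMPLE_TCPDUMP" | awk -v h="$host" '
        {
            for (i = 1; i <= NF; i++) {
                f = $i; sub(/:$/, "", f)
                if (index(f, h ".") == 1) print substr(f, length(h) + 2)
            }
        }' | sort -u
}

# Report PID/Program for a local port: the port is the text after the last
# colon of the "Local Address" column (field 4); the header line is skipped.
owner_of_port() {
    port="$1"
    printf '%s\n' "$SAMPLE_NETSTAT" | awk -v p="$port" '
        NR > 1 { n = split($4, a, ":"); if (a[n] == p) print $NF }'
}

# Join the two views. A port with no owner means no socket was open when
# netstat ran: short-lived sockets (one DNS query, for instance) are easily
# missed, so repeat netstat, or run it in a loop while capturing.
attribute() {
    for port in $(local_ports "$1"); do
        owner=$(owner_of_port "$port")
        printf '%s %s\n' "$port" "${owner:-(no socket open at netstat time)}"
    done
}
```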

