Re: To detect process sending net packets.
Thank you for your time and answer, Kelly:
>>>Something like:
>>>netstat --inet -ap
>>>
>>>"--inet" so you are looking at network sockets rather than unix
>>>sockets, "-a" shows both established connections and listening
>>>processes, "-p" shows PID and process name.
>>
>> I have tried this but it didn't tell me what sends/receives packets...
>
>What do you mean? It certainly tells you what has a current
>connection, and what is listening. If there are no current connections
>it will not show anything, although you could maybe use -c to
>get it to repeat every second. It is true it does not show individual
>packets, but you don't need that to know what program is sending.
>What output do you get from it?
The problem is it does not tell me anything, even when run as root
(sudo). This is all I get:
netstat --inet -ap -n
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
:(
>> I have records from tcpdump as:
><snip>
>
>> So, here are several connections I see. Do you have an idea how I
>> can identify which process relates to each record, maybe by
>> port/protocol?
>
>The ones that mention localnet.domain are DNS queries
>ICMP6 is the IPv6 version of ICMP (Ping and other control messages)
>IGMP is used for multicast control
>and finally, 6881 is the port for BitTorrent
OK. But how can I find the process IDs?
For I have closed all the user's network apps, and still the machine
connects to the Internet, sending queries to DNS and BitTorrent, while
the user no longer asks for it.
So I am going to find out who does all this work.
>Why tcpdump habitually uses a dot to separate the port number
>(or service name, like .domain) instead of the standard colon, I
>don't know.
That's OK - I recognize it. :)
>If you want to see the port number instead of the service name
>(e.g. 53 instead of domain), use the "-n" (numeric) option on
>tcpdump (and netstat for that matter). If you don't know a port
>number, google "port yyy".
Thanks again, Kelly.
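Editor's added example, not part of the thread above and not Kelly's or the poster's code. Two things explain the empty netstat output: `--inet` only lists IPv4 sockets (add `--inet6`, or use `-A inet,inet6`, to see the ICMP6-era traffic), and the DNS and BitTorrent UDP sockets in the tcpdump capture exist only for the duration of a lookup or a tracker packet, so a single snapshot taken while the machine is idle is usually empty. The script below does what netstat -p does under the hood, reading `/proc/net/{tcp,udp,tcp6,udp6}` directly and matching the socket inode against every `/proc/<pid>/fd/*` symlink, so it can be polled in a tight loop to catch short-lived sockets. It assumes Linux with `/proc` mounted and is run as root so other users' fd directories are readable; the port numbers in the usage comments are just the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: find which process owns a socket on a
# given local port by reading /proc/net/{tcp,udp,tcp6,udp6} directly and
# matching the socket inode against /proc/<pid>/fd/*. Run as root so that
# other users' /proc/<pid>/fd directories are readable.

# /proc/net/tcp|udp store IPv4 addresses as little-endian hex, "0100007F:0035"
# meaning 127.0.0.1:53. Decode one such field into dotted-decimal:port.
decode_v4() {
    hexip=${1%%:*}
    hexport=${1##*:}
    printf '%d.%d.%d.%d:%d\n' \
        "$((0x$(printf '%s' "$hexip" | cut -c7-8)))" \
        "$((0x$(printf '%s' "$hexip" | cut -c5-6)))" \
        "$((0x$(printf '%s' "$hexip" | cut -c3-4)))" \
        "$((0x$(printf '%s' "$hexip" | cut -c1-2)))" \
        "$((0x$hexport))"
}

# Print "local_address inode" for every row of a /proc/net table ($2) whose
# local port equals $1 (decimal). Field 2 is local_address, field 10 is inode.
entries_for_port() {
    hexport=$(printf '%04X' "$1")
    awk -v p="$hexport" 'NR > 1 && $2 ~ (":" p "$") { print $2, $10 }' "$2"
}

# Walk every /proc/<pid>/fd/* symlink looking for "socket:[<inode>]" and print
# the owning PID with its command line.
pid_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    done
}

# Report the owner of every socket bound to local port $1, IPv4 and IPv6,
# TCP and UDP. Inode 0 means the kernel holds the socket without a process
# (for example TIME_WAIT), so there is nothing to look up for it.
port_owner() {
    for table in tcp udp tcp6 udp6; do
        [ -r "/proc/net/$table" ] || continue
        entries_for_port "$1" "/proc/net/$table" | while read -r laddr ino; do
            if [ "$ino" = 0 ]; then
                continue
            fi
            case $table in tcp|udp) laddr=$(decode_v4 "$laddr") ;; esac
            owner=$(pid_for_inode "$ino")
            printf '%s %s -> %s\n' "$table" "$laddr" \
                "${owner:-no owner found (socket already closed?)}"
        done
    done
}

# Usage: sudo ./port_owner.sh 6881
# DNS client sockets live only for one round trip, so poll to catch them:
#   while :; do sudo ./port_owner.sh 53; sleep 0.1; done
if [ $# -gt 0 ]; then
    port_owner "$1"
fi
```

On a modern system `ss -tunap` (and `ss -tunap | grep :6881`) gives the same inode-to-PID mapping in one command, and a polling loop around it serves the same purpose; the script is here to show what that mapping actually consists of and why an idle snapshot can legitimately be empty.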