
Re: To detect process sending net packets.



Thank You for Your time and answer, Kelly:

>>>Something like:
>>>netstat --inet -ap
>>>
>>>"--inet" so you are looking at network sockets rather than unix
>>>sockets, "-a" shows both established connections and listening
>>>processes, "-p" shows PID and process name.
>>
>> I have tried this but it did tell me what sends/receives packets...
>
>What do you mean? It certainly tells you what has a current
>connection, and what is listening. If there are no current connections
>it will not show anything, although you could maybe use -c to
>get it to repeat every second. It is true it does not show individual
>packets, but you don't need that to know what program is sending.
>What output do you get from it?

The problem is it does not tell me anything - being run under root
(sudo). This is all I get:

netstat --inet -ap -n

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name

:(

>> I have records from tcpdump as:
><snip>
>
>> So, here are several connections I see. Do You have an idea how I
>> can identify which process relates to each record - maybe related to
>> port/protocol?
>
>The ones that mention localnet.domain are DNS queries
>ICMP6 is the IPv6 version of ICMP (Ping and other control messages)
>IGMP is used for multicast control
>and finally, 6881 is the port for BitTorrent

OK. But how can I find the process IDs?

For I have closed all the user's network apps - still the machine
connects to the Internet - sends queries to DNS, BitTorrent - while the
user does not ask for it any more.

So, I am gonna find out who does all this work.

>Why tcpdump habitually uses a dot to separate the port number
>(or service name, like .domain) instead of the standard colon, I
>don't know.

That's OK - I recognize it. :)

>If you want to see the port number instead of the service name
>(e.g. 53 instead of domain), use the "-n" (numeric) option on
>tcpdump (and netstat for that matter). If you don't know a port
>number, google "port yyy".

Thanks again, Kelly.
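An added example (not part of the thread) showing what `netstat -p` does underneath and why it can come up empty: it joins the socket inodes listed in /proc/net/udp and /proc/net/tcp against the socket:[inode] links under /proc/<pid>/fd, and polls so that short-lived DNS and BitTorrent sockets are caught. The sample /proc/net/udp rows are constructed; the script assumes a Linux /proc layout and root privileges to see other users' processes.

```python
"""Join /proc/net/{udp,tcp} socket inodes to /proc/<pid>/fd, which is how
netstat -p finds a PID; poll with --watch to catch short-lived sockets."""
import glob, os, socket, struct, sys, time
# Constructed /proc/net/udp sample: resolver on 127.0.0.1:53, socket on UDP 6881 (BitTorrent).
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   7: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
   9: 00000000:1AE1 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 67890 2 0000000000000000 0
"""

def hex_addr(field):
    """'0100007F:0035' -> ('127.0.0.1', 53); the kernel prints IPv4 in host byte order."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("=I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net(text):
    """(local_ip, local_port, remote_ip, remote_port, uid, inode) per socket row."""
    rows = [line.split() for line in text.splitlines()[1:]]   # line 0 is the header
    return [hex_addr(f[1]) + hex_addr(f[2]) + (int(f[7]), int(f[9]))
            for f in rows if len(f) >= 10]

def inode_to_pid():
    """{socket_inode: (pid, comm)} from /proc/*/fd links; run as root to see all users."""
    table = {}
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            target = os.readlink(fd)
            if target.startswith("socket:["):
                pid = int(fd.split("/")[2])
                with open(f"/proc/{pid}/comm") as fh:
                    table[int(target[8:-1])] = (pid, fh.read().strip())
        except OSError:                 # process or fd vanished mid-scan
            pass
    return table

def owners(proc_text, pid_table):
    """Socket rows joined with their owner; (None, '?') when no visible fd maps."""
    return [(lip, lport, rip, rport) + pid_table.get(inode, (None, "?"))
            for lip, lport, rip, rport, _uid, inode in parse_proc_net(proc_text)]

if __name__ == "__main__":
    while True:
        table = inode_to_pid()
        for proto in ("udp", "tcp"):
            with open(f"/proc/net/{proto}") as fh:
                for lip, lport, rip, rport, pid, comm in owners(fh.read(), table):
                    print(f"{proto} {lip}:{lport} -> {rip}:{rport}  pid={pid} {comm}")
        if "--watch" not in sys.argv:
            break
        time.sleep(1)
```

IPv6 sockets live in /proc/net/udp6 and /proc/net/tcp6 with 128-bit hex addresses and are not parsed here.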

