Security Basics mailing list archives

how to trace what is accessing the nic ?

From: "Bonmariage, Serge" <serge.bonmariage () GETRONICS com>
Date: Fri, 22 Apr 2005 15:45:04 +0200

Hi everyone,

There is happening something very strange on one of our Linux SMTP
gateway.
We've recently discovered that it is sending some strange TCP packets to
always the same private address.

[root@server1 root]# tcpdump -i eth0 
tcpdump: listening on eth0
14:29:50.226313 server1.mysite.com.59806 > 192.168.234.236.5860: S
312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658853393
0,nop,wscale 0> (DF)
14:29:53.222040 server1.mysite.com.59806 > 192.168.234.236.5860: S
312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658853693
0,nop,wscale 0> (DF)
14:29:59.222028 server1.mysite.com.59806 > 192.168.234.236.5860: S
312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658854293
0,nop,wscale 0> (DF)

However we don't detect any other abnormal acvtivity.

The question is quite basic but is there a way to trace which process is
trying to send these packets?

Thanks,

Serge Bonmariage
Getronics Belgium NV
www.getronics.com

Current thread:

how to trace what is accessing the nic ? Bonmariage, Serge (Apr 22)
- RE: how to trace what is accessing the nic ? Burton Strauss (Apr 25)
- Re: how to trace what is accessing the nic ? Andreas Putzo (Apr 25)
- <Possible follow-ups>
- RE: how to trace what is accessing the nic ? Joshua Berry (Apr 25)
- Re: how to trace what is accessing the nic ? H Carvey (Apr 25)
- RE: how to trace what is accessing the nic ? Bonmariage, Serge (Apr 25)
- RE: how to trace what is accessing the nic ? Simon Li (Apr 25)