RE: how to trace what is accessing the nic ?

["Rochford, Paul" <paul.rochford () hp com>]

Just run tcpdump on your server for the destination address and capture
what is being sent. 

A simple 'tcpdump dst host 192.168.234.236' should do it. This will
print to the screen. To dump to a file add '-w output.txt' at the end.
You will need to do a 'tcpdump -r output.txt' to read the file back in
for viewing afterwards.


Kind Regards,
Paul Rochford 

-----Original Message-----
From: Balaji Prasad [mailto:bpmlist () sonic net] 
Sent: Saturday, April 30, 2005 5:13 PM
To: security-basics () securityfocus com
Subject: Re: how to trace what is accessing the nic ?

One simple way is to use the linux command "lsof" and filter for port
59806 (your source port). It should list out the program(s) that are
opening/listening on the socket.

- Balaji

#> Bonmariage, Serge#>
> Hi everyone,
>
> There is happening something very strange on one of our Linux SMTP 
> gateway.
> We've recently discovered that it is sending some strange TCP packets 
> to always the same private address.
>
> [root@server1 root]# tcpdump -i eth0
> tcpdump: listening on eth0
> 14:29:50.226313 server1.mysite.com.59806 > 192.168.234.236.5860: S
> 312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658853393 
> 0,nop,wscale 0> (DF) 14:29:53.222040 server1.mysite.com.59806 > 
> 192.168.234.236.5860: S
> 312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658853693 
> 0,nop,wscale 0> (DF)
> 14:29:59.222028 server1.mysite.com.59806 > 192.168.234.236.5860: S
> 312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658854293 
> 0,nop,wscale 0> (DF)
>
> However we don't detect any other abnormal acvtivity.
>
> The question is quite basic but is there a way to trace which process 
> is trying to send these packets?
>
> Thanks,
>
> Serge Bonmariage
> Getronics Belgium NV
> www.getronics.com