Security Basics mailing list archives
RE: how to trace what is accessing the nic ?
From: "Rochford, Paul" <paul.rochford () hp com>
Date: Wed, 4 May 2005 13:56:18 +0100
Just run tcpdump on your server for the destination address and capture what is being sent.

A simple 'tcpdump dst host 192.168.234.236' should do it. This will print to the screen. To dump to a file add '-w output.txt' at the end. You will need to do a 'tcpdump -r output.txt' to read the file back in for viewing afterwards.

Kind Regards,
Paul Rochford

-----Original Message-----
From: Balaji Prasad [mailto:bpmlist () sonic net]
Sent: Saturday, April 30, 2005 5:13 PM
To: security-basics () securityfocus com
Subject: Re: how to trace what is accessing the nic ?

One simple way is to use the linux command "lsof" and filter for port 59806 (your source port). It should list out the program(s) that are opening/listening on the socket.

- Balaji

Bonmariage, Serge:

Hi everyone,

Something very strange is happening on one of our Linux SMTP gateways. We've recently discovered that it is sending some strange TCP packets, always to the same private address.

[root@server1 root]# tcpdump -i eth0
tcpdump: listening on eth0
14:29:50.226313 server1.mysite.com.59806 > 192.168.234.236.5860: S 312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658853393 0,nop,wscale 0> (DF)
14:29:53.222040 server1.mysite.com.59806 > 192.168.234.236.5860: S 312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658853693 0,nop,wscale 0> (DF)
14:29:59.222028 server1.mysite.com.59806 > 192.168.234.236.5860: S 312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658854293 0,nop,wscale 0> (DF)

However, we don't detect any other abnormal activity. The question is quite basic, but is there a way to trace which process is trying to send these packets?

Thanks,
Serge Bonmariage
Getronics Belgium NV
www.getronics.com
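The socket-to-process lookup that lsof performs for this case, as an added example that is not part of the original thread: it finds sockets stuck in SYN_SENT toward 192.168.234.236:5860 in /proc/net/tcp and resolves each socket inode to the PIDs holding it. The function names, the sample table and its inode number are constructed for illustration, and the address decoding assumes a little-endian host.

```python
import os
import socket
import struct

SYN_SENT = 0x02  # TCP state code as printed in the "st" column of /proc/net/tcp

# Constructed sample in /proc/net/tcp layout; addresses, uid and inodes are made up.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1
   1: 0A00000A:E99E ECEAA8C0:16E4 02 00000001:00000000 01:000002EE 00000002     0        0 48213 2
"""

def decode_addr(field):
    """Turn '0100007F:0019' into ('127.0.0.1', 25) (little-endian host assumed)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def sockets_to(table_text, dst_ip, dst_port, state=SYN_SENT):
    """Return (local_port, inode) for each socket to dst_ip:dst_port in `state`."""
    hits = []
    for line in table_text.splitlines()[1:]:  # skip the column header
        f = line.split()
        if len(f) >= 10 and int(f[3], 16) == state \
                and decode_addr(f[2]) == (dst_ip, dst_port):
            hits.append((decode_addr(f[1])[1], int(f[9])))
    return hits

def owners(inode, proc_root="/proc"):
    """Return sorted PIDs that hold a descriptor pointing at socket:[inode]."""
    pids = set()
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not running as root
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:  # descriptor closed while scanning
                continue
            if target == f"socket:[{inode}]":
                pids.add(int(pid))
    return sorted(pids)

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        for port, inode in sockets_to(fh.read(), "192.168.234.236", 5860):
            print(port, inode, owners(inode))
```

Run it as root while the SYN retries are still in flight; once the connection attempt times out the socket disappears from the table, so looping the lookup may be needed to catch an intermittent sender.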