RE: how to trace what is accessing the nic ?

["Joshua Berry" <jberry () PENSON COM>]

Yeah, you can do a netstat -anp which will show you all connections,
will not do the dns lookup and will show you the process associated with
that program.  Or, if you have lsof on your system you could run: lsof
-i tcp.  Also, it would be good if you dump the application level
traffic, I usually do something like:

tcpdump -i eth0 -vvvttttnnexXs 1500

This will put it in verbose mode, give you the timestamp, avoid dns
lookups, show the MAC addresses, display the data in ASCII and HEX, and
increase the amount of data you are looking at.


---
Josh Berry | CISSP GCIA 
Information Security
214-765-1296

-----Original Message-----
From: Bonmariage, Serge [mailto:serge.bonmariage () GETRONICS com] 
Sent: Friday, April 22, 2005 8:45 AM
To: security-basics () securityfocus com
Subject: how to trace what is accessing the nic ?

Hi everyone,

There is happening something very strange on one of our Linux SMTP
gateway.
We've recently discovered that it is sending some strange TCP packets to
always the same private address.

[root@server1 root]# tcpdump -i eth0 
tcpdump: listening on eth0
14:29:50.226313 server1.mysite.com.59806 > 192.168.234.236.5860: S
312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658853393
0,nop,wscale 0> (DF)
14:29:53.222040 server1.mysite.com.59806 > 192.168.234.236.5860: S
312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658853693
0,nop,wscale 0> (DF)
14:29:59.222028 server1.mysite.com.59806 > 192.168.234.236.5860: S
312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658854293
0,nop,wscale 0> (DF)

However we don't detect any other abnormal acvtivity.

The question is quite basic but is there a way to trace which process is
trying to send these packets?

Thanks,

Serge Bonmariage
Getronics Belgium NV
www.getronics.com