Security Basics mailing list archives
RE: how to trace what is accessing the nic ?
From: "Joshua Berry" <jberry () PENSON COM>
Date: Fri, 22 Apr 2005 13:38:20 -0500
Yeah, you can do a netstat -anp which will show you all connections, will not do the dns lookup and will show you the process associated with that program. Or, if you have lsof on your system you could run: lsof -i tcp. Also, it would be good if you dump the application level traffic, I usually do something like: tcpdump -i eth0 -vvvttttnnexXs 1500 This will put it in verbose mode, give you the timestamp, avoid dns lookups, show the MAC addresses, display the data in ASCII and HEX, and increase the amount of data you are looking at. --- Josh Berry | CISSP GCIA Information Security 214-765-1296 -----Original Message----- From: Bonmariage, Serge [mailto:serge.bonmariage () GETRONICS com] Sent: Friday, April 22, 2005 8:45 AM To: security-basics () securityfocus com Subject: how to trace what is accessing the nic ? Hi everyone, There is happening something very strange on one of our Linux SMTP gateway. We've recently discovered that it is sending some strange TCP packets to always the same private address. [root@server1 root]# tcpdump -i eth0 tcpdump: listening on eth0 14:29:50.226313 server1.mysite.com.59806 > 192.168.234.236.5860: S 312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658853393 0,nop,wscale 0> (DF) 14:29:53.222040 server1.mysite.com.59806 > 192.168.234.236.5860: S 312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658853693 0,nop,wscale 0> (DF) 14:29:59.222028 server1.mysite.com.59806 > 192.168.234.236.5860: S 312929991:312929991(0) win 5840 <mss 1460,sackOK,timestamp 1658854293 0,nop,wscale 0> (DF) However we don't detect any other abnormal acvtivity. The question is quite basic but is there a way to trace which process is trying to send these packets? Thanks, Serge Bonmariage Getronics Belgium NV www.getronics.com
Current thread:
- how to trace what is accessing the nic ? Bonmariage, Serge (Apr 22)
- RE: how to trace what is accessing the nic ? Burton Strauss (Apr 25)
- Re: how to trace what is accessing the nic ? Andreas Putzo (Apr 25)
- <Possible follow-ups>
- RE: how to trace what is accessing the nic ? Joshua Berry (Apr 25)
- Re: how to trace what is accessing the nic ? H Carvey (Apr 25)
- RE: how to trace what is accessing the nic ? Bonmariage, Serge (Apr 25)
- RE: how to trace what is accessing the nic ? Simon Li (Apr 25)