Reputation: 624
I can see from a tcpdump that an internal Linux server is trying to contact an outside computer approximately every 15 min: one UDP packet on port 6881 (bittorrent), that's all.
As this server isn't supposed to contact anyone, I want to find out what evil soul generated this packet, i.e. I need some information about the process (e.g. pid, file, ...).
Because the timespan is so short, I can't use netstat or lsof.
The process is likely to be active about half of a microsecond, then it gets a destination unreachable (port unreachable) from the firewall.
I have ssh access to the machine.
"How can I capture network packets per PID?" suggests using the tcpdump option -k; however, Linux tcpdump has no such option.
Upvotes: 1
Views: 869
Reputation: 760
You can do that with ptcpdump:
$ sudo ptcpdump -i any -c 2 port 80
2024/05/18 15:07:26 capturing...
15:07:32.109948 wlp4s0 Out IP (tos 0x0, ttl 64, id 19758, offset 0, flags [DF], ip_proto TCP (6), length 60)
192.168.1.50.48282 > 104.18.32.7.80: Flags [S], cksum 0x4a22, seq 638565084, win 64240, options [mss 1460,sackOK,TS val 3459351264 ecr 0,nop,wscale 7], length 0
Process (pid 1674620, cmd /usr/bin/curl, args curl stackoverflow.com)
15:07:32.520880 wlp4s0 In IP (tos 0x4, ttl 53, id 0, offset 0, flags [DF], ip_proto TCP (6), length 60)
104.18.32.7.80 > 192.168.1.50.48282: Flags [S.], cksum 0x56a1, seq 3079891173, ack 638565085, win 65160, options [mss 1400,sackOK,TS val 3122651013 ecr 3459351264,nop,wscale 13], length 0
Process (pid 1674620, cmd /usr/bin/curl, args curl stackoverflow.com)
2 packets captured
3 packets received by filter
0 packets dropped by kernel
Upvotes: 1
Reputation: 16381
You can't do this with TCPDump, obviously, but you can do this from the host itself. Especially since it's UDP with no state, and since you can't predict when the process will be listening, you should look into using the kernel audit capabilities. For example:
auditctl -a exit,always -F arch=b64 -F a0=2 -F a1\&=2 -S socket -k SOCKET
This instructs the kernel to generate an audit event whenever there is a socket call. With this done, you can then wait until you see the suspicious packet leave the machine and then use ausearch to track down not only the process, but the binary that made the call.
Upvotes: 1
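One way to turn the audit trail produced by that rule into a pid and binary, added here as an example (not part of the answer above): it parses raw audit.log SYSCALL records, re-applies the rule's AF_INET/SOCK_DGRAM test, and keeps only the socket() calls within a few seconds of the tcpdump timestamp of the packet. The audit lines, pids and paths below are constructed for illustration.

```python
import re

AF_INET, SOCK_DGRAM = 2, 2          # what the rule's a0=2 and a1&=2 test for

# Constructed raw audit.log lines (not real captures) of the kind the rule
# above produces. The arguments a0..a3 are written in hex: a socket opened
# as SOCK_DGRAM|SOCK_CLOEXEC appears as a1=80002, which is why the rule uses
# the bitmask operator a1&=2 instead of an equality test.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1716041191.004:501): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=2 a2=0 a3=0 items=0 ppid=1 pid=990 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" key="SOCKET"
type=SYSCALL msg=audit(1716041252.105:502): arch=c000003e syscall=41 success=yes exit=5 a0=2 a1=80002 a2=0 a3=0 items=0 ppid=1 pid=24817 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="upd" exe="/var/tmp/.cache/upd" key="SOCKET"
type=SYSCALL msg=audit(1716041252.300:503): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=3 a2=1 a3=0 items=0 ppid=1 pid=24817 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="upd" exe="/var/tmp/.cache/upd" key="SOCKET"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r'msg=audit\((\d+\.\d+):\d+\)')


def parse_syscall_record(line):
    """Split one raw type=SYSCALL record into a field dict with a float 'ts'."""
    m = TS_RE.search(line)
    if not line.startswith("type=SYSCALL") or m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["ts"] = float(m.group(1))
    return rec


def inet_dgram_socket_openers(log_text, packet_epoch, window=2.0):
    """Return (pid, comm, exe) of processes that successfully created an
    AF_INET datagram socket within +/- window seconds of packet_epoch.

    packet_epoch is the tcpdump timestamp of the suspicious packet as Unix
    time (tcpdump -tt prints timestamps in that form directly)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_syscall_record(line)
        if rec is None or rec.get("key") != "SOCKET" or rec.get("success") != "yes":
            continue
        family, socktype = int(rec["a0"], 16), int(rec["a1"], 16)
        # The rule's bitmask a1&=2 also lets SOCK_RAW (3) through, so compare
        # the type bits exactly after masking off SOCK_NONBLOCK/SOCK_CLOEXEC.
        if family != AF_INET or socktype & 0xF != SOCK_DGRAM:
            continue
        if abs(rec["ts"] - packet_epoch) <= window:
            hits.append((int(rec["pid"]), rec["comm"], rec["exe"]))
    return hits


if __name__ == "__main__":
    # Constructed: tcpdump -tt showed the port 6881 packet at 1716041252.109
    for pid, comm, exe in inet_dgram_socket_openers(SAMPLE_AUDIT_LOG, 1716041252.109):
        print(f"pid {pid} ({comm}) exe {exe}")
```

Because the process is gone by the time you look, the exe path from the audit record is the durable lead; the pid is only useful for matching other audit records from the same moment.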