HPE Community
Operating System - HP-UX
1834737 Members
3029 Online
110070 Solutions
New Discussion

How do I find process that is sending outgoing packets?

 
SOLVED
Go to solution
B. Chapman
Frequent Advisor

‎03-10-2005 09:51 AM

‎03-10-2005 09:51 AM

How do I find process that is sending outgoing packets?

Admins,

My Net/Security admin says that I have something going OUT of my system that's attempting communication to an unknown host. Not sure what tool he's using to trap the packets, but here's what he sent me:

Number: 17342

Date: 10Mar2005

Time: 16:02:26

Service: https (443)

Source: profit14.cc.telcordia.com (128.96.28.14)

Destination: 10.8.137.9

Protocol: tcp

Rule: 131

Source Port: 49830



Number: 22326

Date: 10Mar2005

Time: 16:03:12

Service: https (443)

Source: profit14.cc.telcordia.com (128.96.28.14)

Destination: 10.8.137.9

Protocol: tcp

Rule: 131

Source Port: 49830



My question - what commands/tools can I use to find the offending process?

Thanks in advance...

Later,
Ben Chapman
bchapman@telcordia.com
0 Kudos
3 REPLIES 3
John Payne_2
Honored Contributor

‎03-10-2005 10:13 AM

‎03-10-2005 10:13 AM

Solution

Re: How do I find process that is sending outgoing packets?

A tool to use is lsof. (I'd say THE tool, really.) It can be found at the porting center: http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/lsof-4.71/

lsof -i @10.8.137.9

This will list all processes with traffic out to this address in the following format:

Host1: /# lsof -i tcp:22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

sshd 849 root 4u inet 0x48293c68 0t0 TCP *:ssh (LISTEN)

sshd: 3120 root 5u inet 0x5798e668 0t4617360 TCP host1.byu.edu:ssh-> host2.byu.edu:36408 (ESTABLISHED)

sshd: 12337 root 5u inet 0x60903c68 0t643716 TCP host1.byu.edu:ssh-> 10.0.2.106:1144 (ESTABLISHED)

You will then have the command and pid of the offender.

By the way, it's not all that good of an idea to post your real hostname and address on the net. (Just change them before you post...)

Hope it helps

John
Spoon!!!!
0 Kudos
Biswajit Tripathy
Honored Contributor

‎03-10-2005 10:25 AM

‎03-10-2005 10:25 AM

Re: How do I find process that is sending outgoing packets?

As John already suggested, lsof is the application you
should use.

Note that both the outgoing packets were sent from
same source port (49830) about a minute apart. So
my guess is, if you grep for 49830 in the lsof output,
the application must still be using that port and should
show up in the output.

- Biswajit
:-)
0 Kudos
B. Chapman
Frequent Advisor

‎03-10-2005 10:28 AM

‎03-10-2005 10:28 AM

Re: How do I find process that is sending outgoing packets?

Many thanks to both... And you're absolutely right about using my hostnames and such (too late now!) It's been a long day...
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.