unexplained Mandrake 8.2 traffic

mr.moto · 08-25-2002, 11:01 PM

netstat shows some kind of root process ( ports 1024 and below )

connecting to a foreign address of 0.0.0.0:*

its a udp packet

it connects for a second then disconnects

the local address port number increases each connect up to 1024
( 0.0.0.0:782 ) ( 0.0.0.0:789 )

there shouldn't be any servers on this system

its a stand alone dial up connection

Mandrake 8.2

What the heck is this ?

rohang · 08-26-2002, 02:43 AM

Have you tried using lsof (list open files) and looking for something that seems out of the ordinary?

KayJay · 08-26-2002, 03:55 AM

0.0.0.0 means all ip's
port 1024 udp is a reserved port
so find out what service u have running that can connect to every address

mr.moto · 08-26-2002, 11:54 PM

So is this process just spewing packets out onto the internet ?

My mission should be to hunt it down and kill it ?

I hate when that happens.

KayJay · 08-27-2002, 06:25 AM

try iptraf or tcpdump to see where those packages are going to
tcpdump is in your distro.. iptraf can be downloaded

manaskb · 08-27-2002, 01:29 PM

Here are the things that you can do to locate the source of the traffic:
1. use nmap ( or nmapfe ) to see if you have any strange udp sockets open.
2. use ethereal ( like tcpdump but has a very nice gui) to see these packets. You can set capture filter in ethereal.
3. You said that the source port keeps changing, see this document http://www.iana.org/assignments/port-numbers , you may be able to identify the source application.

Lets see what step 1 and step 2 shows.
Thanks,
Manas

unSpawn · 08-27-2002, 01:58 PM

netstat -anp gives you the usuall address stuff with the PID (-p) and the process name, then look up the PID with ps make sure the process name is correct, and there's yer culprit.