LinuxQuestions.org
Old 08-03-2004, 12:52 PM   #1
mattmiller
LQ Newbie
 
Registered: Aug 2004
Distribution: Debian
Posts: 4

Rep: Reputation: 0
How to know which program is accessing the Internet.


I start my ppp connection as follows:

pppd call provider demand idle 300

The purpose is to allow users to connect on demand, and for the system to then drop the connection after 5 minutes of inactivity. The problem is that something is periodically initiating a connection when no users are logged in. How can I find out what is doing this?

I'm using debian sarge.
 
Old 08-03-2004, 01:48 PM   #2
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 67
Try running:
netstat -anp

This is likely to give you a lot of results but you can narrow it down a lot by running a tcpdump to see which ports are being accessed. You can then grep the netstat output for the port/ip address given by tcpdump.
 
Old 08-03-2004, 03:00 PM   #3
mattmiller
LQ Newbie
 
Registered: Aug 2004
Distribution: Debian
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks, the 'netstat -anp' command looks like what I need. However, the output of this command is the same before and after the rogue ppp connection has been established.

If I 'ping' some site and then run 'netstat -anp' I do see the 'ping' program listed in the netstat output. So, it looks like the netstat command is the right thing to do. Why, then, would the program responsible for the unwanted ppp connection not show itself?
 
Old 08-03-2004, 03:34 PM   #4
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 67
The item probably is showing. That's why I suggested using tcpdump to find out which ports and ip addresses are being connected to. You can then cross reference that with the netstat output.
In the case of me connecting to LQ:
Code:
root - Tue Aug 03 21:29:59
/home/rossy> tcpdump -n
tcpdump: listening on eth0
21:30:35.675872 10.100.10.10.33498 > 64.179.4.149.80: P 3814982933:3814984371(1438) ack 3847634390 win 6432 <nop,nop,timestamp 9262450 950675> (DF)
21:30:35.677627 64.179.4.149.80 > 10.100.10.10.33498: . ack 1438 win 11584 <nop,nop,timestamp 955058 9262450> (DF)
21:30:36.771092 64.179.4.149.80 > 10.100.10.10.33498: . 1:1449(1448) ack 1438 win 11584 <nop,nop,timestamp 955167 9262450> (DF)
I can see the remote IP is "64.179.4.149". I then check with netstat:
Code:
root - Tue Aug 03 21:32:03
/home/rossy> netstat -anp | grep "64.179.4.149"
tcp        0      0 10.100.10.10:33508      64.179.4.149:80         ESTABLISHED 1562/firefox-bin
Voila, you can see that firefox is indeed making the connection. The local client port should be the same if it is a persistent connection, but because I ran the commands a little apart and had to refresh the page you will notice that in tcpdump the local port was "33498" and in netstat it was "33508".

Last edited by david_ross; 08-03-2004 at 03:35 PM.
 
Old 08-04-2004, 01:49 PM   #5
mattmiller
LQ Newbie
 
Registered: Aug 2004
Distribution: Debian
Posts: 4

Original Poster
Rep: Reputation: 0
Hmm... I definitely don't see 'netstat -anp' showing me anything different before, during, or after establishing of the unwanted connection. I redirected the netstat output to files and 'diff'ed the files. They were all identical. tcpdump definitely shows activity, but I can't see how to get the program name from that.

Maybe part of the problem is that the machine with the modem hooked to it is a gateway on a LAN and maybe another machine on the LAN is requesting the connection.

I'll keep poking around...
 
Old 08-04-2004, 02:09 PM   #6
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 67
I'm not sure you are understanding what I am saying - the netstat output may not change. That is the reason for using tcpdump.
 
Old 08-05-2004, 02:08 PM   #7
mattmiller
LQ Newbie
 
Registered: Aug 2004
Distribution: Debian
Posts: 4

Original Poster
Rep: Reputation: 0
Okay, thanks for being patient. I was stuck on the idea that tcpdump was just for filtering my netstat output. Since my netstat output is small I figured I didn't need tcpdump.

When I run tcpdump I see activity stir as the rogue connection initiates, but I don't see that output pointing me to any particular line in my netstat output.

Here is a 'script' of tcpdump as the connection starts and for a few seconds afterward:

Code:
Script started on Thu Aug  5 11:17:45 2004
debian3:/home/mmiller# pon
debian3:/home/mmiller# pontcpdump -n -i ppp0tcpdump -n -i ppp0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
11:20:14.013287 IP 10.64.64.64.32863 > 209.244.0.3.53:  53675+ AAAA? debian. (24)
11:20:19.014370 IP 10.64.64.64.32864 > 209.244.0.4.53:  53675+ AAAA? debian. (24)
11:20:24.014943 IP 10.64.64.64.32863 > 209.244.0.3.53:  53675+ AAAA? debian. (24)
11:20:29.016146 IP 10.64.64.64.32864 > 209.244.0.4.53:  53675+ AAAA? debian. (24)
11:20:53.640407 IP 4.240.51.251.1073 > 209.244.0.3.53:  59610+ AAAA? debian3. (25)
11:20:53.805745 IP 209.244.0.3.53 > 4.240.51.251.1073:  59610 NXDomain 0/1/0 (100)
11:20:55.465780 IP 218.170.54.45.4794 > 4.240.51.251.445: S 959094122:959094122(0) win 16384 <mss 1440,nop,nop,sackOK>
11:20:58.375797 IP 218.170.54.45.4794 > 4.240.51.251.445: S 959094122:959094122(0) win 16384 <mss 1440,nop,nop,sackOK>
11:21:01.645751 IP 63.215.26.146 > 224.0.0.1: igmp query v2
11:21:04.345768 IP 218.170.54.45.4794 > 4.240.51.251.445: S 959094122:959094122(0) win 16384 <mss 1440,nop,nop,sackOK>
11:21:11.645784 IP 63.215.26.146 > 224.0.0.1: igmp query v2
11:21:21.645807 IP 63.215.26.146 > 224.0.0.1: igmp query v2
11:21:44.965914 IP 4.240.90.11 > 4.240.51.251: icmp 8: echo request seq 60637
11:21:51.655947 IP 63.215.26.146 > 224.0.0.1: igmp query v2
11:21:54.517850 IP 4.240.51.251.32864 > 209.244.0.3.53:  57582+ AAAA? debian. (24)
11:21:54.665955 IP 209.244.0.3.53 > 4.240.51.251.32864:  57582 NXDomain 0/1/0 (99)
11:22:01.516021 IP 81.226.131.165.3480 > 4.240.51.251.445: S 1489231286:1489231286(0) win 64240 <mss 1460,nop,nop,sackOK>
11:22:21.666051 IP 63.215.26.146 > 224.0.0.1: igmp query v2
11:22:34.336168 IP 4.10.225.234.1181 > 4.240.51.251.135: S 893852055:893852055(0) win 64240 <mss 1460,nop,nop,sackOK>
11:22:37.106098 IP 4.10.225.234.1181 > 4.240.51.251.135: S 893852055:893852055(0) win 64240 <mss 1460,nop,nop,sackOK>
11:22:51.676167 IP 63.215.26.146 > 224.0.0.1: igmp query v2

21 packets captured
21 packets received by filter
0 packets dropped by kernel
debian3:/home/mmiller# poff
debian3:/home/mmiller# 
Script done on Thu Aug  5 11:23:00 2004
Now here's a netstat script generated at the same time. I just kept re-executing the netstat command, once before the connection started and a few times after. I'm not seeing any useful foreign address info.

Code:
Script started on Thu Aug  5 11:18:02 2004
debian3:/home/mmiller# netstat.  -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN     316/inetd           
tcp        0      0 0.0.0.0:968             0.0.0.0:*               LISTEN     362/rpc.statd       
tcp        0      0 0.0.0.0:9               0.0.0.0:*               LISTEN     316/inetd           
tcp        0      0 0.0.0.0:13              0.0.0.0:*               LISTEN     316/inetd           
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN     197/portmap         
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     328/sshd            
tcp        0      0 127.0.0.1:8118          0.0.0.0:*               LISTEN     322/privoxy         
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     2201/exim4          
tcp        0      0 192.168.1.3:22          192.168.1.1:33099       ESTABLISHED3434/1              
tcp        0      0 192.168.1.3:22          192.168.1.1:33052       ESTABLISHED3416/sshd: mmiller  
udp        0      0 0.0.0.0:9               0.0.0.0:*                          316/inetd           
udp        0      0 0.0.0.0:962             0.0.0.0:*                          362/rpc.statd       
udp        0      0 0.0.0.0:965             0.0.0.0:*                          362/rpc.statd       
udp        0      0 0.0.0.0:111             0.0.0.0:*                          197/portmap         
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  5      [ ]         DGRAM                    10909    1938/syslogd        /dev/log
unix  2      [ ]         DGRAM                    14197    3474/pppd           
unix  2      [ ]         DGRAM                    13924    3419/0              
unix  3      [ ]         STREAM     CONNECTED     13923    3416/sshd: mmiller  
unix  3      [ ]         STREAM     CONNECTED     13922    3419/0              
unix  2      [ ]         DGRAM                    10802    1889/klogd          
unix  2      [ ]         DGRAM                    482      362/rpc.statd       
debian3:/home/mmiller# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN     316/inetd           
tcp        0      0 0.0.0.0:968             0.0.0.0:*               LISTEN     362/rpc.statd       
tcp        0      0 0.0.0.0:9               0.0.0.0:*               LISTEN     316/inetd           
tcp        0      0 0.0.0.0:13              0.0.0.0:*               LISTEN     316/inetd           
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN     197/portmap         
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     328/sshd            
tcp        0      0 127.0.0.1:8118          0.0.0.0:*               LISTEN     322/privoxy         
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     2201/exim4          
tcp        0      0 192.168.1.3:22          192.168.1.1:33099       ESTABLISHED3434/1              
tcp        0      0 192.168.1.3:22          192.168.1.1:33052       ESTABLISHED3416/sshd: mmiller  
udp        0      0 0.0.0.0:9               0.0.0.0:*                          316/inetd           
udp        0      0 0.0.0.0:962             0.0.0.0:*                          362/rpc.statd       
udp        0      0 0.0.0.0:965             0.0.0.0:*                          362/rpc.statd       
udp        0      0 0.0.0.0:111             0.0.0.0:*                          197/portmap         
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  5      [ ]         DGRAM                    10909    1938/syslogd        /dev/log
unix  2      [ ]         DGRAM                    14197    3474/pppd           
unix  2      [ ]         DGRAM                    13924    3419/0              
unix  3      [ ]         STREAM     CONNECTED     13923    3416/sshd: mmiller  
unix  3      [ ]         STREAM     CONNECTED     13922    3419/0              
unix  2      [ ]         DGRAM                    10802    1889/klogd          
unix  2      [ ]         DGRAM                    482      362/rpc.statd       
debian3:/home/mmiller# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN     316/inetd           
tcp        0      0 0.0.0.0:968             0.0.0.0:*               LISTEN     362/rpc.statd       
tcp        0      0 0.0.0.0:9               0.0.0.0:*               LISTEN     316/inetd           
tcp        0      0 0.0.0.0:13              0.0.0.0:*               LISTEN     316/inetd           
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN     197/portmap         
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     328/sshd            
tcp        0      0 127.0.0.1:8118          0.0.0.0:*               LISTEN     322/privoxy         
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     2201/exim4          
tcp        0      0 192.168.1.3:22          192.168.1.1:33099       ESTABLISHED3434/1              
tcp        0      0 192.168.1.3:22          192.168.1.1:33052       ESTABLISHED3416/sshd: mmiller  
udp        0      0 0.0.0.0:9               0.0.0.0:*                          316/inetd           
udp        0      0 0.0.0.0:962             0.0.0.0:*                          362/rpc.statd       
udp        0      0 0.0.0.0:965             0.0.0.0:*                          362/rpc.statd       
udp        0      0 0.0.0.0:111             0.0.0.0:*                          197/portmap         
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  5      [ ]         DGRAM                    10909    1938/syslogd        /dev/log
unix  2      [ ]         DGRAM                    14197    3474/pppd           
unix  2      [ ]         DGRAM                    13924    3419/0              
unix  3      [ ]         STREAM     CONNECTED     13923    3416/sshd: mmiller  
unix  3      [ ]         STREAM     CONNECTED     13922    3419/0              
unix  2      [ ]         DGRAM                    10802    1889/klogd          
unix  2      [ ]         DGRAM                    482      362/rpc.statd       
debian3:/home/mmiller# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN     316/inetd           
tcp        0      0 0.0.0.0:968             0.0.0.0:*               LISTEN     362/rpc.statd       
tcp        0      0 0.0.0.0:9               0.0.0.0:*               LISTEN     316/inetd           
tcp        0      0 0.0.0.0:13              0.0.0.0:*               LISTEN     316/inetd           
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN     197/portmap         
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     328/sshd            
tcp        0      0 127.0.0.1:8118          0.0.0.0:*               LISTEN     322/privoxy         
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     2201/exim4          
tcp        0      0 192.168.1.3:22          192.168.1.1:33099       ESTABLISHED3434/1              
tcp        0      0 192.168.1.3:22          192.168.1.1:33052       ESTABLISHED3416/sshd: mmiller  
udp        0      0 0.0.0.0:9               0.0.0.0:*                          316/inetd           
udp        0      0 0.0.0.0:962             0.0.0.0:*                          362/rpc.statd       
udp        0      0 0.0.0.0:965             0.0.0.0:*                          362/rpc.statd       
udp        0      0 0.0.0.0:111             0.0.0.0:*                          197/portmap         
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  5      [ ]         DGRAM                    10909    1938/syslogd        /dev/log
unix  2      [ ]         DGRAM                    14197    3474/pppd           
unix  2      [ ]         DGRAM                    13924    3419/0              
unix  3      [ ]         STREAM     CONNECTED     13923    3416/sshd: mmiller  
unix  3      [ ]         STREAM     CONNECTED     13922    3419/0              
unix  2      [ ]         DGRAM                    10802    1889/klogd          
unix  2      [ ]         DGRAM                    482      362/rpc.statd       
debian3:/home/mmiller# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN     316/inetd           
tcp        0      0 0.0.0.0:968             0.0.0.0:*               LISTEN     362/rpc.statd       
tcp        0      0 0.0.0.0:9               0.0.0.0:*               LISTEN     316/inetd           
tcp        0      0 0.0.0.0:13              0.0.0.0:*               LISTEN     316/inetd           
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN     197/portmap         
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     328/sshd            
tcp        0      0 127.0.0.1:8118          0.0.0.0:*               LISTEN     322/privoxy         
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     2201/exim4          
tcp        0      0 192.168.1.3:22          192.168.1.1:33099       ESTABLISHED3434/1              
tcp        0      0 192.168.1.3:22          192.168.1.1:33052       ESTABLISHED3416/sshd: mmiller  
udp        0      0 0.0.0.0:9               0.0.0.0:*                          316/inetd           
udp        0      0 0.0.0.0:962             0.0.0.0:*                          362/rpc.statd       
udp        0      0 0.0.0.0:965             0.0.0.0:*                          362/rpc.statd       
udp        0      0 0.0.0.0:111             0.0.0.0:*                          197/portmap         
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  5      [ ]         DGRAM                    10909    1938/syslogd        /dev/log
unix  2      [ ]         DGRAM                    14197    3474/pppd           
unix  2      [ ]         DGRAM                    13924    3419/0              
unix  3      [ ]         STREAM     CONNECTED     13923    3416/sshd: mmiller  
unix  3      [ ]         STREAM     CONNECTED     13922    3419/0              
unix  2      [ ]         DGRAM                    10802    1889/klogd          
unix  2      [ ]         DGRAM                    482      362/rpc.statd       
debian3:/home/mmiller# 
Script done on Thu Aug  5 11:23:02 2004
 
Old 08-05-2004, 02:23 PM   #8
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 67
There doesn't seem to be anything in the netstat output although the tcpdump shows several dns requests. My guess is that something is requesting dns queries. Check what services you have running, some of them may be trying to look up dns addresses for connecting clients. Some things that do this are mail servers, web servers and possibly even Samba.
 
  

