LinuxQuestions.org
Forums > Linux Forums > Linux - Networking
Old 11-03-2014, 07:42 AM   #1
khuongdp
which process sent request to a specific port


Hi

We have some weird requests on a specific port, 16009 (which should not be used). We want to find out what is calling that port. From tcpdump we can see the requests are coming from localhost with some source port.

The question is: how can I get the process (pid) that is calling port 16009? What about tcpdump/netstat/lsof/ss?
The requests come every 4 hours, so we want to write the output to a file so we can investigate later.

What about something like this:
ss -etp | grep '16009'

Last edited by khuongdp; 11-03-2014 at 10:37 AM.
 
Old 11-03-2014, 08:24 AM   #2
grubby
I would expect a

# -a rather than -l: -l lists only listening sockets and would hide an established connection
netstat -tuapen | grep 16009

should show you an ESTABLISHED connection when that happens. The last column tells you the PID and program name.


I would also do a

lsof | grep 16009

and see what pops up.
 
Old 11-03-2014, 10:41 AM   #3
khuongdp
The problem is that I don't know when the request comes. Can I wait and only log (to a file) when some process is calling port 16009, or should I just call it every second?

# -a instead of -l so non-listening (established) sockets are shown; >> appends so each
# one-second sample is kept instead of overwriting the file
watch -n1 'netstat -tuapen | grep 16009 >> output'
 
Old 11-03-2014, 11:03 AM   #4
Habitual
Quote:
Originally Posted by khuongdp
The requests come every 4 hours, so we want to write the output to a file so we can investigate later.
Sounds like a cron or maybe a logrotate schedule.
How about installing and running iptraf?
Or, in a terminal:
Code:
screen
# -i any (rather than eth0) also captures the loopback traffic you see from localhost
tcpdump -nn -i any port 16009 -w myfile.pcap
and detach from the screen and check it in 4+ hours.

See http://www.tecmint.com/real-time-int...h-iptraf-tool/ for tips.

Last edited by Habitual; 11-03-2014 at 11:07 AM.
 
Old 11-03-2014, 11:18 AM   #5
khuongdp
Can iptraf tell me the process id (pid)? Because I already know from tcpdump that the source is localhost.
 
Old 11-05-2014, 10:30 AM   #6
Habitual
It seems iptraf does only ports, not PIDs.
Have you checked /var/log/* for the appropriate time period?

You could try this:
run
Code:
screen
and then
Code:
sudo su -
and enter your password
in screen as root run
Code:
# sleep 1 keeps the loop from spinning at 100% CPU and flooding the file with duplicates
while true; do netstat -plaunt | grep 16009; sleep 1; done > /home/khuongdp/watchme.out
then disconnect the screen using Ctrl+A+D
NOTE: If you use a terminal on your desktop, you will have to leave it open for the duration of this capture.

and wait for 4+ hours to go by.
If port 16009 doesn't "open", then the /home/khuongdp/watchme.out file will remain empty.
When it does open the file will not be 0 bytes.

When you have something in the file, in a terminal run
Code:
sudo killall -9 screen
and examine the file (it will be owned by root, so run
Code:
sudo chown khuongdp. /home/khuongdp/watchme.out
first), then you can cat it for details.

I'm sure there's a much easier way, but it escapes me at the moment.

I hope that helps.

Please let us know.

Last edited by Habitual; 11-05-2014 at 10:31 AM.
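As an added example (not posted by anyone in this thread), here is a small POSIX shell script that does what the thread is after without netstat: it reads /proc/net/tcp for sockets touching the port, maps the socket inode to a pid and command name through /proc/<pid>/fd, and appends a timestamped line to a log while polling once a second. It assumes Linux and root (to see sockets owned by other users' processes); the /proc/net/tcp rows in demo are constructed sample data, and the function and file names are my own.

```shell
# Added example, not from this thread. Assumes Linux (/proc/net/tcp, /proc/<pid>/fd) and root.
PORT=${PORT:-16009}
LOG=${LOG:-/var/tmp/port-$PORT.log}
# /proc/net/tcp stores ports as 4 uppercase hex digits
port_hex() { printf '%04X' "$1"; }
# Print "state inode local remote" for every row of a /proc/net/tcp-style file
# whose local or remote port is $1; second arg defaults to the live kernel table.
sockets_on_port() {
    hex=$(port_hex "$1")
    awk -v p="$hex" 'NR > 1 { split($2, l, ":"); split($3, r, ":")
        if (l[2] == p || r[2] == p) print $4, $10, $2, $3 }' "${2:-/proc/net/tcp}"
}
# Resolve a socket inode to "pid/comm" by scanning every process's fd links
inode_to_proc() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        printf '%s/%s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        return 0
    done
    echo unknown
}
# Poll once a second and append a timestamped line per matching socket
# (very short-lived connections can still fall between polls; pair with tcpdump).
watch_port() {
    while :; do
        sockets_on_port "$PORT" | while read -r st ino loc rem; do
            printf '%s state=%s local=%s remote=%s proc=%s\n' \
                "$(date '+%F %T')" "$st" "$loc" "$rem" "$(inode_to_proc "$ino")"
        done >> "$LOG"
        sleep 1
    done
}
# Offline check on a constructed table: client and server sockets on port 16009
# (0x3E89) plus an unrelated listener on port 22; prints the two matching rows.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:C3A2 0100007F:3E89 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0
   1: 0100007F:3E89 0100007F:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9999 1 0
EOF
    sockets_on_port 16009 "$f"; rm -f "$f"
}
case "${1:-}" in --watch) watch_port ;; *) demo ;; esac
```

Run it as root with `--watch` inside screen or tmux (or from a systemd/cron wrapper) and leave it for the 4-hour window; each log line carries the socket state, both endpoints in hex, and the owning pid/comm.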