Linux - Security
06-03-2007, 02:07 AM | #1
Member | Registered: May 2004 | Location: Brisbane Australia | Distribution: SUSE10.1 | Posts: 46
Unexplained UDP traffic - DNS lookup
I ran Wireshark to see what traffic was happening on this box with the browser shut down. I noticed a lot of traffic to the router for DNS lookups for a variety of sites. Not sure what is sending the DNS requests? Any ideas how to determine what application is doing this? The sites being looked up appear to be those that I may have looked at in an earlier session on Firefox - is some sort of background refresh of DNS addresses happening?
Cheers
Extract from tcpdump follows:
15:59:02.724496 IP 192.168.2.74.21414 > 192.168.2.1.domain: 59079+ AAAA? forums.macosxhints.com. (40)
15:59:02.760738 IP 192.168.2.1.domain > 192.168.2.74.21414: 59079 0/1/0 (91)
15:59:02.761214 IP 192.168.2.74.21414 > 192.168.2.1.domain: 51205+ AAAA? forums.macosxhints.com.Belkin. (47)
15:59:02.776536 IP 192.168.2.1.domain > 192.168.2.74.21414: 51205 NXDomain 0/1/0 (122)
15:59:02.778289 IP 192.168.2.74.21414 > 192.168.2.1.domain: 23941+ A? forums.macosxhints.com. (40)
15:59:02.822368 IP 192.168.2.1.domain > 192.168.2.74.21414: 23941 1/0/0 A[|domain]
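Two things in the extract above are worth reading before hunting for a process, and the script below makes them visible. The AAAA query before the A query is the libc resolver asking for an IPv6 address first (getaddrinfo with AF_UNSPEC); its reply is "0/1/0", a NOERROR answer with no records. The lookup for "forums.macosxhints.com.Belkin." is the resolver appending a search domain from /etc/resolv.conf, here the domain name the Belkin router's DHCP server handed out, and the NXDomain it gets is expected; it is not a second site being contacted. Only one name was actually resolved. This is an added example, not code from the thread; it parses the six tcpdump lines from the post (embedded as constructed input), pairs queries with replies by transaction ID, and folds search-list expansions away.

```python
import re

# Constructed sample: the six tcpdump lines quoted in the post above.
TCPDUMP_EXTRACT = """\
15:59:02.724496 IP 192.168.2.74.21414 > 192.168.2.1.domain: 59079+ AAAA? forums.macosxhints.com. (40)
15:59:02.760738 IP 192.168.2.1.domain > 192.168.2.74.21414: 59079 0/1/0 (91)
15:59:02.761214 IP 192.168.2.74.21414 > 192.168.2.1.domain: 51205+ AAAA? forums.macosxhints.com.Belkin. (47)
15:59:02.776536 IP 192.168.2.1.domain > 192.168.2.74.21414: 51205 NXDomain 0/1/0 (122)
15:59:02.778289 IP 192.168.2.74.21414 > 192.168.2.1.domain: 23941+ A? forums.macosxhints.com. (40)
15:59:02.822368 IP 192.168.2.1.domain > 192.168.2.74.21414: 23941 1/0/0 A[|domain]
"""

# tcpdump query line: "<ts> IP <src> > <dst>: <id>+ <QTYPE>? <name> (<len>)"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+)\+ (?P<qtype>[A-Z0-9]+)\? (?P<name>\S+) \(\d+\)$"
)
# tcpdump reply line: "<ts> IP <src> > <dst>: <id> [<RCODE>] <an>/<ns>/<ar> ..."
REPLY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+) (?:(?P<rcode>[A-Za-z]+) )?(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)"
)


def parse_transactions(text):
    """Pair each query with its reply by DNS transaction ID.

    Returns an insertion-ordered dict: id -> {ts, qtype, name, status}, where
    status is ANSWER (answer count > 0), NODATA (NOERROR but no answer
    records, e.g. a name with no AAAA record), NXDOMAIN or another rcode as
    tcpdump printed it, or PENDING if no reply was seen.
    """
    txns = {}
    for line in text.splitlines():
        q = QUERY_RE.match(line)
        if q:
            txns[q["id"]] = {"ts": q["ts"], "qtype": q["qtype"],
                             "name": q["name"], "status": "PENDING"}
            continue
        r = REPLY_RE.match(line)
        if r and r["id"] in txns:
            if int(r["an"]) > 0:
                status = "ANSWER"
            elif r["rcode"] is None:
                status = "NODATA"
            else:
                status = r["rcode"].upper()
            txns[r["id"]]["status"] = status
    return txns


def search_list_expansions(txns):
    """Find queried names that are another queried name plus a search suffix.

    The resolver appends each 'search' domain from /etc/resolv.conf when the
    bare name returns no usable answer; those lookups are resolver noise,
    not a second site being contacted.
    """
    names = []
    for t in txns.values():
        if t["name"] not in names:
            names.append(t["name"])
    expansions = []
    for name in names:
        for base in names:
            if name != base and base.endswith(".") and name.startswith(base):
                expansions.append((name, base, name[len(base):]))
    return expansions


def distinct_sites(txns):
    """Names actually looked up, with search-list expansions folded away."""
    expanded = {name for name, _, _ in search_list_expansions(txns)}
    return sorted({t["name"] for t in txns.values()} - expanded)


if __name__ == "__main__":
    txns = parse_transactions(TCPDUMP_EXTRACT)
    for tid, t in txns.items():
        print(f"{t['ts']} id={tid} {t['qtype']:5} {t['name']:32} {t['status']}")
    for name, base, suffix in search_list_expansions(txns):
        print(f"search-list expansion: {name} = {base} + {suffix}")
    print("distinct sites:", distinct_sites(txns))
```

Run it against a longer capture (`tcpdump -n -l port 53` piped into it, with the `-n` dropped if you want the `.domain` port name as in the post) and the list of distinct sites is what you have to account for; the expansions and the AAAA/A pairs are the resolver doing its job.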
06-03-2007, 11:36 AM | #2
LQ Newbie | Registered: Jun 2007 | Location: Middle TN, USA | Distribution: Ubuntu Gutsy Gibbon &/ Sabayon 3.4e | Posts: 16
Try EtherApe. It will show which IP is accessing what protocol. You can then block them.
When running EtherApe, select the "any" interface and open the Protocol window. This is quite handy to determine the level of "access" you are undergoing.
06-04-2007, 06:49 AM | #3
Member | Registered: May 2004 | Location: Brisbane Australia | Distribution: SUSE10.1 | Posts: 46 | Original Poster
Thanks for the reply - the PC doing the lookup is a local machine, this one in fact. I suspect a background process but cannot find anything out of order / unexpected. Need a way of linking a process with network traffic - any suggestions?
06-04-2007, 06:52 AM | #4
LQ Newbie | Registered: Jun 2007 | Location: Middle TN, USA | Distribution: Ubuntu Gutsy Gibbon &/ Sabayon 3.4e | Posts: 16
Try a network monitoring program, aka packet sniffer. I like Wireshark, because it has a good GUI and can get as complicated as you want.
Fire it up and log all of the traffic. It will show you exactly what is being requested, and what is getting transferred.
Also, if you can recreate the circumstance which causes this behaviour, you could have "System Monitor" running and check the active processes to see which one might crop up as being active when this happens. If it is something hidden, it may show.
06042007--Just realized you said you already ran Wireshark. Try this: clear your cache in Firefox. Set the size to 0. Then resize again, and watch your processes. Whichever one fires up, that's most likely your culprit.
Also, in your System Administration menu, there's a "Network Tools" section.
Under the _Netstat_ option (also command line mode) there is a routing info dialog. For example, my neighbor runs 169.254.0.0 on me, and he's very feisty at letting others come on in. This is rather easy to scramble, as the main goal seems to be one of a limiting nature, and I don't have total interruption of service.
Last edited by dburnett77; 06-04-2007 at 09:31 AM.
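Post #3 asks for a way to link a process to its network traffic, and post #4 answers with System Monitor and the Netstat dialog. On a current Linux system the direct answer is `ss -upan` (or `lsof -i udp`), which lists every UDP socket together with the command and pid that own it, provided it is run as root; for another user's processes an unprivileged `ss` prints the socket but no `users:` field. The catch for DNS is that a resolver's socket to port 53 exists only for the few milliseconds of the lookup, so it has to be polled rather than listed once. The script below is an added example, not code from the thread: it parses constructed `ss -upan` output (the process names, pids, fds and ephemeral ports in it are assumptions) and, when `ss` is present, polls the live host the same way.

```python
import re
import shutil
import subprocess
import time

# Constructed sample of `ss -upan` output, not output from the poster's box:
# pids, fds and ephemeral ports are assumptions for illustration. The third
# :53 socket has no "users:" field, which is what ss shows for a socket owned
# by another user when ss is not run as root.
SS_SAMPLE = """\
State  Recv-Q Send-Q   Local Address:Port    Peer Address:Port Process
UNCONN 0      0              0.0.0.0:68            0.0.0.0:*     users:(("dhclient",pid=812,fd=6))
ESTAB  0      0         192.168.2.74:21414    192.168.2.1:53    users:(("firefox-bin",pid=4321,fd=45))
ESTAB  0      0         192.168.2.74:39011    192.168.2.1:53    users:(("nscd",pid=980,fd=12))
ESTAB  0      0         192.168.2.74:40500    192.168.2.1:53
UNCONN 0      0              0.0.0.0:5353          0.0.0.0:*
"""

# One ss row: state, Recv-Q, Send-Q, local, peer, optional users:(...) list.
SOCKET_RE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)"
    r"(?:\s+users:\((?P<users>.*)\))?\s*$"
)
# One owner inside users:(...): ("cmd",pid=N,fd=N)
USER_RE = re.compile(r'\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=(?P<fd>\d+)\)')


def port_of(addr):
    """Port number from 'host:port', including '[v6addr]:port'; '*' -> None."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def dns_sockets(ss_output, dns_port=53):
    """Return UDP sockets whose peer port is dns_port, with owning processes.

    A socket with no users: field (not root, or the socket closed between
    ss reading /proc and the process table) is reported with process None.
    """
    found = []
    for line in ss_output.splitlines():
        m = SOCKET_RE.match(line)
        if not m or m["state"] == "State" or port_of(m["peer"]) != dns_port:
            continue
        owners = USER_RE.findall(m["users"]) if m["users"] else []
        if not owners:
            found.append({"local": m["local"], "peer": m["peer"],
                          "process": None, "pid": None, "fd": None})
        for proc, pid, fd in owners:
            found.append({"local": m["local"], "peer": m["peer"],
                          "process": proc, "pid": int(pid), "fd": int(fd)})
    return found


def live_dns_sockets():
    """Run ss on this host; run as root to see other users' processes."""
    out = subprocess.run(["ss", "-upan"], capture_output=True, text=True,
                         check=True).stdout
    return dns_sockets(out)


def watch(seconds=30, interval=0.2):
    """Poll, because a resolver's UDP socket only lives for the lookup."""
    seen = set()
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        for s in live_dns_sockets():
            key = (s["pid"], s["local"], s["peer"])
            if key in seen:
                continue
            seen.add(key)
            who = f"{s['process']}[{s['pid']}]" if s["pid"] else "unknown (run as root)"
            print(f"{s['local']} -> {s['peer']}  {who}")
        time.sleep(interval)
    return seen


if __name__ == "__main__":
    for s in dns_sockets(SS_SAMPLE):
        print("sample:", s)
    if shutil.which("ss"):
        watch()
```

Once a pid shows up, `strace -f -e trace=network -p <pid>` confirms it is the process issuing the sendto() calls to the router. On SUSE it is worth checking nscd first: it caches hosts lookups and, depending on the reload-count setting in /etc/nscd.conf, re-issues queries for cached names when they expire, which would look exactly like a background refresh of sites visited earlier; whether that is the source here is what the pid tells you.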