LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-03-2007, 02:07 AM   #1
pugsley
Member
 
Registered: May 2004
Location: Brisbane Australia
Distribution: SUSE10.1
Posts: 46

Rep: Reputation: 15
Unexplained UDP traffic - DNS lookup


I ran wireshark to see what traffic was happen on this box with the browswer shut down. I noticed a lot of traffic to the router for DNS lookups for a varity of sites. Not sure what is sending the DNS requests? Any ideas how to determine what application is doing this? The sites been looked up appear to be those that I may have looked at in an earlier session on firefox - is some sort of background refresh on DNS addresses happening.

Cheers

Extract from tcpdump follows:

15:59:02.724496 IP 192.168.2.74.21414 > 192.168.2.1.domain: 59079+ AAAA? forums.macosxhints.com. (40)
15:59:02.760738 IP 192.168.2.1.domain > 192.168.2.74.21414: 59079 0/1/0 (91)
15:59:02.761214 IP 192.168.2.74.21414 > 192.168.2.1.domain: 51205+ AAAA? forums.macosxhints.com.Belkin. (47)
15:59:02.776536 IP 192.168.2.1.domain > 192.168.2.74.21414: 51205 NXDomain 0/1/0 (122)
15:59:02.778289 IP 192.168.2.74.21414 > 192.168.2.1.domain: 23941+ A? forums.macosxhints.com. (40)
15:59:02.822368 IP 192.168.2.1.domain > 192.168.2.74.21414: 23941 1/0/0 A[|domain]
 
Old 06-03-2007, 11:36 AM   #2
dburnett77
LQ Newbie
 
Registered: Jun 2007
Location: Middle TN, USA
Distribution: Ubuntu Gutsy Gibson &/ Sabayon 3.4e
Posts: 16

Rep: Reputation: 0
Try EtherApe. It will show which IP is accessing what protocol. You can then block them.

When running EtherApe, select "any" Interface, and open the Protocol window. This is quite handy to determine the level of "access" you are undergoing.
 
Old 06-04-2007, 06:49 AM   #3
pugsley
Member
 
Registered: May 2004
Location: Brisbane Australia
Distribution: SUSE10.1
Posts: 46

Original Poster
Rep: Reputation: 15
Thanks for the reply - The PC doing the lookup is a local machine - this one in fact. I suspect a background process but cannot find anything out of order / unexpected. Need a way of linking process with network traffic - any suggestions?
 
Old 06-04-2007, 06:52 AM   #4
dburnett77
LQ Newbie
 
Registered: Jun 2007
Location: Middle TN, USA
Distribution: Ubuntu Gutsy Gibson &/ Sabayon 3.4e
Posts: 16

Rep: Reputation: 0
Try a network monitoring program, aka packet sniffer. I like Wireshark, because it has a good GUI, and can get as complicated as you want.

Fire it up, and log all of the traffic. It will show you what exactly is being requested. And what is getting transferred.

Also, if you can recreate the circumstance which causes this behaviour, you could have "System Monitor" running, and check the active processes to see which one might crop up as being active when this happens. If it is something hidden, it may show.

06042007--Just realized you said you already ran wireshark. Try this, clear your cache in Firefox. Set the size to 0. Then resize again, and watch your processes. Which ever one fires up, that's most likely your culprit.

Also, in your system admintrator's menu, there's a "Network Tools" section.
Under the _Netstat_ option (also command line mode) there is a routing info. dialog. For example, my neighbor runs 169.254.0.0 on me, and he's very feisty at letting others come on in. This is rather easy to scramble, as the main goal seems to be one of a limiting nature, and I don't have total interruption of service.

Last edited by dburnett77; 06-04-2007 at 09:31 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
kernel and multicast udp traffic zeebu Linux - Networking 5 06-02-2007 10:22 AM
Traceroute, Ping, Domain Name Server (DNS) Lookup, WHOIS, and DNS Records Lookup netoknet General 1 05-09-2005 04:43 AM
Rehat machine won't do dns lookup via udp Ross Clement Linux - Networking 3 10-22-2003 03:12 PM
unexplained traffic jarod Linux - Security 3 08-11-2003 11:31 AM
unexplained Mandrake 8.2 traffic mr.moto Linux - Networking 6 08-27-2002 02:58 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:39 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration