How to get a PID/name/path of a process that sends a network packet?
We have an application that sends some data over the TCP/IP network. We don't know which process that would be, but we want to target it. All we know is the following nftables log:

kernel: * OUTPUT * IN= OUT=bond0 SRC=192.168.0.135 DST=104.81.106.31 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39568 DF PROTO=TCP SPT=56784 DPT=443 SEQ=3504435004 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A03AC71A60000000001030309) UID=1000 GID=1000

The process also exits after it sends the packet, which happens really fast. How can we find out the PID/name/path of the process?

Tags: debian networking process nftables
A TCP request from an unprivileged user to an Akamitech server. A web browser maybe? How do you know the process exits?
– Kusalananda, Feb 6 at 9:49

No, it was wget, but in this case I knew what it was, but let's pretend we don't know that, and we want to find out what application that can be, so if in the future some app would get logged by nftables, we would know how to target it.
– Mikhail Morfikov, Feb 6 at 9:52

You have the UID in the log. With process accounting turned on it may be possible to correlate the accounting data with the log. I wouldn't know how to do that in an automated fashion though as I don't know what Unix you are on.
– Kusalananda, Feb 6 at 9:55

You could monitor processes via the proc connector interface of Linux, and try to time-correlate with the iptables log. There's forkstat in Debian which is kind of a (quite unsatisfactory) sample program using the proc connector.
– Uncle Billy, Feb 6 at 10:36

Using auditd: Using Auditd to Monitor Network Connections - LinkedIn; (on SF:) Finding short-lived TCP connections owner process. Using NFQUEUE + (usual) /proc: Leopard Flower firewall.
– A.B, Feb 6 at 20:02
asked Feb 6 at 9:41 by Mikhail Morfikov; edited Feb 6 at 10:22 by Kusalananda
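The LOG line in the question carries the connection 4-tuple and the UID but no PID. The "(usual) /proc" route that A.B's comment points to closes that gap in two steps: decode /proc/net/tcp to find the inode of the socket with that 4-tuple, then find which /proc/<pid>/fd entry links to socket:[inode]. The script below is an added example, not code from the question or from any commenter. It assumes the standard Linux /proc layout (little-endian hex addresses and an inode column in /proc/net/tcp; fd symlinks of the form socket:[N]); the /proc/net/tcp table it checks itself against is constructed from the question's addresses, and it also reads the live table when run as a script. The design deliberately exposes the method's weakness, which is why the comments steer toward auditd or the proc connector: the lookup only succeeds while the socket is still open.

```python
"""Correlate an nftables/iptables LOG line with the process owning the socket.

Added example (not from the question or its comments). Assumes the standard
Linux /proc layout: /proc/net/tcp lists live TCP sockets as little-endian hex
'ADDR:PORT' pairs plus an inode column, and /proc/<pid>/fd/<n> symlinks read
'socket:[<inode>]'. The sample table below is constructed, not captured.
"""
import os
import re
import socket
import struct
from typing import Dict, Optional, Tuple

# The LOG line from the question, joined onto one line.
SAMPLE_LOG = (
    "kernel: * OUTPUT * IN= OUT=bond0 SRC=192.168.0.135 DST=104.81.106.31 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=39568 DF PROTO=TCP SPT=56784 DPT=443 "
    "SEQ=3504435004 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT "
    "(020405B40402080A03AC71A60000000001030309) UID=1000 GID=1000"
)

# Constructed /proc/net/tcp content: one socket matching that 4-tuple
# (192.168.0.135:56784 -> 104.81.106.31:443), owned by uid 1000, inode 123456.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt"
    "   uid  timeout inode\n"
    "   0: 8700A8C0:DDD0 1F6A5168:01BB 02 00000000:00000000 00:00000000 00000000"
    "  1000        0 123456 1 0000000000000000 100 0 0 10 0\n"
)

_KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_nft_log(line: str) -> Dict[str, object]:
    """Pull the KEY=value fields we need (addresses, ports, protocol, UID) from a LOG line."""
    fields = dict(_KV_RE.findall(line))
    return {
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "sport": int(fields["SPT"]) if fields.get("SPT") else None,
        "dport": int(fields["DPT"]) if fields.get("DPT") else None,
        "uid": int(fields["UID"]) if fields.get("UID") else None,
        "proto": fields.get("PROTO"),
    }


def decode_proc_addr(hexaddr: str) -> Tuple[str, int]:
    """Decode a /proc/net/tcp 'AABBCCDD:PPPP' field: little-endian IPv4 word, hex port."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def find_socket_inode(proc_net_tcp: str, src: str, sport: int, dst: str, dport: int,
                      uid: Optional[int] = None) -> Optional[int]:
    """Return the inode of the socket matching the 4-tuple (and UID, if given), else None."""
    for row in proc_net_tcp.splitlines()[1:]:          # skip the header row
        cols = row.split()
        if len(cols) < 10:
            continue
        if decode_proc_addr(cols[1]) != (src, sport) or decode_proc_addr(cols[2]) != (dst, dport):
            continue
        if uid is not None and int(cols[7]) != uid:    # column 7 is the owning uid
            continue
        return int(cols[9])                            # column 9 is the socket inode
    return None


def pid_for_inode(inode: int, proc_root: str = "/proc") -> Optional[int]:
    """Walk /proc/<pid>/fd and return the PID holding a descriptor for socket:[inode]."""
    target = "socket:[%d]" % inode
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:        # process already exited, or fd table not readable by us
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(entry)
            except OSError:
                continue
    return None


def locate_sender(log_line: str, proc_root: str = "/proc") -> Optional[Dict[str, object]]:
    """Map a LOG line to {pid, name, exe}, or None. Racy by nature: a process that
    exits right after sending (as in the question) is usually gone before we look."""
    f = parse_nft_log(log_line)
    if f["proto"] != "TCP":
        return None
    with open(os.path.join(proc_root, "net", "tcp")) as fh:
        inode = find_socket_inode(fh.read(), f["src"], f["sport"], f["dst"], f["dport"], f["uid"])
    pid = pid_for_inode(inode, proc_root) if inode is not None else None
    if pid is None:
        return None
    pdir = os.path.join(proc_root, str(pid))
    with open(os.path.join(pdir, "comm")) as fh:
        name = fh.read().strip()
    try:
        exe = os.readlink(os.path.join(pdir, "exe"))
    except OSError:            # e.g. insufficient permission for another user's process
        exe = None
    return {"pid": pid, "name": name, "exe": exe}


if __name__ == "__main__":
    # Offline check against the constructed table, then a live attempt on this host.
    print(find_socket_inode(SAMPLE_PROC_NET_TCP, "192.168.0.135", 56784,
                            "104.81.106.31", 443, uid=1000))   # 123456
    print(locate_sender(SAMPLE_LOG))   # None unless that socket is open right now
```

Run it as the socket's owner or as root while the connection is still open; for other users' processes /proc/<pid>/fd is not readable, so the walk silently skips them. For the short-lived sender in the question, the non-racy route the comments recommend is an audit rule on the connect syscall, for example `auditctl -a always,exit -F arch=b64 -S connect -k netconn` followed by `ausearch -k netconn`, which records pid, comm and exe at the time of the call rather than relying on the socket still existing afterwards.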