How to get a PID/name/path of a process that sends a network packet?

We have an application that sends some data over the TCP/IP network. We don't know which process that would be, but we want to target it. All we know is the following nftables log:



    kernel: * OUTPUT * IN= OUT=bond0 SRC=192.168.0.135 DST=104.81.106.31 LEN=60
    TOS=0x00 PREC=0x00 TTL=64 ID=39568 DF PROTO=TCP SPT=56784 DPT=443 SEQ=3504435004
    ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A03AC71A60000000001030309)
    UID=1000 GID=1000


The process also exits after it sends the packet, which happens really fast. How can we find out the PID/name/path of the process?

  • A TCP request from an unprivileged user to an Akamitech server. A web browser maybe? How do you know the process exits?

    – Kusalananda
    Feb 6 at 9:49

  • No, it was wget, but in this case I knew what it was, but let's pretend we don't know that, and we want to find out what application that can be, so if in the future some app would get logged by nftables, we would know how to target it.

    – Mikhail Morfikov
    Feb 6 at 9:52

  • You have the UID in the log. With process accounting turned on it may be possible to correlate the accounting data with the log. I wouldn't know how to do that in an automated fashion though as I don't know what Unix you are on.

    – Kusalananda
    Feb 6 at 9:55

  • You could monitor processes via the proc connector interface of Linux, and try to time correlate with the iptables log. There's forkstat in Debian which is kind of a (quite unsatisfactory) sample program using the proc connector.

    – Uncle Billy
    Feb 6 at 10:36

  • Using auditd: "Using Auditd to Monitor Network Connections" (LinkedIn); on SF: "Finding short-lived TCP connections owner process". Using NFQUEUE + (usual) /proc: Leopard Flower firewall.

    – A.B
    Feb 6 at 20:02
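The auditd route A.B points to, worked through as an added example that is not from the question or any commenter: it parses the nftables log line into fields, decodes the hex `saddr` of an audit SOCKADDR record, and matches destination address, port and UID against the SYSCALL record that shares the event id, yielding pid, comm and exe. The audit records, PIDs and timestamps are constructed; the audit rule and the `netconn` key are assumptions, and syscall 42 is connect() on x86-64 only.

```python
import re, socket, struct

# Constructed inputs: the nftables line from the question plus two made-up audit
# events (SYSCALL + SOCKADDR records sharing an event id) of the kind a rule like
# `-a always,exit -F arch=b64 -S connect -F uid=1000 -k netconn` would emit.
NFT_LOG = ("kernel: * OUTPUT * IN= OUT=bond0 SRC=192.168.0.135 DST=104.81.106.31 "
           "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39568 DF PROTO=TCP SPT=56784 "
           "DPT=443 SEQ=3504435004 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 "
           "OPT (020405B40402080A03AC71A60000000001030309) UID=1000 GID=1000")
AUDIT_LOG = """\
type=SYSCALL msg=audit(1549443600.120:301): arch=c000003e syscall=42 success=yes exit=0 pid=4242 uid=1000 comm="wget" exe="/usr/bin/wget" key="netconn"
type=SOCKADDR msg=audit(1549443600.120:301): saddr=020001BB68516A1F0000000000000000
type=SYSCALL msg=audit(1549443600.500:302): arch=c000003e syscall=42 success=yes exit=0 pid=4300 uid=1000 comm="curl" exe="/usr/bin/curl" key="netconn"
type=SOCKADDR msg=audit(1549443600.500:302): saddr=02000050CB00710A0000000000000000
"""

def parse_kv(line):
    # Both log formats are runs of KEY=value / KEY="quoted"; empty values (IN=) are kept.
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S*)', line)}

def decode_saddr(hexstr):
    """Decode audit's hex sockaddr: (ip, port) for AF_INET, None otherwise."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack('<H', raw[:2])[0]   # sa_family is host order (x86: LE)
    if family != socket.AF_INET or len(raw) < 8:
        return None
    port = struct.unpack('!H', raw[2:4])[0]    # sin_port is network byte order
    return socket.inet_ntoa(raw[4:8]), port

def parse_audit(text):
    events = {}   # event id -> merged fields of every record carrying that id
    for line in text.splitlines():
        m = re.search(r'msg=audit\(([\d.]+):(\d+)\)', line)
        if m:
            ev = events.setdefault(m.group(2), {'time': float(m.group(1))})
            ev.update(parse_kv(line))
    return events

def find_owner(nft_line, audit_text):
    """pid/comm/exe of the connect() whose target and uid match the nft log line."""
    pkt = parse_kv(nft_line)
    want = (pkt['DST'], int(pkt['DPT']), pkt['UID'])
    for ev in parse_audit(audit_text).values():
        if ev.get('syscall') != '42' or 'saddr' not in ev:   # 42 = connect, x86-64
            continue
        dst = decode_saddr(ev['saddr'])
        if dst and (dst[0], dst[1], ev.get('uid')) == want:
            return {'pid': ev['pid'], 'comm': ev['comm'], 'exe': ev['exe']}
    return None
```

On a live system the records would come from `ausearch -k netconn` (key name assumed) and the nftables line would carry a syslog timestamp, so the match should additionally be bounded to a small time window around that timestamp.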
Tags: debian networking process nftables

edited Feb 6 at 10:22 by Kusalananda
asked Feb 6 at 9:41 by Mikhail Morfikov