[PLUG] Ports and Processes
Christopher E. Brown
cbrown at woods.net
Fri Jul 26 22:57:24 UTC 2002
On Fri, 26 Jul 2002, Roderick A. Anderson wrote:
> On Fri, 26 Jul 2002, Shannon C. Dealy wrote:
>
> > Anyone got any ideas?
>
> I've seen all the other replies so I'll suggest ipchains/iptables. I
> can't offer an example but I swear there is an option to log activity.
> In fact I just checked and see a --log option. I've never tried it but it
> has been offered as a solution to me. (Turned out my problem was PEBKAC
> so I never had to use it. :-)
> Rod
If you can define the traffic enough to identify it, I assume you can
filter for it. It is simple enough to use tcpdump writing raw traffic
to a file (just make sure to increase snaplen enough to get the
*whole* packet w/ payload, not just the header).
If nothing else you can do a raw dump of all traffic on that interface.
Even assuming it is a raw TCP session examining the payload should
give you a good idea of the application. Reconstructing the full
bi-dir stream even more.
As mentioned in the thread, the BSD accounting option in the kernel
would be useful. Grab the tools, and you get a nice timestamped log
of every proc including name, uid, walltime, cpu timer, etc. That
compared with timestamped tcpdump logs...
-- I route, therefore you are.
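Added example, not part of the original post: a small Python script that demonstrates the two points in the message above, the snaplen trap and bidirectional stream reconstruction. Older tcpdump defaulted to a 68-byte snaplen, so a capture written without `-s` keeps the Ethernet/IP/TCP headers and only a few bytes of payload; the pcap record header records both the captured length and the on-wire length, so a truncated capture is detectable after the fact. The script builds a constructed capture in memory (one HTTP-style exchange, with one retransmitted segment), writes it out twice, once with a full snaplen and once with 68 bytes, flags truncated records, and reassembles each direction of the TCP connection by sequence number. Host addresses, ports, timestamps and payload text are all made up for the example; checksums are left at zero because nothing here verifies them.

```python
"""
Parse a classic libpcap capture, flag records whose stored bytes are shorter
than the packet on the wire (a snaplen set too small), and rebuild the payload
of each TCP connection in both directions.  Capture data is constructed
inline; nothing is read from a real interface.
"""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps


def build_tcp_packet(src, sport, dst, dport, seq, ack, flags, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums zero; enough for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dummy MACs, ethertype IPv4
    total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames, snaplen):
    """Serialise frames as a pcap file; caplen is capped at snaplen, as tcpdump -s does."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)   # linktype 1 = Ethernet
    for ts, frame in frames:
        data = frame[:snaplen]
        out += struct.pack("<IIII", ts, 0, len(data), len(frame)) + data
    return out


def parse_pcap(blob):
    """Yield (timestamp, truncated?, frame_bytes) for every record in a pcap blob."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    snaplen, linktype = struct.unpack(endian + "II", blob[16:24])
    if linktype != 1:
        raise ValueError("only Ethernet link type handled here")
    off = 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, caplen, origlen = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        data = blob[off:off + caplen]
        off += caplen
        yield ts_sec + ts_usec / 1e6, caplen < origlen, data   # caplen < origlen: bytes were cut off


def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, payload), or None for non-TCP or too-short frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    t = 14 + ihl
    if len(frame) < t + 20:
        return None
    sport, dport, seq = struct.unpack("!HHI", frame[t:t + 8])
    doff = (frame[t + 12] >> 4) * 4
    return src, sport, dst, dport, seq, frame[t + doff:]


def _join(segments):
    """Concatenate segments in sequence order, dropping retransmitted overlap, marking gaps."""
    segments.sort()
    out, nxt = b"", None
    for seq, payload in segments:
        end = seq + len(payload)
        if nxt is None:
            nxt = seq
        if end <= nxt:
            continue                                 # pure retransmission, already have it
        if seq < nxt:
            payload = payload[nxt - seq:]            # partial overlap: keep only the new tail
        elif seq > nxt:
            out += b"[%d bytes missing]" % (seq - nxt)   # hole: truncated or lost segment
        out += payload
        nxt = end
    return out


def reassemble(blob):
    """Group TCP segments by connection and rebuild each direction's byte stream.

    Returns ({connection: {direction: stream_bytes}}, number_of_truncated_records).
    """
    streams = defaultdict(lambda: defaultdict(list))
    truncated = 0
    for _ts, short, frame in parse_pcap(blob):
        truncated += short
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, seq, payload = parsed
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a <= b else (b, a)          # same key for both directions
        if payload:
            streams[key][(a, b)].append((seq, payload))
    return {k: {d: _join(s) for d, s in dirs.items()} for k, dirs in streams.items()}, truncated


# Constructed sample exchange (made-up addresses, ports, timestamps and content).
CLIENT, SERVER = "10.0.0.5", "10.0.0.80"
REQUEST = b"GET /secret HTTP/1.0\r\nHost: target\r\n\r\n"
REPLY = b"HTTP/1.0 200 OK\r\nContent-Length: 5\r\n\r\nhello"
FRAMES = [
    (1027723044, build_tcp_packet(CLIENT, 40000, SERVER, 80, 1000, 0, 0x02, b"")),        # SYN
    (1027723044, build_tcp_packet(SERVER, 80, CLIENT, 40000, 5000, 1001, 0x12, b"")),     # SYN/ACK
    (1027723045, build_tcp_packet(CLIENT, 40000, SERVER, 80, 1001, 5001, 0x18, REQUEST[:20])),
    (1027723045, build_tcp_packet(CLIENT, 40000, SERVER, 80, 1021, 5001, 0x18, REQUEST[20:])),
    (1027723045, build_tcp_packet(CLIENT, 40000, SERVER, 80, 1001, 5001, 0x18, REQUEST[:20])),  # retransmit
    (1027723046, build_tcp_packet(SERVER, 80, CLIENT, 40000, 5001, 1001 + len(REQUEST), 0x18, REPLY)),
]


def demo(snaplen):
    """Write the constructed exchange at the given snaplen and reassemble it."""
    return reassemble(build_pcap(FRAMES, snaplen))


if __name__ == "__main__":
    for snaplen in (65535, 68):
        streams, truncated = demo(snaplen)
        print("snaplen %d: %d truncated records" % (snaplen, truncated))
        for conn, dirs in streams.items():
            for (a, b), data in dirs.items():
                print("  %s:%d -> %s:%d  %r" % (a[0], a[1], b[0], b[1], data))
```

With the full snaplen both directions come back intact; at 68 bytes every data-carrying record is flagged as truncated and the client stream shows a hole where the cut-off bytes should be, which is exactly what a capture taken without `-s` looks like when you try to read the application payload later. The check to carry over to real captures is the one in `parse_pcap`: any record with caplen below the on-wire length was cut, and no amount of reassembly will recover those bytes.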