[PLUG] Ports and Processes

Christopher E. Brown cbrown at woods.net
Fri Jul 26 22:57:24 UTC 2002


On Fri, 26 Jul 2002, Roderick A. Anderson wrote:

> On Fri, 26 Jul 2002, Shannon C. Dealy wrote:
>
> > Anyone got any ideas?
>
> I've seen all the other replies so I'll suggest ipchains/iptables.  I
> can't offer an example but I swear there is an option to log activity.
> In fact I just checked and see a --log option.  I've never tried it but it
> has been offered as a solution to me.  (Turned out my problem was PEBKAC
> so I never had to use it. :-)
> Rod


If you can define the traffic enough to identify it, I assume you can
filter for it.  It is simple enough to use tcpdump writing raw traffic
to a file (just make sure to increase snaplen enough to get the
*whole* packet w/ payload, not just the header).
If nothing else you can do a raw dump of all traffic on that interface.


Even assuming it is a raw TCP session, examining the payload should
give you a good idea of the application.  Reconstructing the full
bi-dir stream would tell you even more.


As mentioned in the thread, the BSD accounting option in the kernel
would be useful.  Grab the tools, and you get a nice timestamped log
of every proc including name, uid, walltime, cpu time, etc.  That
compared with timestamped tcpdump logs...

 -- I route, therefore you are.
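
[Editor's worked example; this is added to the archive page and is not part of Christopher's message or anything posted in the thread.]  The last step above, lining up the process-accounting log against the tcpdump timestamps, is the fiddly part, so here is a small Python script that does it.  It assumes the capture was taken with `tcpdump -nn -s 1514 -w raw.pcap` (a full Ethernet frame, so the payload survives) and decoded with `tcpdump -nn -tttt -r raw.pcap`, and that the accounting side is `lastcomm` output in the "command flags user tty secs start-time" layout.  The sample lines, the addresses and the program name `netclient` are constructed for the example; lastcomm's column layout differs between acct versions, so the regex may need adjusting for a real box.

```python
"""Match connections in a tcpdump text log against BSD process accounting.

Added example, not code from the original thread.  Assumptions (hypothetical):
  * packets were captured with  tcpdump -nn -s 1514 -w raw.pcap  (full
    Ethernet frame, so the payload is kept) and decoded with
    tcpdump -nn -tttt -r raw.pcap, giving 'YYYY-MM-DD HH:MM:SS.ffffff' stamps;
  * process records come from lastcomm in the
    'command flags user tty secs start' layout, which has no year and only
    minute resolution; the exact layout differs between acct versions.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of `tcpdump -nn -tttt -r raw.pcap` output (addresses invented).
TCPDUMP_LINES = """\
2002-07-26 22:57:24.103211 IP 10.0.0.5.34567 > 192.0.2.10.6667: Flags [S], seq 1, win 5840, length 0
2002-07-26 22:57:24.140077 IP 192.0.2.10.6667 > 10.0.0.5.34567: Flags [S.], seq 0, ack 2, win 5792, length 0
2002-07-26 22:57:24.140200 IP 10.0.0.5.34567 > 192.0.2.10.6667: Flags [.], ack 1, win 5840, length 0
2002-07-26 22:57:26.900012 IP 10.0.0.5.34567 > 192.0.2.10.6667: Flags [P.], seq 1:17, ack 1, win 5840, length 16
"""

# Constructed sample of lastcomm output; 'netclient' is a made-up program name.
LASTCOMM_LINES = """\
netclient        S     shannon  pts/2      0.12 secs Fri Jul 26 22:57
cron             SF    root     __         0.00 secs Fri Jul 26 22:57
sh               S     shannon  pts/2      0.01 secs Fri Jul 26 22:55
"""

PKT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
ACCT_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<flags>\S*)\s+(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<cpu>[\d.]+) secs (?P<start>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2})$"
)


def parse_tcpdump(text):
    """Return {(src, sport, dst, dport): time of the client's SYN}."""
    conns = {}
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m and m["flags"] == "S":          # bare SYN: this side opened the session
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            conns.setdefault(key, datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"))
    return conns


def parse_lastcomm(text, year):
    """Return [(command, user, tty, start)]; lastcomm omits the year, so it is passed in."""
    recs = []
    for line in text.splitlines():
        m = ACCT_RE.match(line.rstrip())
        if m:
            start = datetime.strptime(f"{m['start']} {year}", "%a %b %d %H:%M %Y")
            recs.append((m["cmd"], m["user"], m["tty"], start))
    return recs


def correlate(conns, recs, window=timedelta(minutes=1)):
    """For each connection, the accounting records that started in the SYN's
    minute or up to `window` earlier.  Accounting is minute-granular, so this
    yields candidates, not proof; the payload decides which one owned the socket."""
    out = {}
    for key, syn_ts in conns.items():
        minute = syn_ts.replace(second=0, microsecond=0)
        out[key] = [(cmd, user, tty) for cmd, user, tty, start in recs
                    if minute - window <= start <= minute]
    return out


if __name__ == "__main__":
    conns = parse_tcpdump(TCPDUMP_LINES)
    recs = parse_lastcomm(LASTCOMM_LINES, year=2002)
    for (src, sport, dst, dport), hits in correlate(conns, recs).items():
        print(f"{src}:{sport} -> {dst}:{dport}  candidates: {hits}")
```

On the constructed sample the SYN at 22:57:24 lands two candidates, netclient (shannon, pts/2) and cron (root), because both started in the same minute; that is exactly the limit of accounting data on its own, and why the payload in the full-snaplen capture is what settles which process the session belongs to.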




