On Friday 20 Jan 2012 23:34:12 Grant wrote:
> >>>> >> My firewall is blocking periodic outbound connections to port 3680
> >>>> >> on a Rackspace IP. How can I find out more about what's going on?
> >>>> >> Maybe which program is generating the connection requests?
> >>>> >
> >>>> > Uh, a packet sniffer?
> >>>> >
> >>>> > I have an old laptop here that I have a second (cardbus) network
> >>>> > card in. Really cheap and cheerful - the sort of thing you can pick
> >>>> > up on freecycle. It's been a while since I've done anything like
> >>>> > this, but you should be able to stick a box like that between the
> >>>> > router and the rest of your network, run Wireshark and filter on
> >>>> > that port. If the connection is encrypted then at least you'll see
> >>>> > the originating IP.
> >>>>
> >>>> I've actually got the originating local IP from the shorewall log.
> >>>> I'm just trying to figure out which program and maybe which user on
> >>>> that system is generating the outbound requests to port 3680. Is
> >>>> there any way to get more info without setting up a new box?
> >>>>
> >>>> > I don't think it's relevant that the IP belongs to Rackspace - don't
> >>>> > they just hire (virtual) servers to anyone that wants one?
> >>>>
> >>>> Yeah I just meant the request could be going to "anyone".
> >>>>
> >>>> - Grant
> >>>
> >>> Are you running NPDS in your LAN and is it configured to access any
> >>> sites on rackspace?
> >>> --
> >>> Regards,
> >>> Mick
> >>
> >> I am not running NPDS. I looked it up when I was researching port
> >> 3680 and read about it for the first time. I know which machine is
> >> making the requests. Any way to drill down further?
> >
> > If the machine is running linux, then 'watch "lsof -n|grep TCP|grep
> > 3680"' as root is a sloppy but effective way to find it. There's
> > probably some way to set up a firewall rule on the host in question
> > that logs out the user and (possibly) PID of the connection, but I
> > don't know.
>
> All of my systems run Gentoo. :) Where does watch come from?
>
> - Grant
ps axf and look at the tree that contains the PID of what lsof | grep 3680 showed.
--
Regards,
Mick
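An added example, not code posted in the thread, showing what the `lsof -n | grep TCP | grep 3680` one-liner does underneath and answering the "which program and which user" question without a second box: the kernel already publishes every TCP socket in `/proc/net/tcp` and `/proc/net/tcp6` together with its owning UID and socket inode, and each open socket appears in `/proc/<pid>/fd/` as a symlink to `socket:[<inode>]`, so matching inodes names the PID (and `ps axf`, as suggested above, then shows who spawned it). The `SAMPLE_TCP`/`SAMPLE_TCP6` strings, `demo_lookup()` and the names `some-daemon` and inode `31337` are constructed test data; `203.0.113.5` is a documentation address, not the Rackspace host. (`watch`, asked about above, ships with procps, `sys-process/procps` on Gentoo.)

```python
"""Find the local process behind an outbound TCP connection, by remote port,
from /proc alone (the data lsof reads): /proc/net/tcp{,6} list every socket
with its addresses (hex, host byte order), owning UID and inode, and every open
socket shows up under /proc/<pid>/fd/ as a symlink to "socket:[<inode>]"."""
import ipaddress
import os
import sys
import tempfile

# Constructed samples as a little-endian kernel writes /proc/net/tcp (a root-owned
# listener on 127.0.0.1:631, and 192.168.1.10:53666 -> 203.0.113.5:3680 established,
# uid 1000, inode 31337) and /proc/net/tcp6 ([::1]:40000 -> [::1]:3680, inode 40404).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 26159 1 0000000000000000 100 0 0 10 0
   1: 0A01A8C0:D1A2 057100CB:0E60 01 00000000:00000000 00:00000000 00000000  1000        0 31337 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:9C40 00000000000000000000000001000000:0E60 01 00000000:00000000 00:00000000 00000000  1000        0 40404 1 0000000000000000 20 4 30 10 -1
"""
TCP_STATES = {1: "ESTABLISHED", 2: "SYN_SENT", 6: "TIME_WAIT", 8: "CLOSE_WAIT", 10: "LISTEN"}

def _decode_addr(field, byteorder):
    """'HEXADDR:HEXPORT' -> (ip, port); each 32-bit word is host-order, so on a
    little-endian host every 4-byte group is reversed to get network order."""
    hex_ip, hex_port = field.split(":")
    raw = bytes.fromhex(hex_ip)
    if byteorder == "little":
        raw = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    return str(ipaddress.ip_address(raw)), int(hex_port, 16)

def parse_proc_net_tcp(text, byteorder=sys.byteorder):
    """Parse /proc/net/tcp or /proc/net/tcp6 text into a list of socket dicts."""
    entries = []
    for line in text.splitlines()[1:]:            # line 0 is the column header
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = _decode_addr(f[1], byteorder)
        rip, rport = _decode_addr(f[2], byteorder)
        entries.append({"local_ip": lip, "local_port": lport, "remote_ip": rip,
                        "remote_port": rport, "uid": int(f[7]), "inode": int(f[9]),
                        "state": TCP_STATES.get(int(f[3], 16), f[3])})
    return entries

def sockets_to_port(entries, remote_port):
    return [e for e in entries if e["remote_port"] == remote_port]

def owners_of_inodes(inodes, proc="/proc"):
    """Scan <proc>/<pid>/fd for socket:[inode] links -> {inode: (pid, cmdline)}.
    Other users' fd tables are readable only by root, hence 'as root' in the thread."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    found = {}
    for pid in filter(str.isdigit, os.listdir(proc) if wanted else []):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                           # EACCES for other users, or it exited
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:                       # closed between listdir and readlink
                continue
            if target in wanted:
                found[wanted[target]] = (int(pid), _cmdline(proc, pid))
    return found

def _cmdline(proc, pid):
    try:                                          # argv, NUL-separated in /proc/<pid>/cmdline
        with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return "?"

def report(remote_port, proc="/proc"):
    """Live check: one (uid, pid, cmdline, local, remote, state) per socket talking
    to remote_port; pid and cmdline are None when the fd table was unreadable."""
    entries = []
    for name in ("net/tcp", "net/tcp6"):
        if os.path.exists(os.path.join(proc, name)):
            with open(os.path.join(proc, name)) as fh:
                entries += parse_proc_net_tcp(fh.read())
    matches = sockets_to_port(entries, remote_port)
    owners = owners_of_inodes([m["inode"] for m in matches], proc)
    return [(m["uid"], *owners.get(m["inode"], (None, None)),
             f"{m['local_ip']}:{m['local_port']}", f"{m['remote_ip']}:{m['remote_port']}",
             m["state"]) for m in matches]

def demo_lookup(pid=4242, inode=31337, cmdline="some-daemon --poll"):
    """Offline exercise of the fd scan on a constructed fake proc tree with one process."""
    root = tempfile.mkdtemp()
    fd_dir = os.path.join(root, str(pid), "fd")
    os.makedirs(fd_dir)
    os.symlink(f"socket:[{inode}]", os.path.join(fd_dir, "3"))  # dangling, as real ones are
    with open(os.path.join(root, str(pid), "cmdline"), "wb") as fh:
        fh.write(b"\0".join(cmdline.encode().split()) + b"\0")
    return owners_of_inodes([inode], proc=root)
```

Import the module and call `report(3680)` as root on the machine the shorewall log points at; the `state` column is the useful extra over grepping lsof output: while the upstream firewall is dropping the SYNs, the client socket sits in `SYN_SENT` rather than `ESTABLISHED`, so the culprit shows up even though the connection never completes. Wrapping the call in `watch`, as suggested above, catches a short-lived client that retries periodically. `ss -tnp` from iproute2 gives the same PID mapping without a script. On the "firewall rule that logs the user" idea: netfilter's `owner` match (`-m owner --uid-owner`) can select or LOG outbound packets by UID in the OUTPUT chain, but the PID-owner variant was removed from the kernel long ago, so UID is as far as that route goes.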