>> If the machine is running Linux, then 'watch "lsof -n|grep TCP|grep 3680"'
>> as root is a sloppy but effective way to find it. There's probably some
>> way to set up a firewall rule on the host in question that logs out the
>> user and (possibly) PID of the connection, but I don't know.
>
> "lsof -i" is easier, it only shows network connections :)
>
> catching it when it happens (if it is very briefly connected) could be
> hard with lsof... Maybe set up a tarpit firewall rule on that box so
> the connection stays open for a long time.
The connections are only attempted a few times throughout the day. Is a tarpit firewall rule the only way to do this? Can anyone tell me what package 'watch' belongs to, if that would work?

- Grant
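As an added example (not from anyone in the thread), a small POSIX shell poller that does what the 'watch "lsof ..."' one-liner does but records the PID, user and command of every endpoint on the port, so a brief connection attempt leaves a timestamped line instead of having to be caught on screen. It assumes Linux with lsof installed and uses port 3680 from the thread; the lsof output embedded in it is constructed for an offline self-check.

```shell
#!/bin/sh
# Added example (not from the thread): poll lsof and log every TCP
# endpoint on a given port together with the owning PID and user.
# Assumes Linux with lsof installed; 3680 is the port from the thread.

# Constructed sample of `lsof -nP -i TCP` output, used for an offline self-check.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1234 root 3u IPv4 12345 0t0 TCP 10.0.0.5:22->10.0.0.9:51234 (ESTABLISHED)
curl 4321 grant 5u IPv4 23456 0t0 TCP 10.0.0.5:40000->192.0.2.10:3680 (SYN_SENT)
nc 5555 bob 4u IPv4 34567 0t0 TCP *:3680 (LISTEN)'

# match_port PORT: read lsof output on stdin, print "PID USER COMMAND NAME STATE"
# for every line where either endpoint in the NAME column uses PORT.
match_port() {
    awk -v port="$1" '
        NR > 1 {
            n = split($9, ep, "->")   # local->remote, or just local when listening
            for (i = 1; i <= n; i++)
                if (ep[i] ~ (":" port "$")) { print $2, $3, $1, $9, $10; break }
        }'
}

# count_matches PORT: number of matching rows in the constructed sample.
count_matches() {
    printf '%s\n' "$SAMPLE_LSOF" | match_port "$1" | awk 'END { print NR }'
}

# watch_port PORT [INTERVAL]: poll lsof until interrupted, timestamping each hit.
# A connection shorter than the interval can still fall between two polls;
# polling only narrows the window, it does not close it.
watch_port() {
    while :; do
        lsof -nP -i TCP 2>/dev/null | match_port "$1" |
            while read -r pid user cmd name state; do
                printf '%s pid=%s user=%s cmd=%s %s %s\n' \
                    "$(date '+%Y-%m-%dT%H:%M:%S')" "$pid" "$user" "$cmd" "$name" "$state"
            done
        sleep "${2:-1}"
    done
}

# Usage: sh watchport.sh 3680 [interval]
# With no arguments nothing is started, so the functions can be sourced or checked.
if [ $# -gt 0 ]; then watch_port "$@"; fi
```

Run it as root (lsof only shows other users' sockets with enough privilege) and redirect its output to a file, then grep that file the next morning. A firewall-side log rule, as suggested above, records attempts without racing the poll, but it does not know the PID, so the two approaches complement each other.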