On Sun, 30 May 1999, Ralph Clark wrote:

> I haven't yet found a way to identify which process is responsible for each
> packet. If anyone knows how to find the PID of the process sending or receiving
> a given packet (and presumably this involves finding out which socket it is
> going to or coming from, and separately identifying the process which is using
> that socket) ... PLEASE let me know.

You may regret asking when you hear the answer :-).

  Firstly you have a source IP and port from the logging. If the
machine which has the source IP is not a Linux box, stop reading
now. If the machine is masquerading you need to look at its
/proc/net/ip_masquerade in order to unmasquerade the IP,port
then use the real source IP,port to find the new real source
machine.

  Now you need to use the source port (the unmasqueraded source
port) to find a socket. Look at the source machine's
/proc/net/tcp (or /proc/net/udp for UDP packets) and find the
line with the matching IP,port under the local_address heading
(yes, they are all in hex here :-) ). At the end of that line
is an inode number. This identifies the originating socket
in the kernel's virtual socket filesystem. Make a note of this
inode number (let's call it $inode).

  Nearly there :-). Now you need to look for a process that
has this inode on the socket vfs open (hopefully it hasn't
closed it by now...). Do:
    ls -l /proc/*/fd/* | grep "socket:\[$inode\]"
The number between "/proc/" and "/fd/" is the pid of the
process that owns the socket. At least, the pid of the process
that owns the socket *now*. That inode may have been owned
by a different process and socket when the packet was actually
*sent*...

                                Mike

-- 
.----------------------------------------------------------------------.
| Mike Jagdis                   | Internet: [EMAIL PROTECTED]  |
| 280, Silverdale Road, Earley, | Voice:    +44 118 926 6996           |
| Reading RG6 7NU ENGLAND       | Work:     +44 118 989 0403           |
`----------------------------------------------------------------------'
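The two-stage walk Mike describes (local IP:port -> inode in /proc/net/tcp, then inode -> pid via the socket: links in /proc/*/fd) as an added worked example; this is not code from the original post, the /proc/net/tcp rows and fd links below are constructed sample data, and the function names are my own. It assumes an IPv4 table (/proc/net/tcp or /proc/net/udp, not the tcp6 layout) and that the reading host has the same byte order as the one that produced the file, since the kernel prints the address as a host-order 32-bit value in hex, which is why 127.0.0.1 appears as 0100007F on x86.

```python
"""Map a local IP:port to its socket inode, then that inode to the owning PID.
Added example, not from the original post.  Sample /proc data is constructed."""
import os
import re
import socket
import sys
from typing import Iterable, Optional, Tuple

# Constructed /proc/net/tcp excerpt.  Column 1 is local_address as
# HOSTORDERHEXIP:HEXPORT, column 9 (0-based) is the socket inode.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 0100007F:0CEA 0100007F:8B2A 01 00000000:00000000 00:00000000 00000000  1000        0 56789 1 00000000 20 4 30 10 -1
   2: 0F02000A:C350 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 98765 1 00000000 20 4 30 10 -1
"""

# Constructed (pid, readlink target) pairs as they would come from /proc/*/fd/*.
SAMPLE_FD_LINKS = [
    (1, "/dev/null"),
    (77, "pipe:[1111]"),
    (4242, "socket:[56789]"),
    (4242, "socket:[98765]"),
]

SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")   # brackets are literal here


def decode_addr(hexaddr: str, byteorder: str = sys.byteorder) -> Tuple[str, int]:
    """'0100007F:0CEA' -> ('127.0.0.1', 3306).  The IP is a host-order u32,
    so on little-endian hosts the bytes must be reversed before inet_ntoa."""
    ip_hex, port_hex = hexaddr.split(":")
    raw = bytes.fromhex(ip_hex)
    if byteorder == "little":
        raw = raw[::-1]
    return socket.inet_ntoa(raw), int(port_hex, 16)


def inode_for_local(table_text: str, ip: str, port: int,
                    byteorder: str = sys.byteorder) -> Optional[int]:
    """Find the inode of the socket whose local_address is ip:port, or None."""
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[0] == "sl":
            continue                      # header or truncated row
        try:
            local = decode_addr(fields[1], byteorder)
        except ValueError:
            continue
        if local == (ip, port):
            return int(fields[9])
    return None


def pid_for_inode(fd_links: Iterable[Tuple[int, str]], inode: int) -> Optional[int]:
    """Return the pid whose fd table holds socket:[inode], or None.
    As the post warns, this is the owner *now*; inodes get reused."""
    for pid, target in fd_links:
        m = SOCKET_LINK.match(target)
        if m and int(m.group(1)) == inode:
            return pid
    return None


def iter_proc_fd_links(proc: str = "/proc") -> Iterable[Tuple[int, str]]:
    """Live equivalent of SAMPLE_FD_LINKS: readlink every /proc/<pid>/fd/<n>.
    Needs root (or same uid) to read other users' fd tables."""
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc, name, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                   # permission denied or process gone
            continue
        for fd in fds:
            try:
                yield int(name), os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue


def pid_for_local(ip: str, port: int, table_text: str,
                  fd_links: Iterable[Tuple[int, str]]) -> Optional[int]:
    """The full walk: ip:port -> inode -> pid."""
    inode = inode_for_local(table_text, ip, port)
    return None if inode is None else pid_for_inode(fd_links, inode)


if __name__ == "__main__":
    # Offline demo on the constructed data; swap in the live sources for real use:
    #   open("/proc/net/tcp").read()  and  iter_proc_fd_links()
    print(pid_for_local("10.0.2.15", 50000, SAMPLE_PROC_NET_TCP, SAMPLE_FD_LINKS))
```

For a live run on the source machine, replace the two constructed inputs with `open("/proc/net/tcp").read()` (or `/proc/net/udp`) and `iter_proc_fd_links()`, and run as root so every process's fd directory is readable. The regex anchors the brackets as literal characters, which is the same fix the shell one-liner needs: an unescaped `[$inode]` in grep is a character class, not the string `[56789]`. Modern `ss -p` and `lsof -i` perform exactly this inode matching for you, with the same race against the socket being closed or the inode reused.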

