On Tue, 13 Dec 2011 01:07:42 +0700 Sthu Deus <sthu.d...@gmail.com> wrote:
> Thank You for Your time and answer, Kelly:
>
> >> On a desktop system I have noticed a bit of network traffic whereas
> >> users do not run any network software...
> >>
> >> How do I find out which process on the system does send/receive
> >> network packets?
> >
> > Something like:
> > netstat --inet -ap
> >
> > "--inet" so you are looking at network sockets rather than unix
> > sockets, "-a" shows both established connections and listening
> > processes, "-p" shows PID and process name.
>
> I have tried this but it did tell me what sends/receives packets...
>
> I have records from tcpdump as:
>
> 15:26:41.796962 IP n219078177226.netvigator.com.20026 > dark.6881: UDP, length 98
> 15:26:41.843163 IP dark.60324 > 192-168-0-001.localnet.domain: 18791+ PTR? 226.177.78.219.in-addr.arpa. (45)
> 15:26:42.188001 IP 109.166.130.88.57922 > dark.6881: UDP, length 103
> 15:26:42.240489 IP 192-168-0-001.localnet.domain > dark.60324: 18791 1/2/2 PTR n219078177226.netvigator.com. (155)
> 15:26:42.241167 IP dark.55090 > 192-168-0-001.localnet.domain: 33349+ PTR? 1.0.168.192.in-addr.arpa. (42)
> 15:26:42.252990 IP dark.50010 > 192-168-0-001.localnet.domain: 35194+ PTR? 1.0.168.192.in-addr.arpa. (42)
> 15:26:42.427152 IP 0.0.0.0 > all-systems.mcast.net: igmp query v2
> 15:26:42.427204 IP6 fe80::219:b9ff:fe53:3418 > ip6-allnodes: HBH ICMP6, multicast listener querymax resp delay: 1000 addr: ::, length 24
> 15:26:42.440462 IP 192-168-0-001.localnet.domain > dark.55090: 33349* 1/2/2 PTR 192-168-0-001.localnet. (151)
> 15:26:42.441035 IP 192-168-0-001.localnet.domain > dark.50010: 35194 1/0/0 PTR 192-168-0-001.localnet. (78)
> 15:26:42.441084 IP dark.51993 > 192-168-0-001.localnet.domain: 25411+ PTR? 88.130.166.109.in-addr.arpa. (45)
> 15:26:42.584183 IP n219079146094.netvigator.com.45846 > dark.6881: UDP, length 98
>
> So, here are several connections I see.
> Do You have an idea, how I can identify which process relates to each
> record - maybe related to port/protocol?

Run netstat as root to see the PIDs and program names of everything,
otherwise it will only show you that data for processes you own. If you
also use the -n flag, it will run much faster as it won't do DNS or
service name lookups. Some of the service names may be misleading anyway,
as they are looked up from a file. The program name is more useful.

--
Joe

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20111212190114.62184...@jretrading.com
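As an added example (not code from anyone in this thread), a small POSIX shell script that does the correlation Joe describes: it pulls the local port out of one of the tcpdump records above (host name `dark`, as in the capture) and looks that port up in `netstat --inet -anp` output. The netstat listing is a constructed sample, not real output from the original poster's machine; the `-` in its last column is exactly what netstat shows a non-root user for sockets owned by other users.

```shell
#!/bin/sh
# Constructed sample of `netstat --inet -anp` output. The PIDs and program
# names are made up; "-" is what a non-root user sees for others' sockets.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
udp        0      0 0.0.0.0:6881            0.0.0.0:*                           2314/exampled
udp        0      0 192.168.0.5:60324       0.0.0.0:*                           -'

# Print the PID/program that owns the socket bound to local port $1, reading
# netstat output on stdin. The local address is column 4; the owner is the
# last field, because the State column is empty on UDP rows.
owner_of_port() {
    awk -v port="$1" '
        NR > 1 && $4 ~ (":" port "$") { print $NF; found = 1; exit }
        END { if (!found) print "no-socket" }'
}

# Given one tcpdump line and our own host name, return the local port:
# the digits after the last dot of the "host.port" token (tcpdump -n not used,
# so names appear as in the capture above).
local_port_from_tcpdump() {
    line=$1; host=$2
    echo "$line" | tr ' :' '\n\n' | grep "^$host\." | head -n 1 | sed "s/^$host\.//"
}

# Correlate a tcpdump record with the process owning its local socket.
# "-" means netstat could not see the owner from this user: rerun it as root.
process_for_record() {
    port=$(local_port_from_tcpdump "$1" "$2")
    owner=$(printf '%s\n' "$NETSTAT_SAMPLE" | owner_of_port "$port")
    case $owner in
        -) echo "port $port: owner hidden, run netstat as root" ;;
        *) echo "port $port: $owner" ;;
    esac
}
```

On a live system replace `NETSTAT_SAMPLE` with `netstat --inet -anp` run as root; `-n` also keeps the port numbers numeric so they line up with what `tcpdump -n` prints.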