How do I find out which process opens a specific port on a specific IP address once in a while?
Once every 5 minutes or so a process on my machine, with my main user id, tries to open a connection to an unknown IP address (no rDNS) at an unusual TCP port (>1k). I can see this in the computer's IP firewall log because the connection is rejected every time:
[243678.820911] Firewall: *TCP_OUT Blocked* IN= OUT=eth1 SRC=192.168.1.33 DST=123.45.67.89 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31984 DF PROTO=TCP SPT=31339 DPT=1234 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1234 GID=1234
Now, I want to find out which process it is (a few hundred are running) in order to stop it from trying, and to see whether this is something I should be concerned about.
How can I wait for, and detect, up to the process name, which process opens a connection to 123.45.67.89 at TCP port 3456 as user id 1234?
Tags: ip, firewall
If the issue is regular ("every 5 minutes") then it may be a cron job, so looking at cron entries may be beneficial. Otherwise you could look at auditd and create an auditctl entry to log TCP session activity; eg
auditctl -a exit,always -F arch=b64 -S connect -k FLAG
will flag 64bit programs that call the connect(2) system call. You'll need a similar line for 32bit programs if you have both on your system
– Stephen Harris, yesterday
Just to clarify: The firewall message is the PC's or your network's router? ... The IP address you listed in the question seems to belong to Samsung... So, if it's the router's firewall, I would say this is probably a Smart TV or phone or something trying to auto-update... you could use
watch -n15 lsof -a -i4@123.45.67.89:3456 -u 1234
... which will check every 15 seconds.
– RubberStamp, yesterday
asked yesterday by Ned64
1 Answer
You could construct a tight loop with netstat like this:
while :; do netstat -np | awk '$5 ~ ":3456" {print}'; done
It's not very efficient, but it should be able to capture the pid and name of your calling process.
answered yesterday by Wanted
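The answer's netstat loop and the lsof one-liner in the comments both spawn a new process on every iteration and read the kernel's socket table through it. Below is an added example (not code from the question, the comments or the answer) that does the same lookup directly: it parses the firewall log line for the destination, port and UID, reads /proc/net/tcp (the table netstat and ss themselves read), and maps the matching socket's inode to a PID and process name by scanning /proc/<pid>/fd. The sample log line and the sample /proc/net/tcp row are constructed to match the question; names such as SAMPLE_LOG_LINE, parse_firewall_line, match_sockets and pid_for_inode are this example's own.

```python
"""Identify the local process behind an outbound connection seen in a netfilter log.

Added example, not from the original page. Reads /proc/net/tcp directly
instead of looping over netstat/lsof. Sample data below is constructed.
"""
import os
import re
import socket
import struct
import time

# Constructed sample: a netfilter LOG line in the same format as the question's.
SAMPLE_LOG_LINE = (
    "[243678.820911] Firewall: *TCP_OUT Blocked* IN= OUT=eth1 SRC=192.168.1.33 "
    "DST=123.45.67.89 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31984 DF PROTO=TCP "
    "SPT=31339 DPT=1234 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1234 GID=1234"
)

# Constructed sample of /proc/net/tcp: header plus one row for a socket from
# 192.168.1.33:31339 to 123.45.67.89:1234, owned by uid 1234, inode 98765.
# Addresses are little-endian hex, as the kernel prints them.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt"
    "   uid  timeout inode\n"
    "   0: 2101A8C0:7A6B 59432D7B:04D2 01 00000000:00000000 00:00000000 00000000"
    "  1234        0 98765 1 0000000000000000 100 0 0 10 0\n"
)

LOG_FIELD = re.compile(r"\b(DST|DPT|UID|PROTO)=(\S+)")


def parse_firewall_line(line):
    """Pull destination IP, destination port, UID and protocol out of a LOG line."""
    fields = dict(LOG_FIELD.findall(line))
    return {
        "dst": fields["DST"],
        "dport": int(fields["DPT"]),
        "uid": int(fields["UID"]),
        "proto": fields["PROTO"],
    }


def decode_addr(hex_addr):
    """Decode the 'AABBCCDD:PPPP' form of /proc/net/tcp into (dotted IP, port)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp content into a list of socket dicts (header skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 10:
            continue
        rows.append({
            "local": decode_addr(parts[1]),
            "remote": decode_addr(parts[2]),
            "state": int(parts[3], 16),   # 01 ESTABLISHED, 02 SYN_SENT, ...
            "uid": int(parts[7]),
            "inode": int(parts[9]),       # 0 for sockets with no owning fd (e.g. TIME_WAIT)
        })
    return rows


def match_sockets(rows, dst, dport, uid=None):
    """Select sockets whose peer is dst:dport, optionally restricted to one UID."""
    return [r for r in rows
            if r["remote"] == (dst, dport) and (uid is None or r["uid"] == uid)]


def pid_for_inode(inode, proc="/proc"):
    """Find the (pid, comm) holding socket:[inode]; needs read access to /proc/<pid>/fd."""
    target = "socket:[%d]" % inode
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:          # permission denied, or the process already exited
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    with open(os.path.join(proc, pid, "comm")) as f:
                        return int(pid), f.read().strip()
            except OSError:
                continue
    return None


def watch(dst, dport, uid=None, interval=0.2, proc="/proc"):
    """Poll /proc/net/tcp until a matching socket appears, then report its owner."""
    seen = set()
    while True:
        with open(os.path.join(proc, "net", "tcp")) as f:
            rows = parse_proc_net_tcp(f.read())
        for r in match_sockets(rows, dst, dport, uid):
            if r["inode"] in seen or r["inode"] == 0:
                continue
            seen.add(r["inode"])
            print("state=%02x uid=%d inode=%d owner=%s"
                  % (r["state"], r["uid"], r["inode"], pid_for_inode(r["inode"], proc)))
        time.sleep(interval)


if __name__ == "__main__":
    hit = parse_firewall_line(SAMPLE_LOG_LINE)
    watch(hit["dst"], hit["dport"], hit["uid"])
```

Run it as the same user that owns the socket (UID 1234 in the question) or as root, since /proc/<pid>/fd of other users' processes is not readable. One caveat that applies equally to the netstat loop: when the firewall rejects the SYN with an ICMP or RST, the socket sits in SYN_SENT only for the round trip and may vanish between polls; the auditd connect(2) rule from the comments records the calling PID at the syscall itself and does not have that race.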