tags:

views:

59

answers:

3
Q: 

how i can identify which process is making UDP traffic on linux ?

Hello,

my machine is continously making udp dns traffic request. what i need to know is the PID of the process generating this traffic.

The normal way in TCP connection is to use netstat/lsof and get the process associated at the pid.

Is UDP the connection is stateles, so, when i call netastat/lsof i can see it only if the UDP socket is opened and it's sending traffic.

I have tried with lsof -i UDP and with nestat -anpue but i cant be able to find wich process is doing that request because i need to call lsof/netstat exactly when the udp traffic is sended, if i call lsof/netstat before/after the udp datagram is sended is impossible to view the opened UDP socket.

call netstat/lsof exactly when 3/4 udp packet is sended is IMPOSSIBLE.

how i can identify the infamous process ? I have already inspected the traffic to try to identify the sended PID from the content of the packet, but is not possible to identify it from the contect of the traffic.

anyone can help me ?

I'm root on this machine FEDORA 12 Linux noise.digint.lan 2.6.32.16-141.fc12.x86_64 #1 SMP Wed Jul 7 04:49:59 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux

A:  
 netstat -anp |grep -i udp

The process is at the last column

ghostdog74  2010-10-20 11:27:25
i'have already tried it with more option, netstat -anpue, where u stand for udp and e for extended info, i also tried with -c continous option. the problem is that i need to call netstat when the 'infamous' process make udp traffic and is not possible to call it in extact istant it's made it. for a test i have wrote a C loop calling gethostbyname and every 10 seconds i able to view the traffic by netstat but i miss a lot of request. any way to have a historic and consistent way of udp/process traffic ?
boos  2010-10-20 12:28:20
+1  A: 

Are these UDP DNS requests going to the name servers your Fedora box is configured to use? Just opening Firefox and going to http://www.google.com will generate a stream of UDP packets as name resolution happens. Run tcpdump port 53 in a terminal window, open Firefox and go to some website, you'll see what I mean.

mazianni  2010-10-20 14:13:38
Run `tcpdump port 53` and pipe output to log file, this way you'll see port of application which makes UDP requests. By knowing port of application, you can find application process itself.
Victor Sorokin  2010-10-20 14:44:38
You can see the src port, true, but it being UDP there's a good chance the port won't be in use by the time the OP tries to run lsof. It's not a stateful connection. In fact, a quick glance at my tcpdump output shows me four different source ports listed in the course of a second.
mazianni  2010-10-20 14:51:16
mazianni, you have understood the point. UDP is stateless so when i call lsof/netstat the port is not anymore used, as consequence i cant be able to see the PID of the process.
boos  2010-10-21 08:34:54
A: 

Linux Socket Monitor can track changes to network sockets. It should alert you when new socket is opened.

Paweł  2010-10-20 20:39:09
Linux Socket Monitoring is only a bash script that call lsof/netstat. With this way, isnt possible to call it exactly when the udp traffic is generated.
boos  2010-10-21 08:35:20

related questions

grep a file, but show several surrounding lines?
VMWare Server Under Linux Secondary NIC connection
Should I move from C++ to Python? ... Or another language?
Globus Toolkit virtual machine
How to avoid redefining VERSION, PACKAGE, etc.
How do I setup Public-Key Authentication?
showing a message box from a bash script in linux
Best Linux Distro for Computer Repair
Mapping my custom keys in Debian
Any IcedTea war stories?
How do you find the age of a long-running Linux process?
Personal Linux web server
Programmatically talking to a Serial Port in OS X or Linux
what's in your .bashrc ?
Linux - files and scripts that execute on boot
Text Editor For Linux (Besides Vi)?
Lightweight IDE for Linux
Shell scripting input redirection oddities
XML Editing/Viewing Software
What should a longtime Windows user know when starting to use Linux?
Gtk SSH client for Linux?
Getting root permissions on a file inside of vi?
Is it possible to drag windows between workspaces when using Compiz?
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?