views:

59

answers:

3

Hello,

My machine is continuously making UDP DNS requests. What I need to know is the PID of the process generating this traffic.

The normal way with a TCP connection is to use netstat/lsof and get the process associated with the PID.

In UDP the connection is stateless, so when I call netstat/lsof I can see it only if the UDP socket is open and it's sending traffic.

I have tried lsof -i UDP and netstat -anpue, but I can't find which process is making that request, because I need to call lsof/netstat exactly when the UDP traffic is sent; if I call lsof/netstat before/after the UDP datagram is sent, it's impossible to see the open UDP socket.

Calling netstat/lsof exactly when 3/4 UDP packets are sent is IMPOSSIBLE.

How can I identify the infamous process? I have already inspected the traffic to try to identify the sending PID from the content of the packets, but it is not possible to identify it from the content of the traffic.

Can anyone help me?

I'm root on this machine: Fedora 12, Linux noise.digint.lan 2.6.32.16-141.fc12.x86_64 #1 SMP Wed Jul 7 04:49:59 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux

A: 
 netstat -anp |grep -i udp

The process is at the last column

ghostdog74
I have already tried it with more options, netstat -anpue, where u stands for UDP and e for extended info; I also tried with -c, the continuous option. The problem is that I need to call netstat when the 'infamous' process makes UDP traffic, and it is not possible to call it at the exact instant it does. For a test I wrote a C loop calling gethostbyname, and every 10 seconds I am able to view the traffic with netstat, but I miss a lot of requests. Is there any way to have a historic and consistent view of UDP traffic per process?
boos
+1  A: 

Are these UDP DNS requests going to the name servers your Fedora box is configured to use? Just opening Firefox and going to http://www.google.com will generate a stream of UDP packets as name resolution happens. Run tcpdump port 53 in a terminal window, open Firefox and go to some website, and you'll see what I mean.

mazianni
Run `tcpdump port 53` and pipe the output to a log file; this way you'll see the port of the application which makes the UDP requests. Knowing the port of the application, you can find the application process itself.
Victor Sorokin
You can see the src port, true, but it being UDP there's a good chance the port won't be in use by the time the OP tries to run lsof. It's not a stateful connection. In fact, a quick glance at my tcpdump output shows me four different source ports listed in the course of a second.
mazianni
mazianni, you have understood the point. UDP is stateless, so when I call lsof/netstat the port is no longer in use; as a consequence I can't see the PID of the process.
boos
A: 

Linux Socket Monitor can track changes to network sockets. It should alert you when a new socket is opened.

Paweł
Linux Socket Monitor is only a bash script that calls lsof/netstat. This way it isn't possible to call it exactly when the UDP traffic is generated.
boos
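An added example, not posted by anyone in this thread, of a way around the race that the question and the comments above describe: instead of polling the socket table with lsof/netstat and hoping to catch a UDP socket that lives for milliseconds, have the kernel's audit subsystem record every sendto/sendmsg/connect together with the calling PID and the destination sockaddr, and attribute the traffic after the fact. The only command to run as root on the Fedora box is the audit rule

    auditctl -a always,exit -F arch=b64 -S sendto -S sendmsg -S connect -k udpdns

(auditd shipped with Fedora 12 and works on the 2.6.32 kernel shown; add a second rule with -F arch=b32 if the suspect process might be 32-bit). Each matching call writes a SYSCALL record (pid, comm, exe) and a SOCKADDR record (destination address as a hex blob) to /var/log/audit/audit.log, sharing one `audit(TIMESTAMP:SERIAL)` event id. The Python below joins those pairs and lists the PIDs that sent to port 53; it runs offline on constructed sample records (the process name `noisy`, PIDs and addresses are made up and are not from the original page).

```python
"""Attribute UDP port-53 traffic to PIDs from Linux audit records.

Added example, not from the thread. Load this rule first (as root):
    auditctl -a always,exit -F arch=b64 -S sendto -S sendmsg -S connect -k udpdns
Every matching call yields a SYSCALL record (pid, comm, exe) plus a SOCKADDR
record (destination sockaddr as hex) sharing one "audit(TIMESTAMP:SERIAL)"
event id. The pair is joined here and kept when the destination port is 53,
so short-lived UDP sockets are attributed after the fact rather than caught
in the act with lsof/netstat. A send() on a connected socket produces no
SOCKADDR record, which is why connect is audited too.
"""
import ipaddress
import re
import struct
import sys
from collections import Counter, defaultdict

EVENT_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SYSCALL_NAMES = {'42': 'connect', '44': 'sendto', '46': 'sendmsg'}  # x86_64 numbers

# Constructed sample records (not a real log): pid 1234 "noisy" sends to
# 192.168.1.1:53 and connects to [::1]:53; pid 2222 "ntpd" sends to port 123.
IPV6_LOOPBACK_53 = '0A00' + '0035' + '00000000' + '00' * 15 + '01' + '00000000'  # sockaddr_in6 for [::1]:53
SAMPLE_LOG = f"""\
type=SYSCALL msg=audit(1279000000.101:900): arch=c000003e syscall=44 success=yes exit=33 a0=3 a1=7fff1c2d3e40 a2=21 a3=0 items=0 ppid=1 pid=1234 auid=0 uid=0 gid=0 euid=0 tty=pts0 ses=1 comm="noisy" exe="/usr/local/bin/noisy" key="udpdns"
type=SOCKADDR msg=audit(1279000000.101:900): saddr=02000035C0A801010000000000000000
type=SYSCALL msg=audit(1279000000.250:901): arch=c000003e syscall=44 success=yes exit=48 a0=5 a1=7fff2a3b4c50 a2=30 a3=0 items=0 ppid=1 pid=2222 auid=4294967295 uid=38 gid=38 euid=38 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" key="udpdns"
type=SOCKADDR msg=audit(1279000000.250:901): saddr=0200007BC0A801020000000000000000
type=SYSCALL msg=audit(1279000000.400:902): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7fff1c2d3f00 a2=1c a3=0 items=0 ppid=1 pid=1234 auid=0 uid=0 gid=0 euid=0 tty=pts0 ses=1 comm="noisy" exe="/usr/local/bin/noisy" key="udpdns"
type=SOCKADDR msg=audit(1279000000.400:902): saddr={IPV6_LOOPBACK_53}
"""


def decode_saddr(hexstr):
    """Decode an audit SOCKADDR saddr= hex blob into (family, host, port)."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack('<H', raw[:2])[0]      # sa_family_t is host order (x86: little-endian)
    if family == 2 and len(raw) >= 8:             # AF_INET: sockaddr_in {family, port, addr, pad}
        return family, str(ipaddress.IPv4Address(raw[4:8])), struct.unpack('!H', raw[2:4])[0]
    if family == 10 and len(raw) >= 24:           # AF_INET6: sockaddr_in6 {family, port, flowinfo, addr, scope}
        return family, str(ipaddress.IPv6Address(raw[8:24])), struct.unpack('!H', raw[2:4])[0]
    return family, None, None                     # AF_UNIX, netlink, ...: no IP destination


def parse_events(lines):
    """Group raw audit.log lines by event id -> {record type: {field: value}}."""
    events = defaultdict(dict)
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        events[(float(ts), int(serial))][rtype] = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return events


def dns_senders(lines, port=53):
    """Return one dict per audited syscall whose destination port matches."""
    hits = []
    for (ts, serial), recs in sorted(parse_events(lines).items()):
        sc, sa = recs.get('SYSCALL'), recs.get('SOCKADDR')
        if not sc or not sa or 'saddr' not in sa:
            continue
        family, host, dport = decode_saddr(sa['saddr'])
        if dport != port:
            continue
        hits.append({'time': ts, 'pid': int(sc['pid']), 'comm': sc.get('comm'), 'exe': sc.get('exe'),
                     'syscall': SYSCALL_NAMES.get(sc.get('syscall'), sc.get('syscall')), 'dst': host})
    return hits


def summarize(hits):
    """Count matching calls per (pid, comm, exe): the answer to 'which process?'."""
    return Counter((h['pid'], h['comm'], h['exe']) for h in hits)


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            hits = dns_senders(fh)
    else:
        hits = dns_senders(SAMPLE_LOG.splitlines())
    for (pid, comm, exe), n in summarize(hits).most_common():
        print(f'{n:5d}  pid={pid}  comm={comm}  exe={exe}')


if __name__ == '__main__':
    main(sys.argv)
```

On the live box, run it as `python3 udp53_audit.py /var/log/audit/audit.log` (or feed it the output of `ausearch -k udpdns --raw`) after the traffic has happened; `ausearch -k udpdns -i` shows the same records with the numbers decoded if you just want to eyeball them. Remove the rule with `auditctl -d` plus the same arguments once the culprit is found, since auditing every sendto on a busy host is noisy.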