What is the best way to tell if traffic is reaching a socket?
netstat -i is convenient for checking counters in/out of an interface, but how to tell if that traffic is reaching a socket?
Thanks
You can use netstat to check the count of ESTABLISHED connections to the port number that the socket is using to listen. Alternatively, tcpdump can show you packets flowing in and out of that port.
Related
netstat lists all the connections (incoming and outgoing)
How do I filter out just the incoming connections?
I have tried the netstat command, but it lists all the connections and I need only the incoming connections.
Once sockets are created, there isn't really such a thing as inbound and outbound, as connections go both ways. What you really care about are connections you started, vs connections others started. To do that, you have to monitor for new connections, and log them as they are created.
tcpdump is a great tool for this. There are tons of guides on the internet, but a command to get you started would be tcpdump -Qin ....
With netstat you may identify the state of the socket, but in many cases there are no states in raw mode and usually no states used in UDP and UDPLite. You may try to display the listening state for incoming connections by running netstat with the following argument:
netstat --listening
However, as far as I understood from your question it is better to use the tcpdump tool as mentioned in other comments.
Hello, 👋
I was wondering how services (like mysql, apache, mongoDB) are bound to a port on the server/local machine. How does this work?
I'm guessing that when the service starts, it tries to connect to the port and if possible, the service is "paused" until the OS receives a request against the selected port. Is there any documentation out there explaining how this works?
Thank you!
May I help you?
This is a list of TCP and UDP port numbers used by protocols for operation of network applications.
The Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) only need one port for duplex, bidirectional traffic. They usually use port numbers that match the services of the corresponding TCP or UDP implementation, if they exist.
I would like to write a daemon that is available on a large number of AF_INET-SOCK_STREAM and AF_INET-SOCK_DGRAM sockets for network debugging purposes.
To avoid excessive resource usage I want to avoid opening a large number of ports on the application layer but try to multiplex the connections per socket type on lower layers.
Knowledge of the original incoming port on the application layer is a requirement.
I have successfully implemented a daemon that listens on an AF_INET SOCK_STREAM socket that is multiplexed by an iptables REDIRECT rule. The original incoming port of the connection can be retrieved by calling getsockopt with SO_ORIGINAL_DST. As I understand this does not work with AF_INET SOCK_DGRAM.
I have also successfully implemented a daemon that listens on an AF_INET SOCK_DGRAM socket that is multiplexed by an iptables TPROXY rule. The original incoming port of the connection can be retrieved by using recvmsg() and consuming the available ancillary message containing information about the connection before multiplexing. As I understand this does not work with AF_INET SOCK_STREAM.
Is there a transport-layer-agnostic way of multiplexing such socket connections and retrieving information about the original incoming port? Possibly even suitable for protocols like SCTP or DCCP?
With TCP you have a connection. The target port for this connection is the same for all packets inside this connection. In this case each connected socket (the result of accept) is equal to a single connection and the incoming port is a property of this socket. It does not matter in this case if the listening socket will accept connections on multiple ports; all that matters is the connected socket.
With UDP you don't have a connection. Instead the same socket is used to receive packets from multiple clients and in your case to multiple incoming ports. Source and destination IP and port are thus a property of each packet and not of the socket.
That's why you need different interfaces to retrieve the original incoming port: a socket-based one for TCP and a packet-based one for UDP.
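The per-socket versus per-packet split described in this answer, as an added example (not code from the original posts). Both paths decode the same `struct sockaddr_in`; the numeric option values are taken from the Linux headers because Python's `socket` module does not export them, and the helper names are hypothetical.

```python
import socket
import struct

SO_ORIGINAL_DST = 80      # <linux/netfilter_ipv4.h>; not exported by Python
IP_RECVORIGDSTADDR = 20   # <linux/in.h>; cmsg type IP_ORIGDSTADDR has the same value

def decode_sockaddr_in(raw):
    """struct sockaddr_in -> (ip, port); both fields are in network byte order."""
    port, addr = struct.unpack_from("!H4s", raw, 2)   # skip the 2-byte sin_family
    return socket.inet_ntoa(addr), port

def tcp_original_dst(conn):
    """TCP: one lookup per accepted socket, answered by conntrack (REDIRECT rule)."""
    return decode_sockaddr_in(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))

def dst_from_ancdata(ancdata):
    """UDP: pick the original destination out of one datagram's ancillary data."""
    for level, ctype, data in ancdata:
        if level == socket.SOL_IP and ctype == IP_RECVORIGDSTADDR:
            return decode_sockaddr_in(data)
    return None

def udp_recv_with_dst(sock, bufsize=65535):
    """UDP: one lookup per datagram; sock must have IP_RECVORIGDSTADDR enabled."""
    data, ancdata, _flags, peer = sock.recvmsg(bufsize, socket.CMSG_SPACE(16))
    return data, peer, dst_from_ancdata(ancdata)

def loopback_demo():
    """No iptables rule involved: the cmsg then reports the port the datagram was sent to."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.setsockopt(socket.SOL_IP, IP_RECVORIGDSTADDR, 1)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(2.0)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx.sendto(b"probe", rx.getsockname())
    _data, _peer, dst = udp_recv_with_dst(rx)
    bound = rx.getsockname()
    rx.close()
    tx.close()
    return bound, dst

if __name__ == "__main__":
    print(loopback_demo())
```

`tcp_original_dst()` only succeeds on a connection that conntrack has tracked through a NAT rule such as REDIRECT; a TPROXY UDP listener additionally needs `IP_TRANSPARENT` set on the socket.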
How to open a raw socket for sending from a specific TCP port? I want to have all my connections always go from a range of ports below ephemerals.
If you are using raw sockets, then just fill in the correct TCP source port in the packet header.
If, instead, you are using the TCP socket interface (socket(), connect() and friends), then you can set the source port by calling the bind() system call for the client socket - exactly as you would to set the listening port for the server socket.
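The bind()-before-connect() approach from this answer, extended to a port range, as an added example (not code from the original posts). `connect_from_range`, `loopback_demo` and the range 20000-20049 are assumptions chosen for illustration.

```python
import errno
import socket

def connect_from_range(dest, ports, timeout=3.0):
    """Connect to dest from the first usable source port in ports (hypothetical helper)."""
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Lets a port still in TIME_WAIT be bound again; connect() below may then
        # fail with EADDRNOTAVAIL if the exact 4-tuple is still in use.
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.settimeout(timeout)
        try:
            s.bind(("", port))      # same call a server uses for its listening port
            s.connect(dest)
            return s
        except OSError as exc:
            s.close()
            if exc.errno not in (errno.EADDRINUSE, errno.EADDRNOTAVAIL):
                raise               # refused, timed out, EACCES for ports < 1024, ...
    raise OSError(errno.EADDRINUSE, "no usable source port in the given range")

def loopback_demo(ports=range(20000, 20050)):
    """Two connections to a local listener; returns the source ports the server saw."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(3.0)
    seen, open_socks = [], []
    for _ in range(2):
        open_socks.append(connect_from_range(srv.getsockname(), ports))
        conn, peer = srv.accept()
        open_socks.append(conn)     # keep both ends open so the first port stays busy
        seen.append(peer[1])
    for sock in open_socks:
        sock.close()
    srv.close()
    return seen

if __name__ == "__main__":
    print(loopback_demo())
```

The second connection lands on a different port because the first 4-tuple is still in use, which is the collision case a fixed source-port range has to handle.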
Making a tcp connection using raw sockets is somewhere between difficult and impossible; you'd need to implement the entire tcp protocol in your program AND also stop the kernel from sending its own replies to the packets (if the kernel has IP bound on that address on that interface).
This is probably not what you want. However, if you did want it, it is trivial to send tcp frames with any source port you want, as you get to specify it in the tcp header, which of course, if you're implementing your own TCP layer, you'll need to understand.
My machine is continuously making UDP DNS traffic requests. What I need to know is the PID of the process generating this traffic.
The normal way with a TCP connection is to use netstat/lsof and get the process associated with the PID.
In UDP the connection is stateless, so, when I call netstat/lsof I can see it only if the UDP socket is opened and it's sending traffic.
I have tried with lsof -i UDP and with netstat -anpue but I am not able to find which process is doing that request because I need to call lsof/netstat exactly when the UDP traffic is sent; if I call lsof/netstat before/after the UDP datagram is sent it is impossible to view the opened UDP socket.
Calling netstat/lsof exactly when 3/4 UDP packets are sent is IMPOSSIBLE.
How can I identify the infamous process?
I have already inspected the traffic to try to identify the sent PID from the content of the packet, but it is not possible to identify it from the content of the traffic.
Can anyone help me?
I'm root on this machine FEDORA 12 Linux noise.company.lan 2.6.32.16-141.fc12.x86_64 #1 SMP Wed Jul 7 04:49:59 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux
EDIT:
I have asked the same question on superuser platform.
More related place to this kind of question OF COURSE!
Click here, You can find the right answer in the right place
netstat -anp |grep -i udp
The process is at the last column
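The same socket-to-process lookup that netstat -anp performs, done in a tight polling loop so that short-lived sockets are caught, as an added example (not code from the original posts). It relies on the sender having connect()ed its UDP socket, as glibc's stub resolver does; function names and the sample table are constructed for illustration.

```python
import glob, os, re, time

# Constructed sample in /proc/net/udp layout (not taken from a real host).
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  10: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 11111 2 0000000000000000 0
  11: 0A00000F:C350 0A000001:0035 01 00000000:00000000 00:00000000 00000000   500        0 22222 2 0000000000000000 0
"""

def parse_table(text):
    """Parse /proc/net/udp (or tcp) text; ports are hex, inode is column 10."""
    rows = []
    for line in text.splitlines()[1:]:            # skip the header line
        f = line.split()
        if len(f) >= 10:
            rows.append({"lport": int(f[1].rsplit(":", 1)[1], 16),
                         "rport": int(f[2].rsplit(":", 1)[1], 16),
                         "uid": int(f[7]), "inode": f[9]})
    return rows

def inode_owners(proc="/proc"):
    """Map socket inode -> PIDs holding it, from the /proc/<pid>/fd symlinks."""
    owners = {}
    for fd in glob.glob(os.path.join(proc, "[0-9]*", "fd", "*")):
        try:
            m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(fd))
        except OSError:
            continue                              # process or fd vanished mid-scan
        if m:
            pid = int(fd.split(os.sep)[-3])
            owners.setdefault(m.group(1), set()).add(pid)
    return owners

def watch(rport=53, seconds=10.0, interval=0.005, proc="/proc"):
    """Poll the UDP table so short-lived sockets are caught; returns {pid: hits}."""
    hits, end = {}, time.monotonic() + seconds
    while time.monotonic() < end:
        with open(os.path.join(proc, "net", "udp")) as fh:
            rows = [r for r in parse_table(fh.read()) if r["rport"] == rport]
        if rows:
            owners = inode_owners(proc)
            for r in rows:
                for pid in owners.get(r["inode"], ()):
                    hits[pid] = hits.get(pid, 0) + 1
        time.sleep(interval)
    return hits

if __name__ == "__main__":
    print(watch())                                # run as root to see every process's fds
```

Sockets that send with sendto() and never connect() show a remote port of 0 in this table and will not match; IPv6 sockets are listed in /proc/net/udp6, which has the same columns.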
Are these UDP DNS requests going to the name servers your Fedora box is configured to use? Just opening Firefox and going to http://www.google.com will generate a stream of UDP packets as name resolution happens. Run tcpdump port 53 in a terminal window, open Firefox and go to some website, you'll see what I mean.
Linux Socket Monitor can track changes to network sockets. It should alert you when a new socket is opened.