tcpdump option to find process initiate communication - linux

I am using the Linux command line and when I run the following command:
tcpdump -n dst host destsitename
tcpdump -n dst host stackoverflow.com
to see if my server as source talk to this domain, how I can find out which process doing the communication from my server as source.
My question is which option should I use in "tcpdump".

Run netstat -avnp and fetch the <pid> (the last column)
Run ps -ef | fgrep <pid> and see what that <pid> belongs to

If you know the port, you can try:
lsof -i :1234
The benefits of using lsof instead of netstat is that the -p is not supported on Unix/OS X.

Use lsof and grep by site name:
$: lsof -i |grep mapscii.me
$: telnet 16678 zersh 3u IPv4 1789302 0t0 TCP 192.168.21.180:43148->mapscii.me:telnet (ESTABLISHED)
or netstat:
$ netstat anlpt |grep mapscii.me
tcp 0 0 192.168.21.180:43168 mapscii.me:telnet ESTABLISHED

Try use next script:
LOCAL_IP="src_ip"
TARGET_IP="..."
while read x; do
port=$( echo $x | grep "IP ${LOCAL_IP}" | awk '{print $3}' | sed "s/${LOCAL_IP}.//" )
if [ ! -z ${port} ]; then
lsof -Pni :${port}
fi
done <<< "$( tcpdump -nn -c1 host ${TARGET_IP} )"
PS. In my case it only worked in the background. Hung in processes for more than 10 hours looking for the source of the problem:
while read x; do port=$(echo $x | grep "IP ${LOCAL_IP}" | awk '{print $3}' | sed "s/${LOCAL_IP}.//"); if [ ! -z ${port} ]; then lsof -Pni :${port}; fi; done <<< "$( tcpdump -nn -c2 host ${TARGET_IP} )" >> /tmp/result &

On linux you can also use the ss command (which replaces the deprecated netstat command):
$ ss -p dst stackoverflow.com
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp ESTAB 0 0 192.168.2.5:50676 151.101.65.69:https users:(("firefox",pid=4657,fd=251))

Related

netstat process details with the IP address

My netstat command is as below on the Centos machine
#netstat -n | grep 172.18.0.6 | more
tcp 0 0 172.18.0.1:57332 172.18.0.6:8444 FIN_WAIT2
I want to find out which process is running with the IP address 172.18.0.1 . Any way to find out the same
I think you are looking for the netstat -p option.
#netstat -np | grep 172.18.0.6 | more
Should work.
You can use lsof.
If you want to see which service is running in port 57332:
lsof -i TCP:57332
or by IP:
lsof -i |grep 172.18.0.1
You can use
netstat -apn | grep 172.18.0.6 | more
to get also the sockets that are listening.

Netcat [nc] listen grep ip and disconnect

Is there a way to grep the IP address of the inbound connection and disconnect after a timeout?
If I do
nc -vv -l -p <portnum>
it's connected forever.
$nc -h
[v1.10]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [-options] [hostname] [port]
options:
-4 Use IPv4 (default)
-6 Use IPv6
-c shell commands as -e; use /bin/sh to exec [dangerous!!]
-e filename program to exec after connect [dangerous!!]
-A algorithm cast256, mars, saferp, twofish, or rijndael
-k password AES encrypt and ascii armor session
-b allow broadcasts
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-q secs quit after EOF on stdin and delay of secs
-s addr local source address
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').
I'm trying but I get no result.
My netcat is dated. The nc version number is 1.10
EDIT
#VictorLee gives me some alternatives. I made a thing.
Here there's a little server script that listen and logs every new different access.
If someone want to use or modify I put the code below
#!/bin/bash
unset PIDTMP; rm -rf tmplog.log 2>/dev/null
while true; do
if [[ "$PIDTMP" == "" ]]; then
nc -vv -l -p <YOURPORT> > tmplog.log 2>&1 & PIDTMP=$!;
fi
if [[ "$PIDTMP" != "" ]]; then
if [[ -f tmplog.log ]]; then
thisip="$(cat -v tmplog.log 2> /dev/null | tr -d '\0' | grep -aiv "failed" | grep -ioE -m2 "\\[([0-9]{1,3}\.){3}[0-9]{1,3}\\]" | tail -1 | sed 's/^.\(.*\).$/\1/')" 2> /dev/null
#uncomment if u want output to screen
#if [[ "$thisip" != "" ]]; then cat tmplog.log 2> /dev/null; fi;
fi
if [[ "$thisip" != "" ]]; then
kill $PIDTMP 2>/dev/null
wait $PIDTMP 2>/dev/null; unset PIDTMP;
if [[ "$(grep -rnw log.log -e "$thisip" 2> /dev/null)" == "" ]]; then
echo "$thisip" >> log.log
fi
unset thisip
fi
fi
sleep 2
done
Try this:
nc -vv -l -p <portnum> >>/tmp/nc.log 2>&1 & sleep <timeout>;kill -9 $!
If you want to get the only connection ip, could run this grep -oP "(?<=Connection from \[)[\w\.]*(?=])" /tmp/nc.log, the one line is:
nc -vv -l -p <portnum> >>/tmp/nc.log 2>&1 & sleep <timeout>;kill -9 $!;grep -oP "(?<=Connection from \[)[\w\.]*(?=])" /tmp/nc.log
First collect the nc log to nc.log and force kill the nc progress until the time out, then get the connection ip by grep.

To which port is a process attached in Linux

I want to know which port is my Jonas, on which a Java project has been deployed, is attached to in a Linux server. I have the pid of the Jonas and tried netstat -lnp but I found no port attached to that PID.
Any idea of how to do this.
Open a terminal application i.e. shell prompt.
Run any one of the following command:
sudo lsof -i -P -n | grep LISTEN
sudo netstat -tulpn | grep LISTEN
sudo nmap -sTU -O IP-address-Here
lsof command
The syntax is:
$ sudo lsof -i -P -n
$ sudo lsof -i -P -n | grep LISTEN
$ doas lsof -i -P -n | grep LISTEN ### [OpenBSD] ###
There are many ways to do, I prefer this
sudo netstat -pan |grep pid
Also, you can use
sudo lsof -Pan -p pid -i
pid should be actual "pid" number that you have

Killing a PID which is using a port

I am using below code to kill a process which is using a port number
port = sudo lsof -n -i4TCP:3030 | grep LISTEN | awk '{print $2;}'
if [ ! -z "$port" -a "$port" != " " ]; then
sudo kill "$port"
fi
But it is saying port: command not found. What is causing the issue and how can I fix it.
As it stands,
port = sudo lsof -n -i4TCP:3030 | grep LISTEN | awk '{print $2;}'
attempts to run a command port with parameters = sudo lsof -n -i4TCP:3030 and pipe its output through grep LISTEN and then awk '{print $2;}'.
Use
port=$(sudo lsof -n -i4TCP:3030 | grep LISTEN | awk '{print $2;}')
There's no reason to roll this yourself: fuser on Linux will do it for you in a single command, and much more efficiently:
sudo fuser -n tcp -k 3030
With just one line!
sudo kill `sudo lsof -t -i:3030`

BASH - how can i make the log file accessable via TCP port when-ever requires?

How can i have a logs on TCP port available, so that it can be remotely tested by someone else ? for example:
MAINSERVER> tail -f /etc/httpd/logs/access_log | grep -e fruit_Python -e fruit_BASH -e fruit_C | .... TCP 9999 ... make this available ....??
NOW, from my Laptop remotely i want to do this temporary:
MYLAPTOP> tail -f http://MAINSERVER:9999 | grep -e grab_BASH
Any idea please?
You can use netcat (nc) to do this:
Server side (listen for connection):
tail -f /foo/bar |nc -l -k -p 9999
-l listen
-k listen for another connection after current completed
Client side (connecting):
nc MAINSERVER 9999 | grep whatever_you_like
You can use bash as well to connect to /dev/tcp/host/port but sometimes it's not suported (compiled in to Bash) for security reasons.
Client:
grep whatever_you_like < /dev/tcp/MAINSERVER/9999

Resources