[oclug] Curiosity / learning question?

Ian! D. Allen idallen at idallen.ca
Sat Jan 13 13:41:00 EST 2007


On Sat, Jan 13, 2007 at 09:08:08AM -0500, William Case wrote:
> What tools would I use to trace what is causing this activity?

Here's the command-line approach.

When you notice odd activity on network card eth0 (you need to pick
the right card name, perhaps by running "ifconfig" or "/sbin/ifconfig"
to see what cards you have):

    $ su
    # tcpdump -n -i eth0
    OR (easier to read)
    # tcpdump -n -i eth0 -l | fmt -t

You will see things like this:

    13:23:22.444139 IP 74.104.97.39.60438 > 192.168.9.250.80:
       S 3815849013:3815849013(0) win 5840 <mss 1460,sackOK,timestamp
       648765429 0,nop,wscale 2>
    13:23:22.444292 IP 192.168.9.250.80 > 74.104.97.39.60438:
       S 4027680607:4027680607(0) ack 3815849014 win 5792 <mss
       1460,sackOK,timestamp 726238469 648765429,nop,wscale 2>

tcpdump joins IP addresses to port numbers with periods; so, what the
above really means is host 74.104.97.39 on port 60438 sent a packet to
192.168.9.250 on port 80.  IP 192.168.9.250 is my machine.  Port 80 is
HTTP (WWW).  The next line shows the reply from my machine port 80 to the
remote machine port 60438.  You can look up port numbers in /etc/services.

The volume of packets might tell you what's going on with your network.

If you see a lot of packets that you know aren't interesting, you can
exclude them by host name or by port number from the tcpdump output.
For example, to exclude all traffic on port 22 (ssh) and involving host
216.58.97.21 (my DNS):

    # tcpdump -n -i eth0 -l not port 22 and not host 216.58.97.21 | fmt -t

If you want to track local IP addresses and their ports back to the
process IDs and programs that have them open run (as root):

    # netstat -natp | grep ESTABLISHED

Remove the grep pipe if you also want to see ports that are LISTENing.

-- 
| Ian! D. Allen  -  idallen at idallen.ca  -  Ottawa, Ontario, Canada
| Home Page: http://www.idallen.com/ - Contact Improv: http://contactimprov.ca/
| College professor (Open Source / Linux) via: http://teaching.idallen.com/
| Support the public commons and public digital rights:  http://eff.org/
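The message says tcpdump joins an address to its port with a period, that you can drop uninteresting traffic with "not port 22 and not host X", and that the packet volume per host is itself a clue. As an added example (not part of the original post), here is a small Python parser that turns tcpdump -n -l lines into (host, port) endpoints by splitting on the last period, applies the same kind of port/host exclusion after the fact, and counts packets per host. The sample output is constructed here, modelled on the two lines quoted in the message plus made-up DNS, ssh and ARP lines; the function names are the example's own.

```python
"""Parse tcpdump -n output into endpoints, filter it, and count volume.

Added example: the sample text below is constructed, modelled on the
unwrapped 'tcpdump -n -i eth0 -l' output quoted in the message (that is,
without the 'fmt -t' pipe, which wraps long lines).
"""
from collections import Counter

SAMPLE_OUTPUT = """\
13:23:22.444139 IP 74.104.97.39.60438 > 192.168.9.250.80: S 3815849013:3815849013(0) win 5840 <mss 1460,sackOK,timestamp 648765429 0,nop,wscale 2>
13:23:22.444292 IP 192.168.9.250.80 > 74.104.97.39.60438: S 4027680607:4027680607(0) ack 3815849014 win 5792 <mss 1460,sackOK,timestamp 726238469 648765429,nop,wscale 2>
13:23:23.000100 IP 192.168.9.250.53522 > 216.58.97.21.53: 12345+ A? example.net. (29)
13:23:23.100200 IP 10.0.0.7.41222 > 192.168.9.250.22: P 1:53(52) ack 1 win 1000
13:23:23.200300 arp who-has 192.168.9.1 tell 192.168.9.250
"""


def split_endpoint(endpoint):
    """'74.104.97.39.60438' -> ('74.104.97.39', 60438).

    tcpdump -n joins the address and the port with a period, so the port
    is everything after the LAST period.  The same split also works for
    IPv6 endpoints such as '2001:db8::1.80'.
    """
    host, sep, port = endpoint.rpartition(".")
    if not sep or not port.isdigit():
        raise ValueError("not an address.port endpoint: %r" % endpoint)
    return host, int(port)


def parse_line(line):
    """Return a dict for one 'IP src > dst: ...' line, or None otherwise.

    Non-IP lines (arp, continuation lines from fmt) and IP lines without a
    port (e.g. ICMP) are skipped rather than misparsed.
    """
    parts = line.split(None, 4)
    if len(parts) < 5 or parts[1] not in ("IP", "IP6") or parts[3] != ">":
        return None
    ts, src, tail = parts[0], parts[2], parts[4]
    dst, _, rest = tail.partition(": ")
    dst = dst.rstrip(":")
    try:
        src_host, src_port = split_endpoint(src)
        dst_host, dst_port = split_endpoint(dst)
    except ValueError:
        return None
    return {"ts": ts, "src_host": src_host, "src_port": src_port,
            "dst_host": dst_host, "dst_port": dst_port, "info": rest}


def parse_output(text):
    """Parse every line of captured tcpdump text, dropping unparsable ones."""
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def exclude(packets, ports=(), hosts=()):
    """Drop packets that touch any of the ports or hosts, in either direction.

    This mirrors 'not port 22 and not host X' applied after the fact.  Doing
    it inside tcpdump, as the message does, is still preferable: the kernel
    filter then never hands those packets to tcpdump at all.
    """
    ports, hosts = set(ports), set(hosts)
    return [p for p in packets
            if p["src_port"] not in ports and p["dst_port"] not in ports
            and p["src_host"] not in hosts and p["dst_host"] not in hosts]


def packets_per_host(packets):
    """Count packets each host took part in, as source or destination."""
    counts = Counter()
    for p in packets:
        counts[p["src_host"]] += 1
        counts[p["dst_host"]] += 1
    return counts


if __name__ == "__main__":
    pkts = parse_output(SAMPLE_OUTPUT)
    kept = exclude(pkts, ports={22}, hosts={"216.58.97.21"})
    for p in kept:
        print("%s %s:%d -> %s:%d  %s" % (p["ts"], p["src_host"], p["src_port"],
                                        p["dst_host"], p["dst_port"], p["info"]))
    for host, n in packets_per_host(kept).most_common():
        print("%5d packets  %s" % (n, host))
```

Feed it real output with `tcpdump -n -i eth0 -l > capture.txt` and `parse_output(open("capture.txt").read())`; the host counts give a quick read of which remote machine is generating the volume before you go to `netstat -natp` to find the process behind the local port.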

