kslzzg

How to check which processes keep accessing the internet?

Does anybody know how to check if any of the processes in my system (HP-UX 10.20) keeps accessing the internet? Because recently I found from the Cisco router that my system has unusual traffic through the internet. I can just deny this system from accessing the internet, but I want to know why and at what time which processes will access the internet. How can I do that?
den_tsopa

You may use the lsof (list of open files) utility. It shows which processes currently have established TCP connections (and with which hosts) or listening UDP sockets.
You may get it from ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/.
ASKER CERTIFIED SOLUTION
klover

date >> /tmp/netaccess ; netstat -a|grep localhost >> /tmp/netaccess

Use this in cron instead.  It weeds out the stuff you don't need before appending it to the netaccess file....

kslzzg

ASKER

I have done an experiment. I just ran ping to the DNS provided by the local ISP and I also ran netstat, but I cannot find any foreign IP address associated with the internet. That means I cannot find the IP address for that DNS.
Sorry, I don't understand your experiment or what it means...
kslzzg

ASKER

Let me explain what experiment I have done. First I ran a process which just pings the internet, then I ran the commands that you recommended to monitor the system to see if I could find this process. Definitely the "ping" process will trigger an ISDN connection to the internet; why can't I find anything from "netstat -a" regarding the internet connection?
Ping does not generate a session, it is just a diagnostic tool.  Your server is not sporadically pinging the Internet.  Any time your server wants to do something "real" like download mail or browse the Internet a session is created which can be detected and logged using the method described above.  For diagnostic purposes you can shorten the time to every 30 seconds, but don't let it run too long because the log will fill up your hard disk.

You know what...  I'll bet your Unix box is trying to act as a router.  If it is running RIP it will kick your router up occasionally to broadcast its route table!!!  I had this problem at a customer site.

I'm not exactly sure how to tell you to disable RIP on HP-UX.  Poke around in your network configuration...  Maybe see if it is running as a process...

ps -ef|grep rip

More later if I find anything...
Just remembered, I had to shut down the route daemon.

ps -ef|grep routed

This will tell you if the route daemon is running on your system.
(gated also uses RIP)  ps -ef|grep gated

The well known port for the Routed daemon to wait for routing information packets is UDP socket 520.

Do a

netstat -a -n | grep 520

to see if you are running a RIP router on your Unix box.  If you are, RIP is most likely generating that traffic.
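
An added example (not part of the original thread) that turns the two netstat checks discussed above into a filter: it lists established TCP peers outside the local network for timestamped logging from cron, and tests for a socket bound to exactly UDP port 520, which a plain `grep 520` cannot tell apart from port 1520. The sample output is constructed; the `address.port` column layout, the `192.168.1.` local prefix and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed.
# Assumed layout: BSD-style "address.port" columns from `netstat -an`.
sample_netstat() {
cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.23                   *.*                    LISTEN
tcp        0      0  192.168.1.5.23         192.168.1.20.1045      ESTABLISHED
tcp        0      0  192.168.1.5.1520       203.0.113.7.80         ESTABLISHED
tcp        0      0  127.0.0.1.1031         127.0.0.1.6000         ESTABLISHED
udp        0      0  *.520                  *.*
udp        0      0  *.1520                 *.*
EOF
}

# Print "host port" for established TCP peers outside the local prefix $1.
external_peers() {
    awk -v net="$1" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            port = $5; sub(/^.*[.:]/, "", port)       # text after last . or :
            host = $5; sub(/[.:][^.:]*$/, "", host)   # text before it
            if (host ~ /^127\./ || index(host, net) == 1) next
            print host, port
        }'
}

# Succeed only if a UDP socket is bound to exactly port 520 (RIP).
# A plain "grep 520" would also match port 1520 in the sample.
rip_listener() {
    awk '$1 ~ /^udp/ { p = $4; sub(/^.*[.:]/, "", p); if (p == "520") found = 1 }
         END { exit !found }'
}

# Timestamp each external peer; on a live host, from cron:
#   netstat -an | log_snapshot 192.168.1. >> /tmp/netaccess
log_snapshot() {
    external_peers "$1" | while read -r host port; do
        echo "$(date '+%Y-%m-%d %H:%M:%S') external peer $host port $port"
    done
}

sample_netstat | log_snapshot 192.168.1.
if sample_netstat | rip_listener; then
    echo "UDP 520 is bound: a RIP daemon (routed or gated) is listening"
fi
```
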
kslzzg

ASKER

No, I still got nothing from "ps -ef|grep gated" and "netstat -a -n | grep 520". I believe it has something to do with a performance monitoring demo software from teamquest.com which I installed last Friday. Before last Friday, there was no such traffic. But I still don't know why and how; I am still investigating it.

More later if I find anything...