Solved

How to check which processes keep accessing the internet?

Posted on 2000-02-13
10
256 Views
Last Modified: 2013-12-23
Anybody knows how to check if any of the processes in my system (HP-UX 10.20) keeps accessing the internet? Because recently I found from the Cisco router that my system has unusual traffic through the internet. I can just deny this system from accessing the internet, but I want to know why and at what time which processes will access the internet. How can I do that?
0
Question by:kslzzg
10 Comments
 
LVL 2

Expert Comment

by:den_tsopa
ID: 2518321
You may use the lsof (list of open files) utility. It shows what processes currently have established TCP connections (and with which hosts) or listening UDP sockets.
You may get it from ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/.
0
 
LVL 3

Accepted Solution

by:
klover earned 100 total points
ID: 2525961
Run a

date >> /tmp/netaccess ; netstat -a >> /tmp/netaccess

in the crontab every 10 minutes.  This appends a time stamp to the netaccess file followed by a listing of the current TCP and UDP connections on the Unix host every 10 minutes.

Read and delete the netaccess file daily.  Check the file for foreign addresses.  By analyzing the ports on the foreign and local host entries you will know what's going on.

For example:

Proto  Local Address          Foreign Address
TCP    192.168.0.2:80         209.63.224.177:3110
TCP    192.168.0.2:1738       192.168.0.1:23

Entry one tells me that a host out on the Internet (209.63.224.177) is connected to my host at port 80. Port 80 is the standard for WWW.

Entry two tells me that the Unix host is connected to another Unix host via telnet (port 23).

Using this method along with the list of known ports listed in /etc/services you can tell who connects to your server, when they are connected, and what they are doing.
0
 
LVL 3

Expert Comment

by:klover
ID: 2526056
date >> /tmp/netaccess ; netstat -a | grep -v localhost >> /tmp/netaccess

Use this in cron instead. It weeds out the stuff you don't need (the localhost entries) before appending it to the netaccess file....

0

 

Author Comment

by:kslzzg
ID: 2526123
I have done an experiment. I just ran ping to the DNS provided by the local ISP, and I also ran netstat, but could not find any foreign IP address associated with the internet. That means I cannot find the IP address for that DNS.
0
 
LVL 3

Expert Comment

by:klover
ID: 2526338
Sorry, I don't understand your experiment or what it means...
0
 

Author Comment

by:kslzzg
ID: 2529687
Let me explain what experiment I have done. Firstly I run a process which just pings to the internet, then I run the commands that you recommend to monitor the system to see if I can find this process. Definitely the "ping" process will trigger an ISDN connection to the internet, so why can't I find anything from "netstat -a" regarding the internet connection?
0
 
LVL 3

Expert Comment

by:klover
ID: 2529772
Ping does not generate a session; it is just a diagnostic tool. Your server is not sporadically pinging the Internet. Any time your server wants to do something "real" like download mail or browse the Internet, a session is created which can be detected and logged using the method described above. For diagnostic purposes you can shorten the time to every 30 seconds, but don't let it run too long because the log will fill up your hard disk.

You know what... I'll bet your Unix box is trying to act as a router. If it is running RIP it will kick your router up occasionally to broadcast its route table!!! I had this problem at a customer site.

I'm not exactly sure how to tell you to disable RIP on HP-UX. Poke around in your network configuration... Maybe see if it is running as a process...

ps -ef|grep rip

More later if I find anything...
0
 
LVL 3

Expert Comment

by:klover
ID: 2529793
Just remembered, I had to shut down the route daemon.

ps -ef|grep routed

This will tell you if the route daemon is running on your system.
0
 
LVL 3

Expert Comment

by:klover
ID: 2529828
(gated also uses RIP.)  ps -ef|grep gated

The well-known port on which the routed daemon waits for routing information packets is UDP socket 520.

do a

netstat -a -n | grep 520

to see if you are running a RIP router on your Unix box.  If you are, RIP is most likely generating that traffic.
0
 

Author Comment

by:kslzzg
ID: 2530035
No, I still got nothing from "ps -ef|grep gated" and "netstat -a -n | grep 520". I believe it has something to do with a performance monitoring demo software from teamquest.com which I just installed last Friday. Before last Friday, there was no such traffic. But I still don't know why and how; I am still investigating it.

More later if I find anything...
0