Solved

Tool to know which process do a network flow

Posted on 2006-06-15
9
471 Views
Last Modified: 2013-12-16

Hello,

Every minute I have a connexion from a high port to a port 1522 comming out of a HPUX server. It tries to connect on a oracle server on port 1522 with flag syn. This packet is rejected from a firewall.

I know everything about the network connection but I don't know what process do this connexion.
lsof show only the established connections.

I was wondering if there's a tool or command that would log if a process tries to make a remote connection on port 1522. Like tcpdump but with some system informations.

If this doesn't exist, I'll give the point to the person who would successfully  assist me to find the solution, but it might be complicated as there are a lot of processes running on this machine.
0
Comment
Question by:mikygee
  • 3
  • 2
  • 2
  • +2
9 Comments
 
LVL 6

Accepted Solution

by:
JJSmith earned 105 total points
ID: 16929487

If the firewall is blocking then lsof has nothing to show on the oracle server.

The HP server is where you should see the process making the call.

Some admins have changed oracle default ports from 1521/26 to 1522/27 ( keeping them close to avoid clashes with other services).

I would suggest that the HP box has changes to make a call on this port number. If it is ORACLE then you may find the port number listed in a tnsnames.ora file somewhere on the HP server.

If admins had set it up that way then that means you have a 1522 service sat behind a firewall that no-one can connect to.

It may be worth going behind the firewall and and use lsof to see what process may be listening on 1522 (a netstat -a would do).

Cheers
JJ



 
0
 
LVL 2

Author Comment

by:mikygee
ID: 16929652
No, let's forget about the firewall. The firewall logs showed me that there was a problem with this server.
There are two listeners on the oracle database, on ports 1521 and 1522.
The misconfiguration is that the HP server with oracle has many interfaces. The packet goes like that:
HP_Oracle(iface lan1) -> LAN -> FW -> HP_Oracle(iface lan0) // yes machine source and destination is the same

My question was not about the server side but about the client side.
I want to locate which process tries to send a packet with a destination port 1522. With netstat -an it doesn't show the process names.
0
 
LVL 61

Expert Comment

by:gheist
ID: 16968507
There is no problem. Your firewall blocks adequate traffic.
Get rid of it and forget worries.
0
 
LVL 2

Author Comment

by:mikygee
ID: 16969373
No, no, no. What I'm saying is that the HP_Oracle server is trying to make a connection on the wrong address.
The firewall do its job with blocking this flow.
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 61

Expert Comment

by:gheist
ID: 16976871
Your firewall may do a fake accept of connection, so you can lsof or fstat/netstat on suspect system.
Thats a race against time, but will work with small effort.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 17026182
on some Unix you can use
  netstat -pan
not sure if HP-UX can do also, if not then use lsof
0
 
LVL 6

Expert Comment

by:JJSmith
ID: 17046706

Sorry - been away on holiday.

Can we clarify?

1. Do you have a single HP server?

2. This server has 2 NIC's configured(lan0 & lan1)?

3. This server has 2 oracle listeners running on ports 1521 and 1522?

4. Is the call to port 1522 originating from within the same HP server? i.e. going out lan0 towards lan1 (stopped by FW)

Cheers
JJ

0
 
LVL 39

Assisted Solution

by:noci
noci earned 20 total points
ID: 17321541
lsof -i:1522

should list your processes that use this port.
0
 
LVL 2

Author Comment

by:mikygee
ID: 17324657
I have no access to this server anymore, that's why I havn't replyed.
I guess it was a misconfiguration in a .ora file that pointed to the wrong server's name. This server had two different names. The DBA told me there was a kind of keepalive that Oracle uses to see if the listener is still running. I think that was the process I was looking for.
Thanx guys for your time.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Introduction Regular patching is part of a system administrator's tasks. However, many patches require that the system be in single-user mode before they can be installed. A cluster patch in particular can take quite a while to apply if the machine…
Every server (virtual or physical) needs a console: and the console can be provided through hardware directly connected, software for remote connections, local connections, through a KVM, etc. This document explains the different types of consol…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now