Tool to know which process do a network flow

Posted on 2006-06-15
Last Modified: 2013-12-16


Every minute I have a connexion from a high port to a port 1522 comming out of a HPUX server. It tries to connect on a oracle server on port 1522 with flag syn. This packet is rejected from a firewall.

I know everything about the network connection but I don't know what process do this connexion.
lsof show only the established connections.

I was wondering if there's a tool or command that would log if a process tries to make a remote connection on port 1522. Like tcpdump but with some system informations.

If this doesn't exist, I'll give the point to the person who would successfully  assist me to find the solution, but it might be complicated as there are a lot of processes running on this machine.
Question by:mikygee
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +2

Accepted Solution

JJSmith earned 105 total points
ID: 16929487

If the firewall is blocking then lsof has nothing to show on the oracle server.

The HP server is where you should see the process making the call.

Some admins have changed oracle default ports from 1521/26 to 1522/27 ( keeping them close to avoid clashes with other services).

I would suggest that the HP box has changes to make a call on this port number. If it is ORACLE then you may find the port number listed in a tnsnames.ora file somewhere on the HP server.

If admins had set it up that way then that means you have a 1522 service sat behind a firewall that no-one can connect to.

It may be worth going behind the firewall and and use lsof to see what process may be listening on 1522 (a netstat -a would do).



Author Comment

ID: 16929652
No, let's forget about the firewall. The firewall logs showed me that there was a problem with this server.
There are two listeners on the oracle database, on ports 1521 and 1522.
The misconfiguration is that the HP server with oracle has many interfaces. The packet goes like that:
HP_Oracle(iface lan1) -> LAN -> FW -> HP_Oracle(iface lan0) // yes machine source and destination is the same

My question was not about the server side but about the client side.
I want to locate which process tries to send a packet with a destination port 1522. With netstat -an it doesn't show the process names.
LVL 62

Expert Comment

ID: 16968507
There is no problem. Your firewall blocks adequate traffic.
Get rid of it and forget worries.
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users


Author Comment

ID: 16969373
No, no, no. What I'm saying is that the HP_Oracle server is trying to make a connection on the wrong address.
The firewall do its job with blocking this flow.
LVL 62

Expert Comment

ID: 16976871
Your firewall may do a fake accept of connection, so you can lsof or fstat/netstat on suspect system.
Thats a race against time, but will work with small effort.
LVL 51

Expert Comment

ID: 17026182
on some Unix you can use
  netstat -pan
not sure if HP-UX can do also, if not then use lsof

Expert Comment

ID: 17046706

Sorry - been away on holiday.

Can we clarify?

1. Do you have a single HP server?

2. This server has 2 NIC's configured(lan0 & lan1)?

3. This server has 2 oracle listeners running on ports 1521 and 1522?

4. Is the call to port 1522 originating from within the same HP server? i.e. going out lan0 towards lan1 (stopped by FW)


LVL 40

Assisted Solution

noci earned 20 total points
ID: 17321541
lsof -i:1522

should list your processes that use this port.

Author Comment

ID: 17324657
I have no access to this server anymore, that's why I havn't replyed.
I guess it was a misconfiguration in a .ora file that pointed to the wrong server's name. This server had two different names. The DBA told me there was a kind of keepalive that Oracle uses to see if the listener is still running. I think that was the process I was looking for.
Thanx guys for your time.

Featured Post

What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you do backups in the Solaris Operating System, the file system must be inactive. Otherwise, the output may be inconsistent. A file system is inactive when it's unmounted or it's write-locked by the operating system. Although the fssnap utility…
FreeBSD on EC2 FreeBSD ( is a robust Unix-like operating system that has been around for many years. FreeBSD is available on Amazon EC2 through Amazon Machine Images (AMIs) provided by FreeBSD developer and security office…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question