Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Tool to know which process do a network flow

Posted on 2006-06-15
Medium Priority
Last Modified: 2013-12-16


Every minute I have a connexion from a high port to a port 1522 comming out of a HPUX server. It tries to connect on a oracle server on port 1522 with flag syn. This packet is rejected from a firewall.

I know everything about the network connection but I don't know what process do this connexion.
lsof show only the established connections.

I was wondering if there's a tool or command that would log if a process tries to make a remote connection on port 1522. Like tcpdump but with some system informations.

If this doesn't exist, I'll give the point to the person who would successfully  assist me to find the solution, but it might be complicated as there are a lot of processes running on this machine.
Question by:mikygee
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +2

Accepted Solution

JJSmith earned 315 total points
ID: 16929487

If the firewall is blocking then lsof has nothing to show on the oracle server.

The HP server is where you should see the process making the call.

Some admins have changed oracle default ports from 1521/26 to 1522/27 ( keeping them close to avoid clashes with other services).

I would suggest that the HP box has changes to make a call on this port number. If it is ORACLE then you may find the port number listed in a tnsnames.ora file somewhere on the HP server.

If admins had set it up that way then that means you have a 1522 service sat behind a firewall that no-one can connect to.

It may be worth going behind the firewall and and use lsof to see what process may be listening on 1522 (a netstat -a would do).



Author Comment

ID: 16929652
No, let's forget about the firewall. The firewall logs showed me that there was a problem with this server.
There are two listeners on the oracle database, on ports 1521 and 1522.
The misconfiguration is that the HP server with oracle has many interfaces. The packet goes like that:
HP_Oracle(iface lan1) -> LAN -> FW -> HP_Oracle(iface lan0) // yes machine source and destination is the same

My question was not about the server side but about the client side.
I want to locate which process tries to send a packet with a destination port 1522. With netstat -an it doesn't show the process names.
LVL 62

Expert Comment

ID: 16968507
There is no problem. Your firewall blocks adequate traffic.
Get rid of it and forget worries.
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 16969373
No, no, no. What I'm saying is that the HP_Oracle server is trying to make a connection on the wrong address.
The firewall do its job with blocking this flow.
LVL 62

Expert Comment

ID: 16976871
Your firewall may do a fake accept of connection, so you can lsof or fstat/netstat on suspect system.
Thats a race against time, but will work with small effort.
LVL 51

Expert Comment

ID: 17026182
on some Unix you can use
  netstat -pan
not sure if HP-UX can do also, if not then use lsof

Expert Comment

ID: 17046706

Sorry - been away on holiday.

Can we clarify?

1. Do you have a single HP server?

2. This server has 2 NIC's configured(lan0 & lan1)?

3. This server has 2 oracle listeners running on ports 1521 and 1522?

4. Is the call to port 1522 originating from within the same HP server? i.e. going out lan0 towards lan1 (stopped by FW)


LVL 40

Assisted Solution

noci earned 60 total points
ID: 17321541
lsof -i:1522

should list your processes that use this port.

Author Comment

ID: 17324657
I have no access to this server anymore, that's why I havn't replyed.
I guess it was a misconfiguration in a .ora file that pointed to the wrong server's name. This server had two different names. The DBA told me there was a kind of keepalive that Oracle uses to see if the listener is still running. I think that was the process I was looking for.
Thanx guys for your time.

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

My previous tech tip, Installing the Solaris OS From the Flash Archive On a Tape (http://www.experts-exchange.com/articles/OS/Unix/Solaris/Installing-the-Solaris-OS-From-the-Flash-Archive-on-a-Tape.html), discussed installing the Solaris Operating S…
I have been running these systems for a few years now and I am just very happy with them.   I just wanted to share the manual that I have created for upgrades and other things.  Oooh yes! FreeBSD makes me happy (as a server), no maintenance and I al…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question