Tool to know which process do a network flow

Posted on 2006-06-15
Last Modified: 2013-12-16


Every minute I have a connexion from a high port to a port 1522 comming out of a HPUX server. It tries to connect on a oracle server on port 1522 with flag syn. This packet is rejected from a firewall.

I know everything about the network connection but I don't know what process do this connexion.
lsof show only the established connections.

I was wondering if there's a tool or command that would log if a process tries to make a remote connection on port 1522. Like tcpdump but with some system informations.

If this doesn't exist, I'll give the point to the person who would successfully  assist me to find the solution, but it might be complicated as there are a lot of processes running on this machine.
Question by:mikygee
  • 3
  • 2
  • 2
  • +2

Accepted Solution

JJSmith earned 105 total points
ID: 16929487

If the firewall is blocking then lsof has nothing to show on the oracle server.

The HP server is where you should see the process making the call.

Some admins have changed oracle default ports from 1521/26 to 1522/27 ( keeping them close to avoid clashes with other services).

I would suggest that the HP box has changes to make a call on this port number. If it is ORACLE then you may find the port number listed in a tnsnames.ora file somewhere on the HP server.

If admins had set it up that way then that means you have a 1522 service sat behind a firewall that no-one can connect to.

It may be worth going behind the firewall and and use lsof to see what process may be listening on 1522 (a netstat -a would do).



Author Comment

ID: 16929652
No, let's forget about the firewall. The firewall logs showed me that there was a problem with this server.
There are two listeners on the oracle database, on ports 1521 and 1522.
The misconfiguration is that the HP server with oracle has many interfaces. The packet goes like that:
HP_Oracle(iface lan1) -> LAN -> FW -> HP_Oracle(iface lan0) // yes machine source and destination is the same

My question was not about the server side but about the client side.
I want to locate which process tries to send a packet with a destination port 1522. With netstat -an it doesn't show the process names.
LVL 62

Expert Comment

ID: 16968507
There is no problem. Your firewall blocks adequate traffic.
Get rid of it and forget worries.
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud


Author Comment

ID: 16969373
No, no, no. What I'm saying is that the HP_Oracle server is trying to make a connection on the wrong address.
The firewall do its job with blocking this flow.
LVL 62

Expert Comment

ID: 16976871
Your firewall may do a fake accept of connection, so you can lsof or fstat/netstat on suspect system.
Thats a race against time, but will work with small effort.
LVL 51

Expert Comment

ID: 17026182
on some Unix you can use
  netstat -pan
not sure if HP-UX can do also, if not then use lsof

Expert Comment

ID: 17046706

Sorry - been away on holiday.

Can we clarify?

1. Do you have a single HP server?

2. This server has 2 NIC's configured(lan0 & lan1)?

3. This server has 2 oracle listeners running on ports 1521 and 1522?

4. Is the call to port 1522 originating from within the same HP server? i.e. going out lan0 towards lan1 (stopped by FW)


LVL 40

Assisted Solution

noci earned 20 total points
ID: 17321541
lsof -i:1522

should list your processes that use this port.

Author Comment

ID: 17324657
I have no access to this server anymore, that's why I havn't replyed.
I guess it was a misconfiguration in a .ora file that pointed to the wrong server's name. This server had two different names. The DBA told me there was a kind of keepalive that Oracle uses to see if the listener is still running. I think that was the process I was looking for.
Thanx guys for your time.

Featured Post

ScreenConnect 6.0 Free Trial

Explore all the enhancements in one game-changing release, ScreenConnect 6.0, based on partner feedback. New features include a redesigned UI, app configurations and chat acknowledgement to improve customer engagement!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

My previous tech tip, Installing the Solaris OS From the Flash Archive On a Tape (, discussed installing the Solaris Operating S…
Why Shell Scripting? Shell scripting is a powerful method of accessing UNIX systems and it is very flexible. Shell scripts are required when we want to execute a sequence of commands in Unix flavored operating systems. “Shell” is the command line i…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question