• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 486
  • Last Modified:

Tool to know which process do a network flow


Hello,

Every minute I have a connexion from a high port to a port 1522 comming out of a HPUX server. It tries to connect on a oracle server on port 1522 with flag syn. This packet is rejected from a firewall.

I know everything about the network connection but I don't know what process do this connexion.
lsof show only the established connections.

I was wondering if there's a tool or command that would log if a process tries to make a remote connection on port 1522. Like tcpdump but with some system informations.

If this doesn't exist, I'll give the point to the person who would successfully  assist me to find the solution, but it might be complicated as there are a lot of processes running on this machine.
0
mikygee
Asked:
mikygee
  • 3
  • 2
  • 2
  • +2
2 Solutions
 
JJSmithCommented:

If the firewall is blocking then lsof has nothing to show on the oracle server.

The HP server is where you should see the process making the call.

Some admins have changed oracle default ports from 1521/26 to 1522/27 ( keeping them close to avoid clashes with other services).

I would suggest that the HP box has changes to make a call on this port number. If it is ORACLE then you may find the port number listed in a tnsnames.ora file somewhere on the HP server.

If admins had set it up that way then that means you have a 1522 service sat behind a firewall that no-one can connect to.

It may be worth going behind the firewall and and use lsof to see what process may be listening on 1522 (a netstat -a would do).

Cheers
JJ



 
0
 
mikygeeAuthor Commented:
No, let's forget about the firewall. The firewall logs showed me that there was a problem with this server.
There are two listeners on the oracle database, on ports 1521 and 1522.
The misconfiguration is that the HP server with oracle has many interfaces. The packet goes like that:
HP_Oracle(iface lan1) -> LAN -> FW -> HP_Oracle(iface lan0) // yes machine source and destination is the same

My question was not about the server side but about the client side.
I want to locate which process tries to send a packet with a destination port 1522. With netstat -an it doesn't show the process names.
0
 
gheistCommented:
There is no problem. Your firewall blocks adequate traffic.
Get rid of it and forget worries.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
mikygeeAuthor Commented:
No, no, no. What I'm saying is that the HP_Oracle server is trying to make a connection on the wrong address.
The firewall do its job with blocking this flow.
0
 
gheistCommented:
Your firewall may do a fake accept of connection, so you can lsof or fstat/netstat on suspect system.
Thats a race against time, but will work with small effort.
0
 
ahoffmannCommented:
on some Unix you can use
  netstat -pan
not sure if HP-UX can do also, if not then use lsof
0
 
JJSmithCommented:

Sorry - been away on holiday.

Can we clarify?

1. Do you have a single HP server?

2. This server has 2 NIC's configured(lan0 & lan1)?

3. This server has 2 oracle listeners running on ports 1521 and 1522?

4. Is the call to port 1522 originating from within the same HP server? i.e. going out lan0 towards lan1 (stopped by FW)

Cheers
JJ

0
 
nociSoftware EngineerCommented:
lsof -i:1522

should list your processes that use this port.
0
 
mikygeeAuthor Commented:
I have no access to this server anymore, that's why I havn't replyed.
I guess it was a misconfiguration in a .ora file that pointed to the wrong server's name. This server had two different names. The DBA told me there was a kind of keepalive that Oracle uses to see if the listener is still running. I think that was the process I was looking for.
Thanx guys for your time.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 3
  • 2
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now