
We have an application that sends some data over the TCP/IP network. We don't know which process that would be, but we want to target it. All we know is the following nftables log:

kernel: * OUTPUT * IN= OUT=bond0 SRC=192.168.0.135 DST=104.81.106.31 LEN=60 
TOS=0x00 PREC=0x00 TTL=64 ID=39568 DF PROTO=TCP SPT=56784 DPT=443 SEQ=3504435004
ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT 
(020405B40402080A03AC71A60000000001030309) UID=1000 GID=1000

The process also exits after it sends the packet, which happens really fast. How can we find out the PID/name/path of the process?
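As an added example (not from the question or its comments), the Python below parses a netfilter LOG line like the one above into its fields, decodes the raw TCP options behind OPT, and builds the (UID, protocol, src:port, dst:port) key you would match against the audit or process-accounting record that answers the question. The sample line is the one quoted above with its wrapped lines rejoined; the function names are mine.

```python
import re

# The nftables LOG line from the question, rejoined onto one line.
SAMPLE = ("kernel: * OUTPUT * IN= OUT=bond0 SRC=192.168.0.135 DST=104.81.106.31 LEN=60 "
          "TOS=0x00 PREC=0x00 TTL=64 ID=39568 DF PROTO=TCP SPT=56784 DPT=443 SEQ=3504435004 "
          "ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A03AC71A60000000001030309) "
          "UID=1000 GID=1000")


def parse_nft_log(line):
    """Split a netfilter LOG line into the rule prefix, key=value fields and bare flags."""
    head, sep, rest = line.partition("IN=")          # everything before IN= is syslog + prefix
    rec = {"prefix": head.replace("kernel:", "").strip()}
    rest = sep + rest
    # OPT is the one field printed as 'OPT (hex)' rather than 'OPT=hex'; lift it out first.
    opt = re.search(r"OPT \(([0-9A-Fa-f]*)\)", rest)
    if opt:
        rec["OPT"] = opt.group(1)
        rest = rest[:opt.start()] + rest[opt.end():]
    flags = []
    for tok in rest.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val                           # 'IN=' yields an empty string, as in the log
        elif tok.isalpha() and tok.isupper():
            flags.append(tok)                        # DF, SYN, ACK, FIN ... printed without '='
    rec["flags"] = flags
    return rec


def decode_tcp_options(hexstr):
    """Decode the raw TCP options bytes that LOG prints after OPT (RFC 793/1323/2018 kinds)."""
    raw = bytes.fromhex(hexstr)
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                # End of option list
            break
        if kind == 1:                                # NOP is a single byte
            out.append("NOP"); i += 1; continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:      # truncated or malformed length: stop, don't loop
            out.append("MALFORMED"); break
        length = raw[i + 1]
        data = raw[i + 2:i + length]
        if kind == 2:   out.append(f"MSS={int.from_bytes(data, 'big')}")
        elif kind == 3: out.append(f"WSCALE={data[0]}")
        elif kind == 4: out.append("SACK_PERM")
        elif kind == 8: out.append(f"TS={int.from_bytes(data[:4], 'big')}/{int.from_bytes(data[4:], 'big')}")
        else:           out.append(f"OPT{kind}")
        i += length
    return out


def socket_key(rec):
    """Correlation key: the fields an audit 'connect' record or ss/lastcomm output can be matched on."""
    return (int(rec["UID"]), rec["PROTO"], rec["SRC"], int(rec["SPT"]), rec["DST"], int(rec["DPT"]))
```

`decode_tcp_options` on the quoted line yields MSS=1460, SACK permitted, a timestamp option, a NOP and window scale 9, which is the kind of client fingerprint that, together with the UID and source port, narrows the candidate processes before you ever reach the PID.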

  • A TCP request from an unprivileged user to an Akamitech server. A web browser maybe? How do you know the process exits? – Kusalananda Feb 06 '19 at 09:49
  • No, it was `wget` , but in this case I knew what it was, but let's pretend we don't know that, and we want to find out what application that can be, so if in the future some app would get logged by `nftables`, we would know how to target it. – Mikhail Morfikov Feb 06 '19 at 09:52
  • You have the UID in the log. With process accounting turned on it may be possible to correlate the accounting data with the log. I wouldn't know how to do that in an automated fashion though as I don't know what Unix you are on. – Kusalananda Feb 06 '19 at 09:55
  • I'm using Debian – Mikhail Morfikov Feb 06 '19 at 09:58
  • I have edited the question to say that the process does send (not wants to send). There is no way to find a process that is just dreaming of doing something. – ctrl-alt-delor Feb 06 '19 at 10:17
  • But it does send the packet from time to time, and I know when the packet is being sent because it gets logged (the time of the event is known). – Mikhail Morfikov Feb 06 '19 at 10:25
  • You could monitor processes via the proc connector interface of Linux, and try to time-correlate with the iptables log. There's `forkstat` in Debian which is kind of a (quite unsatisfactory) sample program using the proc connector. –  Feb 06 '19 at 10:36
  • Actually, `forkstat` can do the job, so can `lastcomm --debug $USER` , I think this will be sufficient for my needs. I leave the question open, maybe someone knows some better/automated way to do this. – Mikhail Morfikov Feb 06 '19 at 10:50
  • Using auditd: [Using Auditd to Monitor Network Connections - LinkedIn](https://www.linkedin.com/pulse/using-auditd-monitor-network-connections-alex-maestretti) (on SF:) [Finding short-lived TCP connections owner process](https://serverfault.com/a/352275/217515). Using NFQUEUE + (usual) /proc: [Leopard Flower firewall](https://github.com/themighty1/lpfw) – A.B Feb 06 '19 at 20:02
  • I think the `auditd` option is the best one. – Mikhail Morfikov Feb 07 '19 at 17:55
