[Novalug] Finding PID That Is Querying DNS
John Warren
jpwarren00 at gmail.com
Wed Oct 3 20:29:03 EDT 2007
Have you tried using a traffic trap? As in, grab an old machine, get two
ethernet ports working on it, create a level 2 bridge between the ports, run
tshark on the bridge, and plug the Open SuSE 10.1 workstation into the
bridge, and plug the other port on the bridge into the network.
This will give you an almost perfectly clear look at the traffic, even if
the SuSE box has a rootkit installed.
-John
On 10/3/07, Bernie Hoefer <LUG-Member at themoreiknow.info> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Kevin Dwyer wrote:
> ===
> > Ah, in that case the kernel is most likely responsible. netstat run as
> > root will not show a PID for connections made by the kernel. (This is
> > easy to notice when you mount an NFS drive, for instance.)
> >
> > Now, I don't know which module exactly would do this or the best way to
> > track it down, but this should at least narrow your search.
> ===
> Hmmm. That's a good suggestion that the traffic might be coming from
> the kernel, itself. I'll have to research that. Thanks!
>
> - --
> Bernie Hoefer
> PGP e-mail is welcome! Get my 1024 bit signature key from:
> <http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x446A6F93>.
> "The more I know, the more I realize how much I do not understand."
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
>
> iD8DBQFHA8NLckGmqURqb5MRAgdEAJ9nyS16UuZp9eVJsE0mHffmk82W0wCgksWo
> M2qgSUoTat4YGFeU5CCN7Hc=
> =+qkr
> -----END PGP SIGNATURE-----
> _______________________________________________
> Novalug mailing list
> Novalug at calypso.tux.org
> http://calypso.tux.org/cgi-bin/mailman/listinfo/novalug
>
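Kevin's observation above (netstat -p shows no PID for kernel-owned sockets) can be checked by hand on the SuSE box itself, as a complement to John's bridge-and-tshark trap. The script below is an added example, not code from anyone in this thread: it reads the /proc/net/udp table, picks out sockets bound to or connected to port 53, and maps each socket inode to a process by scanning /proc/<pid>/fd the way netstat -p does. A DNS socket with no owning file descriptor is either kernel-side (the NFS client is the classic case) or already closed. The sample table and fd listing are constructed for the offline run; the address decoding assumes a little-endian host (x86), and only IPv4 (/proc/net/udp, not udp6) is handled.

```python
"""Map Linux UDP sockets talking to port 53 to their owning PID via /proc.

Added example for the "which PID is querying DNS" thread; not code from the
thread. Works on any Linux with /proc; run as root to see every process.
"""
import os
import socket
import struct
from typing import Dict, List, Optional, Tuple

DNS_PORT = 53

# Constructed sample of /proc/net/udp (hypothetical data, not a real capture).
# Columns: sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode ...
# st 01 = connected UDP socket (ESTABLISHED), 07 = unconnected (CLOSE).
SAMPLE_UDP_TABLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  42: 0F02000A:C3E1 0102000A:0035 01 00000000:00000000 00:00000000 00000000  1000        0 23456 2 0000000000000000 0
  43: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0  7890 2 0000000000000000 0
  44: 0F02000A:9B2C 0102000A:0035 01 00000000:00000000 00:00000000 00000000     0        0 31337 2 0000000000000000 0
"""

# Constructed stand-in for what scan_proc_fds() would return on that host:
# pid -> readlink targets of /proc/<pid>/fd/*. Inode 31337 has no owner on purpose.
SAMPLE_FD_MAP: Dict[int, List[str]] = {
    1234: ["/dev/null", "socket:[23456]"],   # hypothetical resolver client (e.g. a dig run)
    567: ["socket:[7890]"],                  # hypothetical DHCP client holding port 68
}


def decode_addr(hex_addr: str) -> Tuple[str, int]:
    """Decode '0100007F:0035' -> ('127.0.0.1', 53).

    /proc/net/udp prints the IPv4 address as a host-order 32-bit word and the
    port as big-endian hex; the '<I' pack assumes a little-endian (x86) host.
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_udp_table(text: str) -> List[dict]:
    """Parse the /proc/net/udp text into rows with decoded endpoints and inode."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[0] == "sl":   # skip header / short lines
            continue
        rows.append({
            "local": decode_addr(fields[1]),
            "remote": decode_addr(fields[2]),
            "state": int(fields[3], 16),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return rows


def scan_proc_fds(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Build {pid: [fd link targets]} from a live /proc tree (root sees all)."""
    fd_map: Dict[int, List[str]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            targets = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:            # process exited, or not ours and we are not root
            continue
        fd_map[int(entry)] = targets
    return fd_map


def owner_of_inode(inode: int, fd_map: Dict[int, List[str]]) -> Optional[int]:
    """Return the PID holding socket:[inode], or None if no process has it open."""
    needle = f"socket:[{inode}]"
    for pid, targets in fd_map.items():
        if needle in targets:
            return pid
    return None


def find_dns_sockets(udp_table: str, fd_map: Dict[int, List[str]]) -> List[dict]:
    """Every UDP socket bound to or connected to port 53, annotated with its PID.

    pid is None when no fd references the inode: kernel-owned (as with NFS)
    or a resolver socket that closed between the two /proc reads.
    """
    results = []
    for row in parse_udp_table(udp_table):
        if DNS_PORT not in (row["local"][1], row["remote"][1]):
            continue
        row["pid"] = owner_of_inode(row["inode"], fd_map)
        results.append(row)
    return results


if __name__ == "__main__":
    # Offline demo on the constructed data; on a real box use
    # find_dns_sockets(open("/proc/net/udp").read(), scan_proc_fds()).
    for s in find_dns_sockets(SAMPLE_UDP_TABLE, SAMPLE_FD_MAP):
        who = f"pid {s['pid']}" if s["pid"] is not None else "no owning fd (kernel-side or already closed)"
        print(f"{s['local'][0]}:{s['local'][1]} -> {s['remote'][0]}:{s['remote'][1]}"
              f"  inode {s['inode']}  {who}")
```

A resolver socket lives only for one lookup, so a single /proc snapshot will often miss the culprit; run it in a tight loop, or trigger it from a tshark capture on the bridge John describes, and treat a port-53 socket that repeatedly shows up with no owner as the signal that the queries come from inside the kernel.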