[Novalug] Finding PID That Is Querying DNS

Bernie Hoefer LUG-Member at TheMoreIKnow.info
Wed Oct 3 10:10:23 EDT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

gregory pryzby wrote:
===
> The last number (.2003 and .53) are the ports
> 
> 2003 cfinger
> 53   domain (name-domain service)
> /etc/services
===
     Thanks, I understand that the port numbers for the destination
machine have meaning.  (Seeing UDP traffic going to the name server on
its port 53 was one way I knew it was DNS traffic.)  But for many
applications on the source machine, the sending port is just some random
port above 1024.
     So, I don't put much trust in just looking at the sending port and
assuming that's the process doing the DNS querying.  I've since rebooted
the machine, and now the queries are coming from port 1025.  (Besides,
port 2003 isn't listed in OpenSuse 10.1's /etc/services.)

     I'm guessing these queries are coming from the multicast DNS daemon
(mdnsd) since one of its functions is caching name queries.  I'd like to
know what command(s) I can use to prove that to myself, though, by
outputting the PID of the process opening these connections.
     Thanks!

- --
Bernie Hoefer
PGP e-mail is welcome!  Get my 1024 bit signature key from:
<http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x446A6F93>.
"The more I know, the more I realize how much I do not understand."

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFHA6LOckGmqURqb5MRAq82AKCX8b6p/ORxzpnPjXFOG5qVUMQ0BACfYJf3
wZ+XFrJr2QA+4zp4GFgkpg4=
=LzrD
-----END PGP SIGNATURE-----
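
One way to tie an observed source port back to a process on Linux, given here as an added example that is not part of the original message: look the port up in /proc/net/udp to get the socket inode, then find which process holds that inode in /proc/<pid>/fd. The function names are hypothetical, the default port 1025 is the source port mentioned in the message, and the script assumes it runs as root so it can read other users' fd directories.

```python
import os

def udp_inodes_for_port(port, proc_root="/proc"):
    """Return the socket inodes of UDP sockets bound to local `port`."""
    inodes = set()
    for table in ("net/udp", "net/udp6"):
        try:
            with open(os.path.join(proc_root, table)) as fh:
                next(fh, None)  # skip the header row
                for line in fh:
                    fields = line.split()
                    if len(fields) < 10:
                        continue
                    # local_address is HEXADDR:HEXPORT; resolver sockets are
                    # usually unconnected, so match the local port only
                    if int(fields[1].rsplit(":", 1)[1], 16) == port:
                        inodes.add(fields[9])  # tenth column is the inode
        except FileNotFoundError:
            continue  # e.g. no IPv6 table on this host
    return inodes

def pids_for_udp_port(port, proc_root="/proc"):
    """Map a local UDP port to {pid: command name} of the socket owners."""
    targets = {"socket:[%s]" % i for i in udp_inodes_for_port(port, proc_root)}
    owners = {}
    if not targets:
        return owners
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:  # process exited, or insufficient privilege
            continue
        if targets.intersection(links):
            try:
                with open(os.path.join(proc_root, entry, "comm")) as fh:
                    owners[int(entry)] = fh.read().strip()
            except OSError:
                owners[int(entry)] = "?"
    return owners

if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 1025
    for pid, name in sorted(pids_for_udp_port(port).items()):
        print(pid, name)
```

A socket that is opened and closed for each query may be gone before the lookup runs, so an empty result for a short-lived sender does not rule that process out.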

