[Novalug] Finding PID That Is Querying DNS
Ben Creitz
creitz at gmail.com
Wed Oct 3 10:51:28 EDT 2007
On 10/3/07, Bernie Hoefer <LUG-Member at themoreiknow.info> wrote:
> gregory pryzby wrote:
> ===
> > The last number (.2003 and .53) are the ports
> >
> > 2003 cfinger
> > 53 domain (name-domain service)
> > /etc/services
> ===
> Thanks, I understand that the port numbers for the destination
> machine have meaning. (Seeing UDP traffic going to the name server on
> its port 53 was one way I knew it was DNS traffic.) But for many
> applications on the source machine, the sending port is just some random
> port above 1024.
> So, I don't put much trust in just looking at the sending port and
> assuming that's the process doing the DNS querying. I've since rebooted
> the machine, and now the queries are coming from port 1025. (Besides,
> port 2003 isn't listed in OpenSuse 10.1's /etc/services.)
>
> I'm guessing these queries are coming from the multicast DNS daemon
> (mdnsd) since one of its functions is caching name queries. I'd like to
> know what command(s) I can use to prove that to myself, though, by
> outputting the PID of the process opening these connections.
How about checking your theory the other way around by looking at what
sockets mdnsd is opening?
lsof -p $(pidof mdnsd) -a -i
Ben
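
The question above can also be answered starting from the source port seen in the capture and working back to the process. This is an added example, not part of the original thread: it looks the port up in /proc/net/udp to get the socket inode, then finds which /proc/PID/fd entry points at that inode. The function names and the optional path arguments are this example's own.

```shell
#!/bin/sh
# Added example: map a UDP source port to the owning PID(s) via /proc.
# Function names and the optional path arguments are this example's own.

# Print the socket inode(s) bound to local UDP port $1.
# $2 = table in /proc/net/udp format (default: the live table).
udp_port_to_inodes() {
    hex=$(printf '%04X' "$1")
    awk -v want="$hex" 'NR > 1 {
        n = split($2, a, ":")          # local_address is HEXIP:HEXPORT
        if (toupper(a[n]) == want && $10 != 0) print $10
    }' "${2:-/proc/net/udp}"
}

# Print "PID COMMAND" for each process holding socket inode $1.
# $2 = proc root (default /proc). Needs root to see other users' fds.
inode_to_pids() {
    root=${2:-/proc}
    for fd in "$root"/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#"$root"/}; pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(cat "$root/$pid/comm" 2>/dev/null)"
    done | sort -u
}

# Combine both steps: who owns UDP source port $1?
# $2 and $3 are passed through as the table and the proc root.
udp_port_owner() {
    for inode in $(udp_port_to_inodes "$1" "$2"); do
        inode_to_pids "$inode" "$3"
    done
}
```

After sourcing the file, run `udp_port_owner 1025` as root while the socket is still open. IPv6 sockets are listed in /proc/net/udp6, which has the same columns and can be passed as the second argument.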