[Novalug] Finding PID That Is Querying DNS
Ben Creitz
creitz at gmail.com
Wed Oct 3 12:17:32 EDT 2007
On 10/3/07, Bernie Hoefer <LUG-Member at themoreiknow.info> wrote:
>
> Hello. I'm wondering how I might find which process is performing
> hostname lookups from my OpenSuSE 10.1 workstation.
> I noticed that my workstation is, about every 15 seconds, querying
> hostnames. I shut down all the programs (browser, OpenOffice, etc.) I
> was using. I then only had some Konsole windows open, yet DNS queries
> are still coming from my workstation. Here is a TCP dump:
>
> ===
> > workstation:~ # tcpdump -n dst host 192.168.1.1 port 53
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> > 23:07:31.749288 IP 192.168.1.2.2003 > 192.168.1.1.53: 14714+ AAAA? tags.expo9.exponential.com. (44)
> > 23:07:31.768688 IP 192.168.1.2.2003 > 192.168.1.1.53: 14714+ AAAA? tags.expo9.exponential.com. (44)
> > 23:07:31.785868 IP 192.168.1.2.2003 > 192.168.1.1.53: 46759+ A? tags.expo9.exponential.com. (44)
> > 23:07:31.804787 IP 192.168.1.2.2003 > 192.168.1.1.53: 46759+ A? tags.expo9.exponential.com. (44)
> > 23:07:31.824754 IP 192.168.1.2.2003 > 192.168.1.1.53: 56575+ AAAA? view.atdmt.com. (32)
> > 23:07:31.841642 IP 192.168.1.2.2003 > 192.168.1.1.53: 56575+ AAAA? view.atdmt.com. (32)
> > 23:07:31.860692 IP 192.168.1.2.2003 > 192.168.1.1.53: 4054+ A? view.atdmt.com. (32)
> > 23:07:31.878834 IP 192.168.1.2.2003 > 192.168.1.1.53: 4054+ A? view.atdmt.com. (32)
> > 23:07:31.899762 IP 192.168.1.2.2003 > 192.168.1.1.53: 13455+ AAAA? a.tribalfusion.com. (36)
> > 23:07:31.922340 IP 192.168.1.2.2003 > 192.168.1.1.53: 13455+ AAAA? a.tribalfusion.com. (36)
> > 23:07:31.942765 IP 192.168.1.2.2003 > 192.168.1.1.53: 38090+ A? a.tribalfusion.com. (36)
> > 23:07:31.967625 IP 192.168.1.2.2003 > 192.168.1.1.53: 38090+ A? a.tribalfusion.com. (36)
> > 23:07:31.987984 IP 192.168.1.2.2003 > 192.168.1.1.53: 24+ AAAA? farm1.static.flickr.com. (41)
> > 23:07:32.011748 IP 192.168.1.2.2003 > 192.168.1.1.53: 24+ AAAA? farm1.static.flickr.com. (41)
> > 23:07:32.031846 IP 192.168.1.2.2003 > 192.168.1.1.53: 35889+ A? farm1.static.flickr.com. (41)
> > 23:07:32.052770 IP 192.168.1.2.2003 > 192.168.1.1.53: 35889+ A? farm1.static.flickr.com. (41)
> > 23:07:32.073345 IP 192.168.1.2.2003 > 192.168.1.1.53: 43132+ AAAA? a.rad.live.com. (32)
> > 23:07:32.092727 IP 192.168.1.2.2003 > 192.168.1.1.53: 43132+ AAAA? a.rad.live.com. (32)
> > 23:07:32.112605 IP 192.168.1.2.2003 > 192.168.1.1.53: 8399+ A? a.rad.live.com. (32)
> > 23:07:32.134714 IP 192.168.1.2.2003 > 192.168.1.1.53: 8399+ A? a.rad.live.com. (32)
> > 23:07:32.154698 IP 192.168.1.2.2003 > 192.168.1.1.53: 35674+ AAAA? login.passport.net. (36)
> > 23:07:32.176756 IP 192.168.1.2.2003 > 192.168.1.1.53: 35674+ AAAA? login.passport.net. (36)
> > 23:07:32.196773 IP 192.168.1.2.2003 > 192.168.1.1.53: 32425+ A? login.passport.net. (36)
> > 23:07:32.216748 IP 192.168.1.2.2003 > 192.168.1.1.53: 32425+ A? login.passport.net. (36)
> > 23:07:32.237558 IP 192.168.1.2.2003 > 192.168.1.1.53: 32523+ AAAA? ad.interclick.com. (35)
> > 23:07:32.256743 IP 192.168.1.2.2003 > 192.168.1.1.53: 32523+ AAAA? ad.interclick.com. (35)
> > 23:07:32.276732 IP 192.168.1.2.2003 > 192.168.1.1.53: 17288+ A? ad.interclick.com. (35)
> > 23:07:32.299140 IP 192.168.1.2.2003 > 192.168.1.1.53: 17288+ A? ad.interclick.com. (35)
> > 23:07:32.318846 IP 192.168.1.2.2003 > 192.168.1.1.53: 43277+ AAAA? h.msn.com. (27)
> > 23:07:32.349845 IP 192.168.1.2.2003 > 192.168.1.1.53: 43277+ AAAA? h.msn.com. (27)
> > 23:07:32.378196 IP 192.168.1.2.2003 > 192.168.1.1.53: 16315+ A? h.msn.com. (27)
> > 23:07:32.396733 IP 192.168.1.2.2003 > 192.168.1.1.53: 16315+ A? h.msn.com. (27)
> > 23:07:32.416739 IP 192.168.1.2.2003 > 192.168.1.1.53: 55758+ AAAA? h.live.com. (28)
> > 23:07:32.436716 IP 192.168.1.2.2003 > 192.168.1.1.53: 55758+ AAAA? h.live.com. (28)
> > 23:07:32.456765 IP 192.168.1.2.2003 > 192.168.1.1.53: 35730+ A? h.live.com. (28)
> > 23:07:32.476708 IP 192.168.1.2.2003 > 192.168.1.1.53: 35730+ A? h.live.com. (28)
> > 23:07:32.496768 IP 192.168.1.2.2003 > 192.168.1.1.53: 20489+ AAAA? rad.live.com. (30)
> > 23:07:32.516714 IP 192.168.1.2.2003 > 192.168.1.1.53: 20489+ AAAA? rad.live.com. (30)
> > 23:07:32.536039 IP 192.168.1.2.2003 > 192.168.1.1.53: 30467+ A? rad.live.com. (30)
> > 23:07:32.558950 IP 192.168.1.2.2003 > 192.168.1.1.53: 30467+ A? rad.live.com. (30)
> > 23:07:32.579745 IP 192.168.1.2.2003 > 192.168.1.1.53: 62087+ AAAA? ad.yieldmanager.com. (37)
> > 23:07:32.603030 IP 192.168.1.2.2003 > 192.168.1.1.53: 62087+ AAAA? ad.yieldmanager.com. (37)
> > 23:07:32.622473 IP 192.168.1.2.2003 > 192.168.1.1.53: 23660+ A? ad.yieldmanager.com. (37)
> > 23:07:32.644724 IP 192.168.1.2.2003 > 192.168.1.1.53: 23660+ A? ad.yieldmanager.com. (37)
> > 23:07:32.664610 IP 192.168.1.2.2003 > 192.168.1.1.53: 11533+ AAAA? www.sphere.com. (32)
> > 23:07:32.687092 IP 192.168.1.2.2003 > 192.168.1.1.53: 11533+ AAAA? www.sphere.com. (32)
> > 23:07:32.706451 IP 192.168.1.2.2003 > 192.168.1.1.53: 24941+ A? www.sphere.com. (32)
> > 23:07:32.731240 IP 192.168.1.2.2003 > 192.168.1.1.53: 24941+ A? www.sphere.com. (32)
> > 23:07:32.750181 IP 192.168.1.2.2003 > 192.168.1.1.53: 53596+ AAAA? b.rad.live.com. (32)
> > 23:07:32.771247 IP 192.168.1.2.2003 > 192.168.1.1.53: 53596+ AAAA? b.rad.live.com. (32)
> > 23:07:32.789780 IP 192.168.1.2.2003 > 192.168.1.1.53: 63005+ A? b.rad.live.com. (32)
> > 23:07:32.811612 IP 192.168.1.2.2003 > 192.168.1.1.53: 63005+ A? b.rad.live.com. (32)
> > 23:07:32.831475 IP 192.168.1.2.2003 > 192.168.1.1.53: 28455+ AAAA? api.maps.yahoo.com. (36)
> > 23:07:32.852738 IP 192.168.1.2.2003 > 192.168.1.1.53: 28455+ AAAA? api.maps.yahoo.com. (36)
> > 23:07:32.872216 IP 192.168.1.2.2003 > 192.168.1.1.53: 14490+ A? api.maps.yahoo.com. (36)
> > 23:07:32.892742 IP 192.168.1.2.2003 > 192.168.1.1.53: 14490+ A? api.maps.yahoo.com. (36)
> >
> > 84 packets captured
> > 168 packets received by filter
> > 0 packets dropped by kernel
> ===
>
> For connections that are established and active, I'd normally use
> netstat to see the process ID (PID). However, that didn't work. It
> shows the connection, but doesn't list the PID.
>
> ===
> > workstation:~ # netstat -npcuve
> > Active Internet connections (w/o servers)
> > Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
> > udp 0 0 192.168.1.2:2038 192.168.1.1:53 ESTABLISHED 0 1993246 -
> ===
Is it true that we don't know from the tcpdump output whether those
DNS messages are TCP or UDP, and that it is possible that DNS queries
could be either?
I realize that we still have the mystery of the UDP netstat example
you showed us *not* showing the PID, but maybe we'd see more if you
generalized the netstat call to include TCP, too.
Ben
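A way to do the port-to-PID mapping that netstat left blank, as an added example that is not part of the original thread: it turns the local UDP port seen in tcpdump into a socket inode via /proc/net/udp, then scans /proc/<pid>/fd for that inode. The function names are my own; it assumes Linux, a POSIX sh, and root (to read other users' fd links).

```shell
#!/bin/sh
# Map a local UDP port (e.g. the 2003 or 2038 seen in the thread) to the owning PID.
# Added example, not from the original post. Works from /proc only, no netstat needed.

# Print the socket inode(s) bound to local UDP port $1.
# $2 = path to a /proc/net/udp-style table (default /proc/net/udp).
# In that table field 2 is "HEXADDR:HEXPORT" and field 10 is the inode.
udp_inode_for_port() {
  port_hex=$(printf '%04X' "$1")
  awk -v p="$port_hex" 'NR > 1 { split($2, a, ":"); if (a[2] == p) print $10 }' \
    "${2:-/proc/net/udp}"
}

# Print the PID(s) that hold socket inode $1 open.
# $2 = proc root (default /proc); each /proc/<pid>/fd/<n> is a symlink "socket:[inode]".
pids_for_inode() {
  root=${2:-/proc}
  for fd in "$root"/[0-9]*/fd/*; do
    target=$(readlink "$fd" 2>/dev/null) || continue
    if [ "$target" = "socket:[$1]" ]; then
      pid=${fd#"$root"/}
      echo "${pid%%/*}"
    fi
  done | sort -u
}

# Convenience wrapper: port -> inode(s) -> PID(s).
# $1 = port, $2 = udp table (optional), $3 = proc root (optional).
pid_for_udp_port() {
  for ino in $(udp_inode_for_port "$1" "${2:-/proc/net/udp}"); do
    pids_for_inode "$ino" "${3:-/proc}"
  done
}

# Usage: ./find_dns_pid.sh <local-udp-port>
# The stub resolver opens a fresh UDP socket per lookup and closes it as soon as the
# answer arrives, which is why a single netstat snapshot often shows "-": poll in a
# loop (or watch /proc/net/udp for any socket with remote port 0035) to catch it.
if [ $# -gt 0 ]; then
  for p in $(pid_for_udp_port "$1"); do
    printf '%s\t%s\n' "$p" "$(tr '\0' ' ' < "/proc/$p/cmdline")"
  done
fi
```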