From owner-freebsd-isp@FreeBSD.ORG  Thu May 22 04:22:40 2003
Return-Path: <owner-freebsd-isp@FreeBSD.ORG>
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E2DE337B401
	for <freebsd-isp@freebsd.org>; Thu, 22 May 2003 04:22:40 -0700 (PDT)
Received: from mail.munk.nu (213-152-51-194.dsl.eclipse.net.uk
	[213.152.51.194])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 53E8D43F75
	for <freebsd-isp@freebsd.org>; Thu, 22 May 2003 04:22:40 -0700 (PDT)
	(envelope-from munk@mail.munk.nu)
Received: from munk by mail.munk.nu with local (Exim 4.20)
	id 19Io9f-0005tI-AP
	for freebsd-isp@freebsd.org; Thu, 22 May 2003 12:22:39 +0100
Date: Thu, 22 May 2003 12:22:39 +0100
From: Jez Hancock <jez.hancock@munk.nu>
To: FreeBSD ISP List <freebsd-isp@freebsd.org>
Message-ID: <20030522112239.GB22219@users.munk.nu>
Mail-Followup-To: FreeBSD ISP List <freebsd-isp@freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
Sender: User Munk <munk@mail.munk.nu>
Subject: Determining what process/uid is attempting a network connection
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Internet Services Providers <freebsd-isp.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-isp>,
	<mailto:freebsd-isp-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-isp>
List-Post: <mailto:freebsd-isp@freebsd.org>
List-Help: <mailto:freebsd-isp-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-isp>,
	<mailto:freebsd-isp-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 22 May 2003 11:22:41 -0000

Hi,

I have a large number of user processes (eggdrops) connected to numerous networks
and recently started noticing a number of connection attempts
outgoing to a reserved network address, 0.0.13.5.  My firewall logs
show:

May 21 00:00:22 users ipmon[62]: 00:00:21.557455 fxp0 @0:12 b 213.152.51.194,4138 -> 0.0.13.5,3333 PR tcp len 20 60 -S OUT 
May 21 00:00:22 users ipmon[62]: 00:00:21.557529 fxp0 @0:12 b 213.152.51.194,4139 -> 0.0.13.5,3334 PR tcp len 20 60 -S OUT 
May 21 00:00:22 users ipmon[62]: 00:00:21.557578 fxp0 @0:12 b 213.152.51.194,4140 -> 0.0.13.5,3335 PR tcp len 20 60 -S OUT 
May 21 00:00:22 users ipmon[62]: 00:00:21.557625 fxp0 @0:12 b 213.152.51.194,4141 -> 0.0.13.5,3336 PR tcp len 20 60 -S OUT 


How can I determine what process is spawning this connection attempt and
the uid of the process?

I use ipfw to analyze bandwidth on a per user basis, but I can't think
of a way to use ipfw to capture the kind of info I need in this instance.


Thanks in advance,
Jez