From owner-freebsd-isp@FreeBSD.ORG Thu May 22 04:22:40 2003
From: Jez Hancock
To: FreeBSD ISP List
Date: Thu, 22 May 2003 12:22:39 +0100
Subject: Determining what process/uid is attempting a network connection
Message-ID: <20030522112239.GB22219@users.munk.nu>
List-Id: Internet Services Providers
User-Agent: Mutt/1.4.1i

Hi,

I have a large number of user processes (eggdrops) connected to numerous networks and recently started noticing a number of connection attempts outgoing to a reserved network address, 0.0.13.5.
My firewall logs show:

May 21 00:00:22 users ipmon[62]: 00:00:21.557455 fxp0 @0:12 b 213.152.51.194,4138 -> 0.0.13.5,3333 PR tcp len 20 60 -S OUT
May 21 00:00:22 users ipmon[62]: 00:00:21.557529 fxp0 @0:12 b 213.152.51.194,4139 -> 0.0.13.5,3334 PR tcp len 20 60 -S OUT
May 21 00:00:22 users ipmon[62]: 00:00:21.557578 fxp0 @0:12 b 213.152.51.194,4140 -> 0.0.13.5,3335 PR tcp len 20 60 -S OUT
May 21 00:00:22 users ipmon[62]: 00:00:21.557625 fxp0 @0:12 b 213.152.51.194,4141 -> 0.0.13.5,3336 PR tcp len 20 60 -S OUT

How can I determine what process is spawning this connection attempt and the uid of the process?

I use ipfw to analyze bandwidth on a per user basis, but I can't think of a way to use ipfw to capture the kind of info I need in this instance.

Thanks in advance,
Jez
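One way to answer the question in the post, added here as an example and not part of the original message or any reply to it: parse the ipmon(8) lines in the format shown above, keep only the flows whose destination falls in 0.0.0.0/8 (the "this network" range that 0.0.13.5 belongs to), and join each flow's local address and source port against a socket listing to recover the owning user, command and pid. The socket listing is modelled on FreeBSD's sockstat(1); the column order assumed below (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS) and both sample inputs are constructed for this example, and the user names, pids and the third "pass" log line are made up. A connection attempt that the firewall blocks stays in SYN_SENT only briefly, so the socket listing has to be captured while the attempt is in flight (or repeatedly); flows whose socket is already gone are reported as unknown rather than silently dropped.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample ipmon(8) lines in the same format as the post's firewall log.
# The third line is a made-up "pass" entry to a normal destination, so the
# bogon filter has something to leave out.
IPMON_LOG = """\
May 21 00:00:22 users ipmon[62]: 00:00:21.557455 fxp0 @0:12 b 213.152.51.194,4138 -> 0.0.13.5,3333 PR tcp len 20 60 -S OUT
May 21 00:00:22 users ipmon[62]: 00:00:21.557529 fxp0 @0:12 b 213.152.51.194,4139 -> 0.0.13.5,3334 PR tcp len 20 60 -S OUT
May 21 00:00:23 users ipmon[62]: 00:00:22.101010 fxp0 @0:14 p 213.152.51.194,4150 -> 198.51.100.7,6667 PR tcp len 20 60 -S OUT
"""

# Constructed sample socket listing. The column layout is an assumption about
# `sockstat -4 -P tcp` output: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS.
SOCKSTAT_OUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
alice    eggdrop   1234    5 tcp4   213.152.51.194:4138   0.0.13.5:3333
alice    eggdrop   1234    6 tcp4   213.152.51.194:4139   0.0.13.5:3334
bob      eggdrop   2345    4 tcp4   213.152.51.194:4150   198.51.100.7:6667
"""

# Destinations that legitimate outbound traffic should never target.
# 0.0.0.0/8 is "this network" (RFC 1122); extend the list as needed.
BOGON_NETS = [ipaddress.ip_network("0.0.0.0/8")]

# Fields of an ipmon line: timestamp, interface, rule, action (b=block, p=pass),
# source addr/port, destination addr/port, protocol.
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: (?P<ts>\S+) (?P<iface>\S+) @(?P<rule>\S+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)"
)


def parse_ipmon(text):
    """Return one dict per parseable ipmon line; unparseable lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = IPMON_RE.search(line)
        if m:
            flows.append(m.groupdict())
    return flows


def parse_sockstat(text):
    """Map (local_ip, local_port) -> (user, command, pid) from the socket listing."""
    owners = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue
        user, command, pid, local = fields[0], fields[1], fields[2], fields[5]
        ip, port = local.rsplit(":", 1)
        owners[(ip, port)] = (user, command, pid)
    return owners


def suspicious_flows(flows):
    """Keep only flows whose destination lies inside a bogon network."""
    return [f for f in flows
            if any(ipaddress.ip_address(f["dst"]) in net for net in BOGON_NETS)]


def attribute(flows, owners):
    """Join each flow to its socket owner by (local ip, source port).

    A blocked SYN's socket may already be closed by the time the listing is
    taken; such flows are reported with an 'unknown' owner, not dropped.
    """
    unknown = ("unknown", "unknown", "?")
    return [(f, owners.get((f["src"], f["sport"]), unknown)) for f in flows]


def summarize(attributed):
    """Count suspicious flows per (user, command, pid)."""
    return Counter(owner for _, owner in attributed)


if __name__ == "__main__":
    flows = suspicious_flows(parse_ipmon(IPMON_LOG))
    report = summarize(attribute(flows, parse_sockstat(SOCKSTAT_OUT)))
    for (user, command, pid), n in report.items():
        print(f"{user:10} {command:10} pid {pid:>6}  {n} blocked flow(s) to bogon space")
```

On a live host the two inputs would come from the ipmon log file and from running sockstat in a tight loop while the attempts are occurring; the source-port join is what ties a firewall log entry back to a process, since the log itself carries no uid. Since the poster already runs per-user ipfw accounting, a complementary route is a logging ipfw rule for traffic to 0.0.0.0/8 restricted with the rule's `uid` option, which names the owner in the log entry directly.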