From: BBlister
To: freebsd-hackers@freebsd.org
Date: Wed, 20 Feb 2019 07:02:17 -0700 (MST)
Subject: Re: userland process rpc.lockd opens untraceable ports...is something wrong here?
Message-ID: <1550671337578-0.post@n6.nabble.com>
In-Reply-To: <20190219220404.GA1668@troutmask.apl.washington.edu>

After one suggestion on the questions list, I used rpcinfo -p, but this does not print every unknown port.

For example:

# netstat -an | grep -E '874|815'
tcp4 0 0 *.815 *.* LISTEN
tcp6 0 0 *.874 *.* LISTEN

sockstat reports ?

# sockstat | grep -E '874|815'
? ? ? ? tcp4 *:815 *:*
? ? ? ? tcp6 *:874 *:*

rpcinfo -p reports just one port

# rpcinfo -p| grep -E '874|815'
100021 0 tcp 815 nlockmgr
100021 1 tcp 815 nlockmgr
100021 3 tcp 815 nlockmgr
100021 4 tcp 815 nlockmgr

The 874/tcp6 which belongs to rpc.lockd does not appear on this list. Is rpcinfo only for IPv4, and if yes, what tool do I use for IPv6?

The grand question is of course, is there any tool to actually locate the processes that open ports and cannot be identified with sockstat?

The second grand question: why is rpc.lockd a different kind of process that cannot be located from sockstat? Other RPC processes are found using sockstat, as the following printing shows:

# rpcinfo -p | grep 2049
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs

sockstat |grep 2049
root nfsd 41279 5 tcp4 *:2049 *:*
root nfsd 41279 6 tcp6 *:2049 *:*

nfs is found using rpcinfo and also using sockstat. What does rpc.lockd do so that it is not found?

After 25 years of sysadmin, I find it very strange for FreeBSD not to be able to trace a listening port to an executable.

--
Sent from: http://freebsd.1045724.x6.nabble.com/freebsd-hackers-f4034256.html
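
Added example, not part of the original message: the cross-check done by hand above, written as a Python script that joins sockstat rows with rpcinfo -p registrations and reports sockets for which sockstat shows no owning process. The sample text is the output quoted in the message; the function names are made up for this example.

```python
import re

# Sample input: the sockstat and rpcinfo -p lines quoted in the message above.
SOCKSTAT = """\
? ? ? ? tcp4 *:815 *:*
? ? ? ? tcp6 *:874 *:*
root nfsd 41279 5 tcp4 *:2049 *:*
root nfsd 41279 6 tcp6 *:2049 *:*
"""
RPCINFO_P = """\
100021 0 tcp 815 nlockmgr
100021 1 tcp 815 nlockmgr
100021 3 tcp 815 nlockmgr
100021 4 tcp 815 nlockmgr
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
"""

def parse_sockstat(text):
    """Yield (proto, port, owner); owner is None when sockstat printed '?'."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or not re.fullmatch(r"(tcp|udp)[46]", f[4]):
            continue  # header line or a non-inet socket
        port = f[5].rsplit(":", 1)[-1]
        if not port.isdigit():
            continue  # wildcard local port
        owner = None if f[1] == "?" else (f[0], f[1], int(f[2]))
        yield f[4], int(port), owner

def parse_rpcinfo_p(text):
    """Map (transport, port) -> set of service names from 'rpcinfo -p' rows."""
    table = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].isdigit() and f[3].isdigit():
            name = f[4] if len(f) > 4 else f[0]  # fall back to program number
            table.setdefault((f[2], int(f[3])), set()).add(name)
    return table

def unowned_sockets(sockstat_text, rpcinfo_text):
    """Return [(proto, port, rpc_services)] for sockets with no owning process."""
    rpc = parse_rpcinfo_p(rpcinfo_text)
    out = []
    for proto, port, owner in parse_sockstat(sockstat_text):
        if owner is None:
            # rpcinfo -p rows carry no address family, so match on tcp/udp only
            out.append((proto, port, sorted(rpc.get((proto[:3], port), ()))))
    return out

if __name__ == "__main__":
    for proto, port, services in unowned_sockets(SOCKSTAT, RPCINFO_P):
        print(proto, port, "no owning process; rpcinfo -p:", ", ".join(services) or "no registration")
```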