I want to identify the application that triggers network traffic like the one below.
I have disabled the ethernet and wireless cards, and denied incoming traffic in the firewall.
```
$ sudo tcpdump -vv -e -A -i any
04:26:45.584729 in 00:00:00:00:00:00 (oui Ethernet) ethertype IPv6 (0x97dd), length 96: (flowlabel 0x745b5, hlim 64, next-header TCP (6) payload length: 20) ip6-localhost.58579 > ip6-localhost.ipp: Flags [S], cksum 0x0040 (incorrect -> 0x2cd0), seq 2165813293, win 76587, options [mss 76587,sackOK,TS val 2750260918 ecr 0,nop,wscale 7], length 0
`.. .(.@..........................w"h...........0..............
..........
04:26:45.584841 in 00:00:00:00:00:00 (oui Ethernet) ethertype IPv6 (0x97dd), length 76: (flowlabel 0xe55e5, hlim 64, next-header TCP (6) payload length: 20) ip6-localhost.ipp > ip6-localhost.58579: Flags [R,], cksum 0x002c (incorrect -> 0x0f41), seq 0, ack 2165813294, win 0, length 0
`.Z....@................................w......"h..P........
04:26:45.585170 in 00:00:00:00:00:00 (oui Ethernet) ethertype IPv4 (0x0900), length 76: (tos 0x0, ttl 64, id 1651, offset 0, flags[DF], proto TCP (6), length 60)
localhost.55349 > localhost.ipp: Flags [S], cksum 0xfe41 (incorrect -> 0x5293), seq 312304068, win 76506, options [mss 76504,sackOK,TS val 993195917 ecr 0,nop,wscale 7], length 0
E.j*@.@............w
..%..........0..........
(............
04:26:45.585274 in 00:00:00:00:00:00 (oui Ethernet) ethertype IPv4 (0x900), length 56: (tos 0x0, ttl 64, id 0, offset 0, flags[DF], proto TCP (6), length 40)
localhost.ipp > localhost.55349: Flags [R,], cksum 0x5a0d (correct), seq 0, ack 312304069, win 0, length 0
E../(..@.@<..............w........
..&P........
```
Traffic like this is triggered every 30 minutes. I checked the cron log, and none of the entries matches the timestamps of the packets.
Although I run `lsof -i` right after the terminal outputs another batch of traffic, the ports from the dump are not listed. Same thing with the command `ss`.
I researched localhost.ipp, and found something about the printing service. But my cups scheduler is disabled and masked.
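
Added example, not part of the original question: a small Python parser that pairs each SYN in a capture like the one above with the reset that answers it. It shows that every attempt to reach port ipp is over within about 100 microseconds, far less time than it takes to run lsof or ss by hand. The function name and the abbreviated sample lines are assumptions constructed for this example.

```python
import re

# Constructed sample: abbreviated from the tcpdump -vv output in the question.
SAMPLE = """\
04:26:45.584729 In ethertype IPv6, length 96: (hlim 64, next-header TCP (6)) ip6-localhost.58579 > ip6-localhost.ipp: Flags [S], seq 2165813293, length 0
04:26:45.584841 In ethertype IPv6, length 76: (hlim 64, next-header TCP (6)) ip6-localhost.ipp > ip6-localhost.58579: Flags [R.], seq 0, ack 2165813294, win 0, length 0
04:26:45.585170 In ethertype IPv4, length 76: (tos 0x0, ttl 64, proto TCP (6), length 60)
    localhost.55349 > localhost.ipp: Flags [S], seq 312304068, length 0
04:26:45.585274 In ethertype IPv4, length 56: (tos 0x0, ttl 64, proto TCP (6), length 40)
    localhost.ipp > localhost.55349: Flags [R.], seq 0, ack 312304069, win 0, length 0
"""

TS = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6})\b")
FLOW = re.compile(r"(\S+)\.([\w-]+) > (\S+)\.([\w-]+): Flags \[([^\]]+)\]")

def refused_connects(dump):
    """Pair each SYN with the RST that answers it; one dict per refused attempt."""
    pending, refused, now_us = {}, [], None
    for line in dump.splitlines():
        ts = TS.match(line)
        if ts:  # with -vv the IPv4 flow sits on the line after the timestamp
            h, m, s, us = map(int, ts.groups())
            now_us = (h * 3600 + m * 60 + s) * 1_000_000 + us
        flow = FLOW.search(line)
        if not flow or now_us is None:
            continue
        src, sport, dst, dport, flags = flow.groups()
        if flags == "S":                 # client SYN: remember when it was sent
            pending[(src, sport, dst, dport)] = now_us
        elif flags.startswith("R"):      # the RST travels in the reverse direction
            sent = pending.pop((dst, dport, src, sport), None)
            if sent is not None:
                refused.append({"client_port": dport, "service": sport,
                                "host": src, "lifetime_us": now_us - sent})
    return refused

if __name__ == "__main__":
    for r in refused_connects(SAMPLE):
        print(f"{r['host']}:{r['service']} reset source port {r['client_port']} "
              f"after {r['lifetime_us']} us")
```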