Debian: Find unknown process pinging ip on old subnet after subnet change

Question

I changed my network subnet from 192.168.1.0 to 10.10.10.0, but some rogue process is trying to hit port 9100 on 192.168.1.145

I have tried sudo lsof -n | grep TCP | grep 9100 with no luck.
I have also tried sudo netstat -nlpt | grep 192.168.1.145 without luck.
My conclusion is that this isn't working because of the fact that the connection is not being established.

Besides waitig for a complete search for the ip in all files (sudo grep -Ril -e ´192.168.1.145´ * 2>/dev/null) to finish, or setting up some sort of dummy nic/ or a nc and route to let it connect to, what else can I do to find the process causing this.

I have checked that cups is not installed.

Update

It turned out i had misread the IP and it was an old printer installed on a windows machine. uninstalling that fixed it

port 9100 is usually Prometheus node exporter or HP JetDirect printers — AlexD, Dec 20 '21 at 15:08
I'm aware of that. it is the old ip of my printer, which is now `10.10.10.145` — Jonas Stumph Stevnsvig, Dec 20 '21 at 15:18
does this answers your questions: https://serverfault.com/questions/352259/finding-short-lived-tcp-connections-owner-process — kofemann, Dec 20 '21 at 15:37
Please don't edit your answer into the question. Post it as an answer instead and accept it when you are allowed to do so. Otherwise the question will stay in the system as unsolved forever. — Gerald Schneider, Dec 21 '21 at 09:01
@GeraldSchneider I have rephrased it and posted the solution as an answer. i originally posted it as an update since i didn't see it working,. — Jonas Stumph Stevnsvig, Dec 21 '21 at 13:18

Jonas Stumph Stevnsvig · Answer 1 · 2021-12-21T14:35:31.660

Based on the answer(s) here: https://serverfault.com/a/352275/246640 (tip from the comments)

Running

while true;do
   ss dst 192.168.1.145 -ntap  '( dport = :9100 )' | grep 145;
   sleep 1; 
done

Will make sure to show only a line when a packet is sent to that IP and port...

This diverges from the linked answer in that it shows non-established connections instead of established connections.

To verify that it works:

Run this in a different terminal: curl 192.168.145:9100 it show up in the output:

State                  Recv-Q                Send-Q                               Local Address:Port                                 Peer Address:Port
SYN-SENT               0                     1                                     10.10.10.240:59494                               192.168.1.145:9100                users:(("curl",pid=25945,fd=3))

Debian: Find unknown process pinging ip on old subnet after subnet change

Update

1 Answers1

To verify that it works: