
Is it possible to check which application is requesting a specific port on a Debian server? I'm getting a ton of these in iptraf:

x x UDP (77 bytes) from 172.16.0.2:25748 to 212.59.1.1:53 on eth0
x x UDP (105 bytes) from 212.59.1.1:53 to 172.16.0.2:25748 on eth0
x x UDP (77 bytes) from 172.16.0.2:15956 to 212.59.1.1:53 on eth0
x x UDP (93 bytes) from 212.59.1.1:53 to 172.16.0.2:15956 on eth0
x x UDP (77 bytes) from 172.16.0.2:64869 to 212.59.1.1:53 on eth0
x x UDP (105 bytes) from 212.59.1.1:53 to 172.16.0.2:64869 on eth0
x x UDP (77 bytes) from 172.16.0.2:27489 to 212.59.1.1:53 on eth0
x x UDP (93 bytes) from 212.59.1.1:53 to 172.16.0.2:27489 on eth0
x x UDP (77 bytes) from 172.16.0.2:32834 to 212.59.1.1:53 on eth0
x x UDP (105 bytes) from 212.59.1.1:53 to 172.16.0.2:32834 on eth0
x x UDP (77 bytes) from 172.16.0.2:31633 to 212.59.1.1:53 on eth0
x x UDP (93 bytes) from 212.59.1.1:53 to 172.16.0.2:31633 on eth0
x x UDP (55 bytes) from 172.16.0.2:31892 to 212.59.1.1:53 on eth0
x x UDP (83 bytes) from 212.59.1.1:53 to 172.16.0.2:31892 on eth0

172.16.0.2 is the internal IP (using the dummy package) of a virtual machine inside Xen (which I'm monitoring right now; this snippet is from the 172.16.0.2 machine), 212.59.1.1 is my ISP's DNS server.

Is it possible to see which application/PID is making these requests? Or is this normal behaviour? I'm investigating this because I might be flooding myself with those requests, even losing my network connectivity.

YOhan
  • Without timing info it's impossible to say whether this is normal or not. If this is over a period of time then certainly not a problem; if this is subsecond logging which continues on and on then I'd be worried. – wurtel Dec 08 '14 at 09:39

1 Answer


ss -neopa will tell you what has a port open at a given time.

However, with such short-lived connections, it can be hard to catch this.

You probably want to use auditd to monitor socket calls, then look at what UID/PID/PPID is opening sockets.

This is already answered here: how i can identify which process is making UDP traffic on linux?

suprjami
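As an added example (not code from the question or from suprjami's answer), the script below ties the two tools together from the defender's side: it counts how many queries each local source port sent to the resolver in iptraf lines of the format shown in the question, then looks a port up in `ss -uanp` output to find the owning PID (the process column needs root). The iptraf lines and the `ss` output embedded here are constructed samples so the script runs offline; the process names, PIDs and the audit key `udp_dns_sockets` are assumptions, not values from the page. The audit rule function is only a helper for the short-lived case the answer describes and is never called automatically.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Constructed sample of iptraf lines (same layout as the question's log).
IPTRAF_SAMPLE='x x UDP (77 bytes) from 172.16.0.2:25748 to 212.59.1.1:53 on eth0
x x UDP (105 bytes) from 212.59.1.1:53 to 172.16.0.2:25748 on eth0
x x UDP (77 bytes) from 172.16.0.2:15956 to 212.59.1.1:53 on eth0
x x UDP (93 bytes) from 212.59.1.1:53 to 172.16.0.2:15956 on eth0
x x UDP (77 bytes) from 172.16.0.2:25748 to 212.59.1.1:53 on eth0'

# Constructed sample of `ss -uanp` output (process names/PIDs are made up).
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      172.16.0.2:25748    0.0.0.0:*          users:(("nscd",pid=1234,fd=7))
UNCONN 0      0      0.0.0.0:68          0.0.0.0:*          users:(("dhclient",pid=456,fd=6))
UNCONN 0      0      127.0.0.1:53        0.0.0.0:*          users:(("unbound",pid=789,fd=4))'

# Count outgoing queries per local source port for one resolver.
# $1 = resolver IP, stdin = iptraf lines. Output: "count port", busiest first.
# A handful of distinct ports spread over minutes is ordinary resolver
# traffic; the same ports hammering sub-second is what to look into.
query_source_ports() {
    awk -v dns="$1:53" '$6 == "from" && $9 == dns {
            n = split($7, a, ":"); c[a[n]]++
        }
        END { for (p in c) print c[p], p }' | sort -rn
}

# Map a local UDP port to the PID that owns it, from `ss -uanp` on stdin.
# Prints nothing when the socket is already closed, which is the short-lived
# case where ss comes up empty and auditd is the right tool.
pid_for_udp_port() {
    awk -v port="$1" '/users:/ {
            n = split($4, a, ":")
            if (a[n] == port && match($0, /pid=[0-9]+/))
                print substr($0, RSTART + 4, RLENGTH - 4)
        }'
}

# Wrappers over the constructed samples; on a real host pipe in
# `ss -uanp` and the live iptraf log instead.
demo_pid_for_port() {
    printf '%s\n' "$SS_SAMPLE" | pid_for_udp_port "$1"
}

demo_top_port() {
    printf '%s\n' "$IPTRAF_SAMPLE" | query_source_ports 212.59.1.1 | head -n 1
}

# Audit rules for the short-lived case (root and auditd required; this uses
# the auditctl(8) rule syntax, it is not from the original post). a0=2 is
# AF_INET; the socket type (SOCK_DGRAM=2, possibly OR'ed with SOCK_NONBLOCK or
# SOCK_CLOEXEC) appears as a1 in the recorded event, along with pid/ppid/uid.
# Afterwards: ausearch -k udp_dns_sockets -i
install_socket_audit_rule() {
    auditctl -a always,exit -F arch=b64 -S socket -F a0=2 -k udp_dns_sockets
    auditctl -a always,exit -F arch=b32 -S socket -F a0=2 -k udp_dns_sockets
}

main() {
    echo "queries per source port (count port):"
    printf '%s\n' "$IPTRAF_SAMPLE" | query_source_ports 212.59.1.1
    echo "owner of port 25748: pid $(demo_pid_for_port 25748)"
}
main
```

On a live Debian host the two real inputs are `ss -uanp` (as root) and a saved iptraf log; the per-port counts answer wurtel's timing point only if you also note the time window the log covers, and a port that shows up in iptraf but not in `ss` is the signal to switch to the audit rule.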