请问如何看是哪个进程在发送数据包
时间:2014-10-07 16:14 来源:linux.it.net.cn 作者:it
[root@localhost ~]# netstat -an|grep ":80 "
[root@localhost ~]# tcpdump -n port 80 -c 10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:14:21.075065 IP 218.60.132.210.http > 202.96.155.153.5931: S 1783264581:1783264581(0) ack 617987055 win 17473
11:14:21.100084 IP 173.192.64.171.http > 202.96.155.19.49492: S 173134372:173134372(0) ack 695494683 win 17473
11:14:21.126288 IP 218.60.132.210.http > 202.96.155.153.47703: S 3329693809:3329693809(0) ack 1069703872 win 17473
11:14:21.130454 IP 218.60.132.210.http > 202.96.155.105.21879: S 888380972:888380972(0) ack 1464395311 win 17473
11:14:21.134882 IP 182.50.148.128.http > 202.96.155.154.47184: S 1513981031:1513981031(0) ack 2566593028 win 16384 <mss 1460>
11:14:21.139507 IP 174.127.72.126.http > 202.96.155.154.60956: S 3390026058:3390026058(0) ack 2261836456 win 17473
11:14:21.148721 IP 218.60.132.210.http > 202.96.155.105.10280: S 1690202333:1690202333(0) ack 1926073830 win 17473
11:14:21.295066 IP 173.193.25.244.http > 202.96.155.105.17927: S 248024764:248024764(0) ack 1415390271 win 17473
11:14:21.344014 IP 173.192.64.171.http > 202.96.155.19.45860: S 3287729140:3287729140(0) ack 1238471603 win 17473
11:14:21.390640 IP 218.60.132.210.http > 202.96.154.185.55157: S 2349845591:2349845591(0) ack 4196158787 win 17473
该服务器80端口没有跑任何服务,抓包结果看到其80port不断向外发送数据包,而且tcpdump结果中,左右的ip都不是此机器ip,故怀疑其伪装ip向外发送数据(src ip中还有国外ip),现在需要知道其从80端口发送数据的进程,请大家指点一下吧
补充 : lsof -i:80
,也没有输出,因为80端口全部发送的SYN数据包,而且三次握手都是没有建立成功的,否则lsof也可以看到进程名字
用 iptraf 里面第一项看下那个点的发包数过多,频繁
另外iftop -i eth0 -B -m -p 用这个监控下你的网卡出口和进口(-i 后面跟你的网络设备) (责任编辑:IT)
[root@localhost ~]# netstat -an|grep ":80 " [root@localhost ~]# tcpdump -n port 80 -c 10 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 11:14:21.075065 IP 218.60.132.210.http > 202.96.155.153.5931: S 1783264581:1783264581(0) ack 617987055 win 17473 11:14:21.100084 IP 173.192.64.171.http > 202.96.155.19.49492: S 173134372:173134372(0) ack 695494683 win 17473 11:14:21.126288 IP 218.60.132.210.http > 202.96.155.153.47703: S 3329693809:3329693809(0) ack 1069703872 win 17473 11:14:21.130454 IP 218.60.132.210.http > 202.96.155.105.21879: S 888380972:888380972(0) ack 1464395311 win 17473 11:14:21.134882 IP 182.50.148.128.http > 202.96.155.154.47184: S 1513981031:1513981031(0) ack 2566593028 win 16384 <mss 1460> 11:14:21.139507 IP 174.127.72.126.http > 202.96.155.154.60956: S 3390026058:3390026058(0) ack 2261836456 win 17473 11:14:21.148721 IP 218.60.132.210.http > 202.96.155.105.10280: S 1690202333:1690202333(0) ack 1926073830 win 17473 11:14:21.295066 IP 173.193.25.244.http > 202.96.155.105.17927: S 248024764:248024764(0) ack 1415390271 win 17473 11:14:21.344014 IP 173.192.64.171.http > 202.96.155.19.45860: S 3287729140:3287729140(0) ack 1238471603 win 17473 11:14:21.390640 IP 218.60.132.210.http > 202.96.154.185.55157: S 2349845591:2349845591(0) ack 4196158787 win 17473 该服务器80端口没有跑任何服务,抓包结果看到其80port不断向外发送数据包,而且tcpdump结果中,左右的ip都不是此机器ip,故怀疑其伪装ip向外发送数据(src ip中还有国外ip),现在需要知道其从80端口发送数据的进程,请大家指点一下吧 补充 : lsof -i:80 ,也没有输出,因为80端口全部发送的SYN数据包,而且三次握手都是没有建立成功的,否则lsof也可以看到进程名字 用 iptraf 里面第一项看下那个点的发包数过多,频繁 另外iftop -i eth0 -B -m -p 用这个监控下你的网卡出口和进口(-i 后面跟你的网络设备) (责任编辑:IT) |