Capture pid of process using port 6881 only once every 15 min

Question

I can see from a tcpdump that an internal linux server is trying to contact an outside computer approximately every 15 min: one udp-packet on port 6881 (bittorrent), that's all.

As this server isn't supposed to contact anyone, I want to find out what evil soul generated this packet, i.e. I need some information about the process (e.g. pid, file, ...).

Because the timespan is so short, I can't use netstat or lsof.

The process is likely to be active about half of a microsecond, then it gets a destination unreachable (port unreachable) from firewall.

I have ssh access to the machine.

How can I capture network packets per PID? suggests to use the tcpdump option -k, however, linux tcpdump has no such option.

Maybe have a look at the HoneProject? https://github.com/HoneProject/Linux-Sensor — Christopher Maynard, May 07 '18 at 15:18

score 1 · Accepted Answer · answered May 08 '18 at 12:56

You can't do this with TCPDump, obviously, but you can do this from the host itself. Especially since it's UDP with no state, and since you can't predict when the process will be listening, you should look into using the kernel audit capabilities. For example:

 auditctl -a exit,always -F arch=b64 -F a0=2 -F a1\&=2 -S socket -k SOCKET

This instructs the kernel to generate an audit event whenever there is a socket call. With this done, you can then wait until you see the suspicious packet leave the machine and then use ausearch to track down not only the process, but the binary that made the call.

Capture pid of process using port 6881 only once every 15 min

1 Answers1