| 1 |
On Fri, Jan 20, 2012 at 5:32 PM, Grant <emailgrant@×××××.com> wrote: |
| 2 |
>>> >> My firewall is blocking periodic outbound connections to port 3680 on |
| 3 |
>>> >> a Rackspace IP. How can I find out more about what's going on? Maybe |
| 4 |
>>> >> which program is generating the connection requests? |
| 5 |
>>> > |
| 6 |
>>> > Uh, a packet sniffer? |
| 7 |
>>> > |
| 8 |
>>> > I have an old laptop here that I have a second (cardbus) network card in. |
| 9 |
>>> > Really cheap and cheerful - the sort of thing you can pick up on |
| 10 |
>>> > freecycle. It's been a while since I've done anything like this, but you |
| 11 |
>>> > should be able to stick a box like that between the router and the rest |
| 12 |
>>> > of your network, run Wireshark and filter on that port. If the |
| 13 |
>>> > connection is encrypted then at least you'll see the originating IP. |
| 14 |
>>> |
| 15 |
>>> I've actually got the originating local IP from the shorewall log. |
| 16 |
>>> I'm just trying to figure out which program and maybe which user on |
| 17 |
>>> that system is generating the outbound requests to port 3680. Is |
| 18 |
>>> there any way to get more info without setting up a new box? |
| 19 |
>>> |
| 20 |
>>> > I don't think it's relevant that the IP belongs to Rackspace - don't they |
| 21 |
>>> > just hire (virtual) servers to anyone that wants one? |
| 22 |
>>> |
| 23 |
>>> Yeah I just meant the request could be going to "anyone". |
| 24 |
>>> |
| 25 |
>>> - Grant |
| 26 |
>> |
| 27 |
>> Are you running NPDS in your LAN and is it configured to access any sites on |
| 28 |
>> rackspace? |
| 29 |
>> -- |
| 30 |
>> Regards, |
| 31 |
>> Mick |
| 32 |
> |
| 33 |
> I am not running NPDS. I looked it up when I was researching port |
| 34 |
> 3680 and read about it for the first time. I know which machine is |
| 35 |
> making the requests. Any way to drill down further? |
| 36 |
|
| 37 |
If the machine is running linux, then 'watch "lsof -n|grep TCP|grep |
| 38 |
3680"' as root is a sloppy but effective way to find it. There's |
| 39 |
probably some way to set up a firewall rule on the host in question |
| 40 |
that logs out the user and (possibly) PID of the connection, but I |
| 41 |
don't know. |
| 42 |
|
| 43 |
If the machine is running Windows, then I'd suggest SysInternals |
| 44 |
TCPView: http://technet.microsoft.com/en-us/sysinternals/bb897437 |
| 45 |
|
| 46 |
-- |
| 47 |
:wq |
Archives