nethogs opening raw socket and seeing unidentified connection attempts
Binary package hint: nethogs
I got iptables log entries about access attempts to IPs (port 80) I could not identify as legitimate traffic.
(Unfortunately it seems iptables can filter by, but not log, PIDs (or commands) by which local packets were generated, only --log-uid.)
Searching for the origin of the packets I found that the nethogs that was running had a socket open:
# netstat -epan --inet
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:50001 0.0.0.0:* LISTEN 1003 110063 4901/firefox
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 0 7810 2387/cupsd
udp 0 0 0.0.0.0:68 0.0.0.0:* 0 5328 1100/dhclient
udp 0 0 0.0.0.0:5353 0.0.0.0:* 106 5245 1105/avahi-daemon:
udp 0 0 0.0.0.0:47387 0.0.0.0:* 106 5247 1105/avahi-daemon:
raw 0 0 0.0.0.0:1544 0.0.0.0:* 7 0 58580 4751/nethogs
The packets could come from nethogs or from another short running non UID 1003 process (which are allowed).
In any case I found it strange that nethogs has a socket open on 0.0.0.0:1544 at all.
I installed nethogs from the repositories and have not found any mention of this on the net or in the /usr documentation.
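
An added example, not part of the original question and not nethogs code: a parser for the `netstat -epan --inet` output quoted above that lists raw sockets with their owning PID and maps a UID (as logged by iptables --log-uid) to the processes holding sockets. The function names are hypothetical, and numeric UIDs (the -n flag) are assumed.

```python
import re

# Constructed sample: the netstat output quoted in the question above.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:50001 0.0.0.0:* LISTEN 1003 110063 4901/firefox
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 0 7810 2387/cupsd
udp 0 0 0.0.0.0:68 0.0.0.0:* 0 5328 1100/dhclient
udp 0 0 0.0.0.0:5353 0.0.0.0:* 106 5245 1105/avahi-daemon:
udp 0 0 0.0.0.0:47387 0.0.0.0:* 106 5247 1105/avahi-daemon:
raw 0 0 0.0.0.0:1544 0.0.0.0:* 7 0 58580 4751/nethogs
"""

# State is blank on the UDP rows but numeric ("7") on the raw row, so it is
# optional here; the regex backtracks to keep UID and inode in the right columns.
ROW = re.compile(
    r"^(?P<proto>tcp6?|udp6?|raw6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>\S+)\s+)?(?P<uid>\d+)\s+(?P<inode>\d+)\s+(?P<owner>-|\d+/.*)$"
)

def parse_netstat(text):
    """Return one dict per socket row; the header and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        pid, _, prog = row.pop("owner").partition("/")
        row.update(uid=int(row["uid"]), inode=int(row["inode"]),
                   pid=int(pid) if pid.isdigit() else None,  # "-" means owner unknown
                   program=prog.strip() or None)
        rows.append(row)
    return rows

def raw_sockets(rows):
    """Rows whose protocol column is raw or raw6."""
    return [r for r in rows if r["proto"].startswith("raw")]

def owners_for_uid(rows, uid):
    """(pid, program) pairs holding a socket under the given numeric UID."""
    return sorted({(r["pid"], r["program"]) for r in rows
                   if r["uid"] == uid and r["pid"] is not None})

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    for r in raw_sockets(rows):
        print(r["local"], "uid", r["uid"], "inode", r["inode"], r["pid"], r["program"])
    print(owners_for_uid(rows, 106))
```

A snapshot like this only shows processes that hold a socket at the moment netstat runs, so a short-running sender can be missed.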
Question information
- Language: English
- Status: Expired
- For: Ubuntu nethogs
- Assignee: No assignee
This question was originally filed as bug #492596.