On Fri, Jan 20, 2012 at 5:32 PM, Grant <emailgr...@gmail.com> wrote:
>>> >> My firewall is blocking periodic outbound connections to port 3680 on
>>> >> a Rackspace IP.  How can I find out more about what's going on?  Maybe
>>> >> which program is generating the connection requests?
>>> >
>>> > Uh, a packet sniffer?
>>> >
>>> > I have an old laptop here that I have a second (cardbus) network card in.
>>> > Really cheap and cheerful - the sort of thing you can pick up on
>>> > freecycle. It's been a while since I've done anything like this, but you
>>> > should be able to stick a box like that between the router and the rest
>>> > of your network, run Wireshark and filter on that port. If the
>>> > connection is encrypted then at least you'll see the originating IP.
>>>
>>> I've actually got the originating local IP from the shorewall log.
>>> I'm just trying to figure out which program and maybe which user on
>>> that system is generating the outbound requests to port 3680.  Is
>>> there any way to get more info without setting up a new box?
>>>
>>> > I don't think it's relevant that the IP belongs to Rackspace - don't they
>>> > just hire (virtual) servers to anyone that wants one?
>>>
>>> Yeah I just meant the request could be going to "anyone".
>>>
>>> - Grant
>>
>> Are you running NPDS in your LAN and is it configured to access any sites on
>> rackspace?
>> --
>> Regards,
>> Mick
>
> I am not running NPDS.  I looked it up when I was researching port
> 3680 and read about it for the first time.  I know which machine is
> making the requests.  Any way to drill down further?

If the machine is running Linux, then 'watch "lsof -n|grep TCP|grep
3680"' as root is a sloppy but effective way to find it. There's
probably some way to set up a firewall rule on the host in question
that logs out the user and (possibly) PID of the connection, but I
don't know.

If the machine is running Windows, then I'd suggest SysInternals
TCPView: http://technet.microsoft.com/en-us/sysinternals/bb897437

-- 
:wq
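
An added example, not part of the original thread: one way to get what the lsof suggestion above gets, by reading /proc/net/tcp directly, which also reports the owning uid of each socket. The function names and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. SAMPLE rows are constructed, laid out
# like /proc/net/tcp (IPv4 only; /proc/net/tcp6 uses 32-digit addresses).
SAMPLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11873 1
   1: 3201A8C0:B26E 0A7100CB:0E60 02 00000001:00000000 01:000000C8 00000002  1000        0 48213 2
   2: 3201A8C0:9C40 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 48377 1'

# Decode the byte-swapped hex IPv4 address the kernel prints on little-endian hosts.
hex_to_ip() {
    h=$1; m=${h#????}; n=${h%????}
    echo "$((0x${h#??????})).$((0x${m%??})).$((0x${n#??})).$((0x${h%??????}))"
}

# Read a /proc/net/tcp table on stdin; print owner uid, socket inode and state
# (02 = SYN_SENT, 01 = ESTABLISHED) for every socket whose remote port is $1.
find_dport() {
    want=$(printf '%04X' "$1")
    while read -r sl laddr rem st queues timer retr uid timeout inode rest; do
        [ "${rem#*:}" = "$want" ] || continue
        echo "uid=$uid inode=$inode state=$st remote=$(hex_to_ip "${rem%:*}"):$1"
    done
}

# Map a socket inode to the PIDs holding it open (needs root for other users).
inode_to_pids() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}; echo "${pid%%/*}"
    done | sort -u
}

# Live mode: ./script --live [port]   (polls once a second, default port 3680)
if [ "${1:-}" = "--live" ]; then
    while sleep 1; do
        find_dport "${2:-3680}" < /proc/net/tcp | while read -r line; do
            inode=${line#*inode=}; inode=${inode%% *}
            echo "$line pids=$(inode_to_pids "$inode" | tr '\n' ' ')"
        done
    done
fi
```

If the firewall drops the packets rather than rejecting them, the socket stays in state 02 (SYN_SENT) while the kernel retries, so a one-second poll is enough to catch it.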
