Hi,

I've written a kernel module that logs all socket connection attempts. That is done with the help of LSM hooks. What I can see now is that the kernel is connecting to some 100. and 101. IP addresses many times:

...
socket_connect: 1.0.0.0:0 -> 100.119.112.45:106
socket_connect: 1.0.0.0:0 -> 101.118.47.115:12132
...

What is the source IP 1.0.0.0? All other user-initiated connections (e.g. browser) have the IP address 0.0.0.0. Sometimes with zero or non-zero port. And where do these 100./101. addresses end? I assume that these are in-kernel sockets used for IPC but I'm not sure.

A user-initiated connection looks as follows:

...
socket_connect: 0.0.0.0:43659 -> 10.0.2.3:53 //DNS
socket_connect: 0.0.0.0:0-> 74.125.77.95:0 // Src-Port and Dst-Port are 0?
...

Thanks
Yves
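
Added example, not part of the original post or of the module it describes: the LSM socket_connect hook fires for every address family, so a logger that casts each address to sockaddr_in without checking sa_family (an assumption, since the module's code is not shown) would print AF_UNIX paths as an IPv4 address and port. The userspace C below, assuming the Linux sockaddr layouts, reproduces that misreading on a constructed path and reverses it for the two destinations logged above.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Reinterpret a sockaddr_un as sockaddr_in, the way a hook that skips the
 * sa_family check would, and format the result as "a.b.c.d:port". */
static void misread_as_inet(const struct sockaddr_un *un, char *out, size_t len)
{
    struct sockaddr_in in;
    char ip[INET_ADDRSTRLEN];
    memcpy(&in, un, sizeof(in));      /* same leading bytes, wrong type */
    inet_ntop(AF_INET, &in.sin_addr, ip, sizeof(ip));
    snprintf(out, len, "%s:%u", ip, (unsigned)ntohs(in.sin_port));
}

/* Inverse: turn a logged "a.b.c.d:port" back into the first six sun_path
 * bytes. A leading NUL (abstract socket) is shown as '@'. 0 on success. */
static int logged_to_path_prefix(const char *logged, char out[7])
{
    unsigned a, b, c, d, port;
    if (sscanf(logged, "%u.%u.%u.%u:%u", &a, &b, &c, &d, &port) != 5)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255 || port > 65535)
        return -1;
    out[0] = (char)(port >> 8);       /* sun_path[0..1] overlap sin_port */
    out[1] = (char)(port & 0xff);
    out[2] = (char)a; out[3] = (char)b; out[4] = (char)c; out[5] = (char)d;
    out[6] = '\0';
    if (out[0] == '\0')
        out[0] = '@';
    return 0;
}

int main(void)
{
    /* "/dev/sample" is a constructed path, not one taken from the post. */
    struct sockaddr_un un = { .sun_family = AF_UNIX, .sun_path = "/dev/sample" };
    const char *logged[] = { "100.119.112.45:106", "101.118.47.115:12132" };
    char buf[32], prefix[7];
    misread_as_inet(&un, buf, sizeof(buf));
    printf("AF_UNIX %s misread as %s\n", un.sun_path, buf);
    for (size_t i = 0; i < 2; i++)
        if (logged_to_path_prefix(logged[i], prefix) == 0)
            printf("%-22s -> sun_path starts with \"%s\"\n", logged[i], prefix);
    return 0;
}
```

In a hook, testing the address's sa_family before the cast separates such entries from real AF_INET connects.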
