Don't know what this is, but I'd be curious to know:

1) What is the address family and protocol of these connections?

2) Are the destination addresses fairly consistent over time, or do they jump around randomly? (i.e., are you sure these are valid and not just initialized randomness resulting from misinterpreting something that is not AF_INET IP traffic?)

3) What do you see if you build and install the same module on an ordinary desktop Linux?

3b) What if you do this in a virtual machine and run tcpdump on the host... do you see real traffic?

4) What gets sent?

On Oct 29, 3:24 pm, Yves Langisch <[email protected]> wrote:
> Hi,
>
> I've written a kernel module that logs all socket connection attempts.
> That is done with the help of LSM hooks. What I can see now is that the
> kernel is connecting to some 100. and 101. IP addresses many times:
>
> ...
> socket_connect: 1.0.0.0:0 -> 100.119.112.45:106
> socket_connect: 1.0.0.0:0 -> 101.118.47.115:12132
> ...
>
> What is the source IP 1.0.0.0? All other user-initiated connections
> (e.g. browser) have the IP address 0.0.0.0. Sometimes with zero or
> non-zero port. And where do these 100./101. addresses end? I assume that
> these are in-kernel sockets used for IPC but I'm not sure.
>
> A user-initiated connection looks as follows:
>
> ...
> socket_connect: 0.0.0.0:43659 -> 10.0.2.3:53 //DNS
> socket_connect: 0.0.0.0:0-> 74.125.77.95:0 // Src-Port and Dst-Port are 0?
> ...
>
> Thanks
> Yves

--
unsubscribe: [email protected]
website: http://groups.google.com/group/android-kernel
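Question 2 above asks whether the logged values could come from reading a non-AF_INET address as IP. The following userspace sketch is an added example, not code from either poster or from the module under discussion; it assumes the Linux sockaddr layout, the function names are hypothetical, and the two AF_UNIX paths are constructed so that the naive formatter reproduces the two logged destinations.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Naive logger: reads every address as sockaddr_in, ignoring sa_family. */
static void fmt_naive(const struct sockaddr *sa, char *out, size_t n)
{
    struct sockaddr_in in;
    char ip[INET_ADDRSTRLEN];
    memcpy(&in, sa, sizeof in);               /* copy avoids misaligned access */
    inet_ntop(AF_INET, &in.sin_addr, ip, sizeof ip);
    snprintf(out, n, "%s:%u", ip, (unsigned)ntohs(in.sin_port));
}

/* Family-aware logger: decode only the fields the address family defines. */
static void fmt_checked(const struct sockaddr *sa, socklen_t len, char *out, size_t n)
{
    size_t off = offsetof(struct sockaddr_un, sun_path);
    const char *p = ((const struct sockaddr_un *)sa)->sun_path;
    if (sa->sa_family == AF_INET && len >= sizeof(struct sockaddr_in))
        fmt_naive(sa, out, n);
    else if (sa->sa_family == AF_UNIX && len > off && p[0] == '\0')
        snprintf(out, n, "unix:@%.*s", (int)(len - off - 1), p + 1); /* abstract */
    else if (sa->sa_family == AF_UNIX && len > off)
        snprintf(out, n, "unix:%.*s", (int)(len - off), p);          /* pathname */
    else
        snprintf(out, n, "af=%d", (int)sa->sa_family);
}

/* Build an AF_UNIX address from a constructed path; format it naively or checked. */
const char *log_unix(const char *path, size_t plen, int checked)
{
    static char out[160];
    struct sockaddr_un un = { .sun_family = AF_UNIX };
    socklen_t len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + plen);
    memcpy(un.sun_path, path, plen);
    if (checked) fmt_checked((struct sockaddr *)&un, len, out, sizeof out);
    else         fmt_naive((struct sockaddr *)&un, out, sizeof out);
    return out;
}

int main(void)
{
    puts(log_unix("/dev/socket/example", 19, 0)); /* constructed pathname socket */
    puts(log_unix("\0jdwp-example", 13, 1));      /* constructed abstract socket */
    return 0;
}
```

In the naive reading, the first two bytes of `sun_path` land in `sin_port` and the next four in `sin_addr`, which is why checking `sa_family` before formatting answers question 1 directly.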
