On Wednesday 01 August 2007 14:09, Bill wrote:
> I'm generating spurious DNS requests from a
> variety of (closed) ephemeral ports. By the time I identify
> the port with tcpdump or snort or ethereal the request has
> been made, answered and the port closed. So I'd like to
> trace the connection back to its source program/process.
> The necessary info isn't present in a pcap dump. So what
> else is there? Any alternative approaches? Any suggestions
> welcome.
Assuming it's not just Bind querying from random ports, try blocking incoming DNS replies to non-Bind ports so that the processes hang around waiting for the replies.

--Mike Bird
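The attribution step that the thread leaves implicit, as an added example (not code posted by Bill or Mike Bird): once the replies are being dropped, the querying process keeps its UDP socket open for the resolver timeout, long enough to read `/proc/net/udp`, pick out sockets whose remote port is 53, and map the socket inode back to a PID through the `/proc/<pid>/fd/` symlinks. This assumes a Linux `/proc` layout and that the resolver `connect()`ed its UDP socket (glibc's does), so the remote column shows `<server>:0035`; a socket used with plain `sendto()` shows a zero remote address and can only be matched on the local port seen in tcpdump, which the `local_port` argument covers. The function and file names here are this example's own.

```python
#!/usr/bin/env python3
"""Attribute DNS-bound UDP sockets to the owning process by reading /proc.

Added example for this thread; not code from the thread itself.
Assumes a Linux /proc layout (/proc/net/udp, /proc/<pid>/fd/*, /proc/<pid>/comm)
and that the querying process connect()ed its UDP socket to the resolver, so the
remote-address column reads <server>:0035.  Sockets driven with plain sendto()
show 00000000:0000 there and can only be matched on the local port from the pcap.
"""
import os
import re
import time

DNS_PORT = 53
SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")


def hex_to_ipv4(h):
    """'0100007F' (byte-reversed, as the kernel prints it on x86) -> '127.0.0.1'."""
    return ".".join(str(b) for b in reversed(bytes.fromhex(h)))


def parse_proc_net_udp(text, local_port=None, dns_port=DNS_PORT):
    """Parse /proc/net/udp text and return the sockets of interest as
    (local_ip, local_port, remote_ip, remote_port, inode) tuples.

    A socket matches if its remote port is dns_port, or if local_port is given
    and equals the socket's local port (the ephemeral port taken from tcpdump).
    """
    matches = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        lip, lport = fields[1].split(":")
        rip, rport = fields[2].split(":")
        lport, rport = int(lport, 16), int(rport, 16)
        inode = int(fields[9])                  # column 10 is the socket inode
        if rport == dns_port or (local_port is not None and lport == local_port):
            matches.append((hex_to_ipv4(lip), lport, hex_to_ipv4(rip), rport, inode))
    return matches


def socket_owners(proc="/proc"):
    """Map socket inode -> (pid, comm) by walking every /proc/<pid>/fd/ symlink.
    Needs root to see other users' processes; unreadable entries are skipped."""
    owners = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                         # process exited, or not ours
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = SOCKET_LINK.match(target)
            if not m:
                continue
            try:
                with open(os.path.join(proc, pid, "comm")) as f:
                    comm = f.read().strip()
            except OSError:
                comm = "?"
            owners[int(m.group(1))] = (int(pid), comm)
    return owners


def find_dns_clients(proc="/proc", local_port=None):
    """One poll: return [(pid, comm, local_port, server_ip)] for live DNS sockets.
    pid is None when the inode could not be mapped (socket closed, or no rights)."""
    with open(os.path.join(proc, "net", "udp")) as f:
        socks = parse_proc_net_udp(f.read(), local_port=local_port)
    owners = socket_owners(proc)
    out = []
    for _lip, lport, rip, _rport, inode in socks:
        pid, comm = owners.get(inode, (None, "?"))
        out.append((pid, comm, lport, rip))
    return out


if __name__ == "__main__":
    # Poll until a matching socket shows up.  With replies dropped as Mike
    # suggests, the socket stays open for the resolver timeout, so a 200 ms
    # poll interval is more than enough to catch it.
    while True:
        hits = find_dns_clients()
        for pid, comm, lport, rip in hits:
            print(f"pid={pid} comm={comm} local_port={lport} server={rip}")
        if hits:
            break
        time.sleep(0.2)
```

Run it as root so every `/proc/<pid>/fd/` is readable; a `pid=None` result means the socket was already gone or belonged to a process you cannot inspect. Mapping through the inode rather than the port is what makes this reliable: ephemeral ports are reused quickly, but an inode is unique for the life of the socket.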

