On Fri, Jan 20, 2012 at 6:34 PM, Grant <emailgr...@gmail.com> wrote:
>>>>> >> My firewall is blocking periodic outbound connections to port 3680 on
>>>>> >> a Rackspace IP. How can I find out more about what's going on? Maybe
>>>>> >> which program is generating the connection requests?
>>>>> >
>>>>> > Uh, a packet sniffer?
>>>>> >
>>>>> > I have an old laptop here that I have a second (cardbus) network card
>>>>> > in. Really cheap and cheerful - the sort of thing you can pick up on
>>>>> > freecycle. It's been a while since I've done anything like this, but you
>>>>> > should be able to stick a box like that between the router and the rest
>>>>> > of your network, run Wireshark and filter on that port. If the
>>>>> > connection is encrypted then at least you'll see the originating IP.
>>>>>
>>>>> I've actually got the originating local IP from the shorewall log.
>>>>> I'm just trying to figure out which program and maybe which user on
>>>>> that system is generating the outbound requests to port 3680. Is
>>>>> there any way to get more info without setting up a new box?
>>>>>
>>>>> > I don't think it's relevant that the IP belongs to Rackspace - don't
>>>>> > they just hire (virtual) servers to anyone that wants one?
>>>>>
>>>>> Yeah I just meant the request could be going to "anyone".
>>>>>
>>>>> - Grant
>>>>
>>>> Are you running NPDS in your LAN and is it configured to access any sites
>>>> on rackspace?
>>>> --
>>>> Regards,
>>>> Mick
>>>
>>> I am not running NPDS. I looked it up when I was researching port
>>> 3680 and read about it for the first time. I know which machine is
>>> making the requests. Any way to drill down further?
>>
>> If the machine is running linux, then 'watch "lsof -n|grep TCP|grep
>> 3680"' as root is a sloppy but effective way to find it. There's
>> probably some way to set up a firewall rule on the host in question
>> that logs out the user and (possibly) PID of the connection, but I
>> don't know.
> All of my systems run Gentoo. :) Where does watch come from?

shortcircuit@saffron ~ $ equery b `which watch`
/usr/lib64/portage/pym/portage/package/ebuild/config.py:353: UserWarning: 'cache.metadata_overlay.database' is deprecated: /etc/portage/modules (user_auxdbmodule, modules_file))
 * Searching for /usr/bin/watch ...
sys-process/procps-3.2.8_p11 (/usr/bin/watch)
shortcircuit@saffron ~ $

Incidentally, does anyone know why all my portage-related executions get that 'cache.metadata_overlay.database' warning? I've been seeing it for weeks, even on fresh installs. I would have assumed a bug like that would have been fixed by now.

--
:wq
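An added example, not code from the thread or from any of its posters: a small POSIX sh/awk helper that does the job of the quoted `lsof -n|grep TCP|grep 3680` one-liner but matches only the remote port of each socket, so a local port or PID that happens to contain "3680" does not produce a false hit, and reports the COMMAND, PID and USER columns that answer the "which program and which user" question. The `lsof` output below is a constructed sample in the column layout `lsof -nP -i TCP` prints; the function names `port_owners_from` and `live_port_owners` are my own choice.

```sh
#!/bin/sh
# Constructed sample of 'lsof -nP -i TCP' output (not real data from the thread).
# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE]
SAMPLE_LSOF='COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     1234   root    3u  IPv4  12345      0t0  TCP 192.168.1.5:22->192.168.1.7:51234 (ESTABLISHED)
curl     4321  grant    5u  IPv4  23456      0t0  TCP 192.168.1.5:43210->10.0.0.9:3680 (SYN_SENT)
python   5555    www    7u  IPv4  34567      0t0  TCP 192.168.1.5:43211->10.0.0.9:3680 (ESTABLISHED)
nginx    6666   root    9u  IPv4  45678      0t0  TCP *:80 (LISTEN)'

# port_owners_from PORT
#   Reads lsof output on stdin and prints "COMMAND PID USER REMOTE" for every
#   TCP socket whose *remote* endpoint is on PORT. Listening sockets (no "->")
#   are skipped, and the local port is never compared, unlike a plain grep.
port_owners_from() {
    port="$1"
    awk -v p="$port" '
        NR > 1 && $8 == "TCP" && $9 ~ /->/ {
            split($9, ep, "->")          # ep[1] = local, ep[2] = remote endpoint
            n = split(ep[2], rem, ":")   # last field is the port; tolerates IPv6 colons
            if (rem[n] == p) print $1, $2, $3, ep[2]
        }'
}

# live_port_owners PORT
#   Same report from the running system. -n skips DNS lookups, -P keeps ports
#   numeric (otherwise lsof may print a service name instead of 3680).
#   Needs root to see other users'"'"' processes, as in the quoted advice.
live_port_owners() {
    lsof -nP -i TCP | port_owners_from "$1"
}

# Demonstration on the constructed sample: the two 10.0.0.9:3680 sockets are found,
# the sshd session (remote port 51234) and the listener are not.
printf '%s\n' "$SAMPLE_LSOF" | port_owners_from 3680
```

To poll it the way the earlier reply suggests, wrap the live form: `watch 'sh -c ". ./port_owners.sh; live_port_owners 3680"'` (file name assumed). Short-lived connections that are already gone by the time `lsof` runs will still be missed; for those, the host-side logging the reply guessed at does exist in my experience as the iptables LOG target's `--log-uid` option (e.g. a rule on OUTPUT for `--dport 3680 -j LOG --log-uid`), which records the UID of the originating process in the kernel log, though not its PID.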