I checked with the strings that I provided in the previous email. The first three gave me proper port numbers.

$ ~/bin/sock_decode 020000358A0F6C0B0000000000000000
020000358A0F6C0B0000000000000000: sa_family: 2 addr: 191631242, port: 53 (13568)
$ ~/bin/sock_decode 0200006F8A0FA5090000000000000000
0200006F8A0FA5090000000000000000: sa_family: 2 addr: 161812362, port: 111 (28416)
$ ~/bin/sock_decode 0200030B8A0FA5090000000000000000
0200030B8A0FA5090000000000000000: sa_family: 2 addr: 161812362, port: 779 (2819)

but the last three didn't:

$ ~/bin/sock_decode 0200000036447A640000000000000000
0200000036447A640000000000000000: sa_family: 2 addr: 1685734454, port: 0 (0)
$ ~/bin/sock_decode 020000003644ECD00000000000000000
020000003644ECD00000000000000000: sa_family: 2 addr: 3505144886, port: 0 (0)
$ ~/bin/sock_decode 02000000369520250000000000000000
02000000369520250000000000000000: sa_family: 2 addr: 622892342, port: 0 (0)

Would you check this out?

/Kangkook

> On Mar 30, 2016, at 7:29 PM, Steve Grubb <[email protected]> wrote:
>
> On Tuesday, March 29, 2016 11:19:24 PM Kangkook Jee wrote:
>> If I understood correctly, connect() should return an error when sin_port field
>> is set with '0'. Would anyone explain this to me or help me fix this
>> problem?
>
> I get 779 as the port from your event.
>
> -Steve
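
Added example (not part of the original email, and not the poster's sock_decode tool): a Python decoder for the saddr hex strings shown above, returning the port and IPv4 address in readable form alongside the raw integers that sock_decode prints. The function name decode_saddr is hypothetical, and the code assumes the records came from a little-endian host, which is consistent with the output in the message.

```python
import ipaddress
import struct

AF_INET = 2  # matches "sa_family: 2" in the output quoted in the message


def decode_saddr(hex_saddr):
    """Decode an audit saddr hex string that holds a struct sockaddr_in."""
    raw = bytes.fromhex(hex_saddr)
    if len(raw) < 8:
        raise ValueError("too short to hold a sockaddr_in")
    # sa_family is in host byte order (assumption: little-endian host).
    (family,) = struct.unpack_from("<H", raw, 0)
    if family != AF_INET:
        raise ValueError("unsupported sa_family %d" % family)
    # sin_port and sin_addr are stored in network byte order (big-endian).
    (port,) = struct.unpack_from(">H", raw, 2)
    addr = str(ipaddress.IPv4Address(raw[4:8]))
    # The same bytes read as little-endian integers: these are the values
    # printed as "(13568)" and "addr: 191631242" in the output above.
    (port_raw,) = struct.unpack_from("<H", raw, 2)
    (addr_raw,) = struct.unpack_from("<I", raw, 4)
    return {"family": family, "addr": addr, "port": port,
            "port_raw": port_raw, "addr_raw": addr_raw}


# The six saddr strings from the message.
SAMPLES = [
    "020000358A0F6C0B0000000000000000",
    "0200006F8A0FA5090000000000000000",
    "0200030B8A0FA5090000000000000000",
    "0200000036447A640000000000000000",
    "020000003644ECD00000000000000000",
    "02000000369520250000000000000000",
]

if __name__ == "__main__":
    for s in SAMPLES:
        d = decode_saddr(s)
        print("%s: %s port %d" % (s, d["addr"], d["port"]))
```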
