On Thursday, March 31, 2016 08:54:30 AM Kangkook Jee wrote:
> but, last three one didn’t
>
> $ ~/bin/sock_decode 0200000036447A640000000000000000
> 0200000036447A640000000000000000: sa_family: 2 addr: 1685734454, port: 0 (0)
> $ ~/bin/sock_decode 020000003644ECD00000000000000000
> 020000003644ECD00000000000000000: sa_family: 2 addr: 3505144886, port: 0 (0)
> $ ~/bin/sock_decode 02000000369520250000000000000000
> 02000000369520250000000000000000: sa_family: 2 addr: 622892342, port: 0 (0)
>
> Would you check this out?

You didn't give the events, but rather the sockaddr field alone. Port 0 is
valid in some uses. It means give me an ephemeral port.

http://lxr.free-electrons.com/source/net/ipv4/inet_connection_sock.c#L90

90 /* Obtain a reference to a local port for the given sock,
91  * if snum is zero it means select any available local port.

-Steve
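
An added example, not part of the original message and not the poster's sock_decode tool: a decoder for the hex sockaddr values quoted above that reports the address in dotted-quad form and treats port 0 as a valid value rather than a decode failure. The names saddr_in4 and decode_saddr are hypothetical, and it assumes an AF_INET sockaddr recorded on a little-endian host.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct saddr_in4 {              /* hypothetical name: decoded AF_INET sockaddr */
    unsigned family;            /* sa_family, 2 == AF_INET */
    unsigned port;              /* sin_port converted from network byte order */
    uint32_t raw_addr;          /* s_addr read as a little-endian integer */
    char ip[INET_ADDRSTRLEN];   /* dotted-quad form of the same four bytes */
};

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Returns 0 on success, -1 on bad hex, wrong length or a non-AF_INET family.
 * Assumption: sa_family is in host order and the recording host was little-endian. */
int decode_saddr(const char *hex, struct saddr_in4 *out)
{
    unsigned char b[16];        /* sizeof(struct sockaddr_in) on Linux */
    if (strlen(hex) != 2 * sizeof(b)) return -1;
    for (size_t i = 0; i < sizeof(b); i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        b[i] = (unsigned char)((hi << 4) | lo);
    }
    out->family = b[0] | ((unsigned)b[1] << 8);
    if (out->family != AF_INET) return -1;
    out->port = ((unsigned)b[2] << 8) | b[3];
    out->raw_addr = ((uint32_t)b[7] << 24) | ((uint32_t)b[6] << 16) | ((uint32_t)b[5] << 8) | b[4];
    return inet_ntop(AF_INET, &b[4], out->ip, sizeof(out->ip)) ? 0 : -1;
}

int main(void)
{
    const char *samples[] = { "0200000036447A640000000000000000",   /* values quoted above */
        "020000003644ECD00000000000000000", "02000000369520250000000000000000" };
    struct saddr_in4 d;
    for (size_t i = 0; i < 3; i++)
        if (decode_saddr(samples[i], &d) == 0)
            printf("%s -> %s port %u%s\n", samples[i], d.ip, d.port, d.port ? "" : " (port 0: valid)");
    return 0;
}
```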
