Thanks. I'm new, so did not realize PIDs are randomly
numbered, which is fantastic. Just for a
fleeting moment I thought I wasn't going to be lonely,
with Theo's shell lurking in the background.


On Tue, Mar 5, 2024 at 8:30 PM Raul Miller <rauldmil...@gmail.com> wrote:
>
> If you want to track which executable was running which pid at a
> specific time, you need to put that information in a log, so you can
> associate pid and time with the executable path.
>
> --
> Raul
>
> On Tue, Mar 5, 2024 at 10:26 AM ofthecentury <ofthecent...@gmail.com> wrote:
> >
> > Well, that's not very noice. Where is security?
> >
> > On Tue, Mar 5, 2024 at 7:45 PM Theo de Raadt <dera...@openbsd.org> wrote:
> >
> > > PID 6504 was my shell.  I've logged off now.
> > >
> > > What are you expecting here??
> > >
> > >
> > > ofthecentury <ofthecent...@gmail.com> wrote:
> > >
> > > > Yes, I'm tcpdumping pflog and ALL my dropped packets
> > > > reference some PID 6504 that is not found among
> > > > the processes that are running. I was actually not fishing
> > > > for PIDs, I just saw the PID referenced in the standard
> > > > tcpdump output. For forensics I just want to find the link
> > > > between PID referenced in tcpdump to the process,
> > > > and I cannot, and I believe I should be able to for security.
> > > >
> > > >
> > > >
> > > > On Tue, Mar 5, 2024 at 7:12 PM Janne Johansson <icepic...@gmail.com> wrote:
> > > >
> > > > > Den tis 5 mars 2024 kl 14:35 skrev ofthecentury <ofthecent...@gmail.com>:
> > > > > >
> > > > > > Hi, I'm on a fresh install of OpenBSD 7.4.
> > > > > > I am watching output of tcpdump and
> > > > > > seeing some drops that all reference
> > > > > > UID 0, pid 6504. I cannot find that PID
> > > > > > among running processes. Does anyone
> > > > > > know what is that process and why it's
> > > > > > not running but tcpdump references it?
> > > > >
> > > > > OpenBSD has random pids, so unless you ask about pid 0 or 1, no one can
> > > > > divine what process had pid 6504 on your system at that time.
> > > > >
> > > > > As for this report, it looks like you are tcpdumping pflog in order to
> > > > > see "drops" with pids, but since you didn't mention what you ran, it's
> > > > > hard to tell. Nor did you state how you looked for pids, perhaps not
> > > > > using all the possible options?
> > > > >
> > > > >
> > > > > --
> > > > > May the most significant bit of your life be positive.
> > > > >
> > >
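Raul's suggestion above, as an added example that is not part of the thread: a small Python correlator that reads a periodic process-snapshot log and resolves the pid in each pflog drop to the executable recorded nearest before the packet's time, refusing matches older than the snapshot interval because random pids are reused. The snapshot log format, the ISO timestamp prefix on the tcpdump lines and all sample values are constructed for this example.

```python
import re
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed snapshot log (format assumed), written periodically by a cron
# job as Raul suggests: timestamp, pid, uid, executable path.
PROC_LOG = """\
2024-03-05T19:40:00 6504 0 /bin/ksh
2024-03-05T19:50:00 6504 0 /bin/ksh
"""

# Constructed pflog lines; only the "[uid N, pid N]" field mentioned in the
# thread is relied on, the ISO timestamp prefix and the rest are assumed.
PFLOG = """\
2024-03-05T19:45:12 rule 2/(match) block out on em0: [uid 0, pid 6504] 10.0.0.5.40001 > 203.0.113.9.443: S
2024-03-05T20:05:01 rule 2/(match) block out on em0: [uid 0, pid 6504] 10.0.0.5.40002 > 203.0.113.9.443: S
2024-03-05T20:05:02 rule 3/(match) block in on em0: 198.51.100.7.53 > 10.0.0.5.4242: udp 40
"""

def load_snapshots(text):
    by_pid = defaultdict(list)  # pid -> time-sorted [(time, path), ...]
    for line in text.splitlines():
        ts, pid, _uid, path = line.split(maxsplit=3)
        by_pid[int(pid)].append((datetime.fromisoformat(ts), path))
    for entries in by_pid.values():
        entries.sort()
    return by_pid

def resolve(by_pid, pid, when, max_age=timedelta(minutes=10)):
    """Executable last recorded for pid at or before `when`, else None: random
    pids get reused, so a sighting older than max_age is not trusted."""
    entries = by_pid.get(pid, [])
    i = bisect_right([t for t, _ in entries], when)
    if i == 0 or when - entries[i - 1][0] > max_age:
        return None
    return entries[i - 1][1]

def correlate(pflog_text, by_pid, max_age=timedelta(minutes=10)):
    results = []  # one (pid, uid, path or None) per pflog line with a pid
    for line in pflog_text.splitlines():
        m = re.match(r"^(\S+) .*?\[uid (\d+), pid (\d+)\]", line)
        if not m:
            continue  # inbound drops carry no local process
        when = datetime.fromisoformat(m.group(1))
        uid, pid = int(m.group(2)), int(m.group(3))
        results.append((pid, uid, resolve(by_pid, pid, when, max_age)))
    return results

print(correlate(PFLOG, load_snapshots(PROC_LOG)))
```

The second drop resolves to None because the last sighting of pid 6504 is 15 minutes old, which is the honest answer once the pid may have been handed to another process.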
