Anonymous
2013-10-31 18:08:58 UTC
Generally, this is how connections can be associated with processes:
$ netstat -atunp
tcp 0 0 127.0.0.1:9050 127.0.0.1:62569 ESTABLISHED 2168/tor
tcp 0 0 127.0.0.1:50595 127.0.0.1:9050 ESTABLISHED 4074/firefox
tcp 0 0 127.0.0.1:9050 127.0.0.1:62568 TIME_WAIT -
tcp 0 0 127.0.0.1:9050 127.0.0.1:50559 ESTABLISHED 2168/tor
tcp 0 0 127.0.0.1:51501 127.0.0.1:9050 ESTABLISHED 4074/thunderbird
tcp 0 0 127.0.0.1:49579 127.0.0.1:16667 ESTABLISHED 3087/mirc
Notice that some apps are simply "tor". How can the tor connections
be traced to the local application?
Suppose Snort reports an attack on port 51346. Netstat and lsof show:
$ netstat -atunp | grep 51346
tcp 0 586 198.162.1.1:51346 78.41.115.145:9001 ESTABLISHED 2168/tor
$ lsof | grep 51346
tor 2168 debian-tor 20u IPv4 10667 0t0 TCP localhost:51346->78.41.115.145:9001 (ESTABLISHED)
Although some connections can be traced to a local application, this
particular one cannot be. How can I find out which local process is
connecting to tor?
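Added example, not part of the original post: one way to list the local clients of Tor's SOCKS port is to pair the two rows that `netstat -atunp` prints for each loopback connection, matching the client's local address against the peer address on the tor-side row. The function names and the sample rows are constructed for illustration; port 9050 is the one shown in the post. Rows for tor's outbound relay connections (such as the one to port 9001) are owned by tor itself and are not matched by this pairing.

```shell
#!/bin/sh
# Pair both ends of loopback connections to the SOCKS port.
# Feed it `netstat -atunp` output (run as root to see other users' PIDs).

SOCKS_PORT=9050   # SOCKS port seen in the post's netstat output

# Constructed sample rows in the same column layout as the post.
sample_netstat() {
cat <<'EOF'
tcp 0 0 127.0.0.1:9050 127.0.0.1:50595 ESTABLISHED 2168/tor
tcp 0 0 127.0.0.1:50595 127.0.0.1:9050 ESTABLISHED 4074/firefox
tcp 0 0 127.0.0.1:9050 127.0.0.1:51501 ESTABLISHED 2168/tor
tcp 0 0 127.0.0.1:51501 127.0.0.1:9050 ESTABLISHED -
tcp 0 0 127.0.0.1:49579 127.0.0.1:16667 ESTABLISHED 3087/mirc
tcp 0 586 192.0.2.10:51346 198.51.100.7:9001 ESTABLISHED 2168/tor
EOF
}

# Prints: <client address> <client PID/name> <SOCKS-side PID/name>
# "-" means netstat could not show the owner; "?" means no SOCKS-side row.
socks_clients() {
    awk -v port="$SOCKS_PORT" '
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
        n = split($4, l, ":"); lport = l[n]      # last field handles IPv6 too
        m = split($5, r, ":"); rport = r[m]
        if (rport == port)      client[$4] = $7  # client end, keyed by its own address
        else if (lport == port) served[$5] = $7  # SOCKS end, keyed by the peer address
    }
    END {
        for (a in client)
            print a, client[a], ((a in served) ? served[a] : "?")
    }' | sort
}

sample_netstat | socks_clients
```
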