[Novalug] Finding PID That Is Querying DNS
Bernie Hoefer
LUG-Member@TheMoreIKnow.info
Wed Oct 3 11:10:56 EDT 2007
Ben Creitz wrote:
===
> How about checking your theory the other way around by looking at what
> sockets mdnsd is opening?
>
> lsof -p $(pid of mdnsd) -a -i
===
Well, I guess I could do that. I'd rather have a way to just
output the PID of the process sending the network data instead of
guessing which process it might be and then watching them.
Maybe it is not mdnsd doing it. I just tried the above, and it
doesn't show open sockets that correspond to the tcpdump data I'm
seeing. (As of this writing, the name queries are coming from port 1033
on my workstation.)
###
> workstation:~ # lsof -p 2944 -a -r 1 -n -P
> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
> mdnsd 2944 mdnsd cwd DIR 8,2 4096 129251 /var/lib/mdnsd
> mdnsd 2944 mdnsd rtd DIR 8,2 4096 129251 /var/lib/mdnsd
> mdnsd 2944 mdnsd txt REG 8,2 174520 436599 /usr/sbin/mdnsd
> mdnsd 2944 mdnsd mem REG 0,0 0 [heap] (stat: No such file or directory)
> mdnsd 2944 mdnsd mem REG 8,2 42109 240086 /lib/libnss_files-2.4.so
> mdnsd 2944 mdnsd mem REG 8,2 87850 240080 /lib/libnsl-2.4.so
> mdnsd 2944 mdnsd mem REG 8,2 1404242 240069 /lib/libc-2.4.so
> mdnsd 2944 mdnsd mem REG 8,2 41986 240090 /lib/libnss_nis-2.4.so
> mdnsd 2944 mdnsd mem REG 8,2 31943 240082 /lib/libnss_compat-2.4.so
> mdnsd 2944 mdnsd mem REG 8,2 124463 244265 /lib/ld-2.4.so
> mdnsd 2944 mdnsd 0u CHR 1,3 2151 /dev/null
> mdnsd 2944 mdnsd 1u CHR 1,3 2151 /dev/null
> mdnsd 2944 mdnsd 2u CHR 1,3 2151 /dev/null
> mdnsd 2944 mdnsd 3u IPv4 7768 UDP *:32768
> mdnsd 2944 mdnsd 4u IPv4 7772 UDP *:5353
> mdnsd 2944 mdnsd 5r REG 8,2 1269 500391 /etc/resolv.conf
> mdnsd 2944 mdnsd 6u sock 0,4 7773 can't identify protocol
> mdnsd 2944 mdnsd 7u unix 0xd64dbe20 7775 /var/run/mdnsd
> mdnsd 2944 mdnsd 8r REG 8,2 1269 500391 /etc/resolv.conf
> =======
###
Thanks for your suggestion, though!
--
Bernie Hoefer
PGP e-mail is welcome! Get my 1024 bit signature key from:
<http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x446A6F93>.
"The more I know, the more I realize how much I do not understand."
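Added example, not part of the original message: one way to go straight from the source port seen in tcpdump (1033 in the post) to a PID, by looking up the socket's inode in /proc/net/udp and then finding the process whose /proc/<pid>/fd entry links to that inode. The function names and the sample table are constructed for illustration; it assumes Linux, and root to see other users' descriptors.

```python
import glob
import os
import re
import sys

# Constructed sample in /proc/net/udp layout: 0x0409 = port 1033, 0x14E9 = 5353.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 9002
   1: 00000000:0409 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 9001
"""


def inodes_for_udp_port(table_text, port):
    """Return socket inodes bound to local `port` in /proc/net/udp-style text."""
    inodes = set()
    for line in table_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        # local_address is HEXADDR:HEXPORT (udp6 only has a longer HEXADDR)
        if int(fields[1].rsplit(":", 1)[1], 16) == port and fields[9] != "0":
            inodes.add(fields[9])
    return inodes


def pids_for_inodes(inodes, proc_root="/proc"):
    """Return the set of PIDs holding a descriptor on one of `inodes`."""
    owners = set()
    for fd in glob.glob(os.path.join(proc_root, "[0-9]*", "fd", "*")):
        try:
            m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(fd))
        except OSError:
            continue  # descriptor closed meanwhile, or not readable without root
        if m and m.group(1) in inodes:
            owners.add(int(fd.split(os.sep)[-3]))  # .../<pid>/fd/<n>
    return owners


if __name__ == "__main__":
    assert inodes_for_udp_port(SAMPLE, 1033) == {"9001"}  # parser sanity check
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 1033
    found = set()
    for table in ("/proc/net/udp", "/proc/net/udp6"):
        if os.path.exists(table):
            with open(table) as f:
                found |= inodes_for_udp_port(f.read(), port)
    print(sorted(pids_for_inodes(found)) or "no owner visible (socket closed?)")
```

This only sees sockets that exist at the moment of the scan, so a process that opens a fresh socket for each query can be missed between polls.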