
BLU Discuss list archive



find the PID doing DNS queries?



On Tue, Mar 03, 2009 at 10:37:30AM -0800, Dan Kressin wrote:
> --- On Tue, 3/3/09, Ben Eisenbraun <bene-Gk2boCrsRs1AfugRpC6u6w at public.gmane.org> wrote:
> > > Is there any way to determine the PID of the process(es) that are doing
> > > the DNS queries?
> > 
> > SystemTap?
> > 
> > http://sourceware.org/systemtap/examples/keyword-index.html#NETWORK
> 
> Looks neat, but seems to require a 2.6 kernel.  Mine are 2.4 (RHEL3)  :(

Yuck.  :-/

iptables has a module that supports blocking/logging network traffic 
from various owners:

http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-7.html#ss7.3

"This module attempts to match various characteristics of the packet creator,
for locally-generated packets. It is only valid in the OUTPUT chain, and even
then some packets (such as ICMP ping responses) may have no owner, and hence
never match.

--pid-owner processid
  Matches if the packet was created by a process with the given process id."

That option plus process accounting can probably lead you to it.

-ben

--
work is the curse of the drinking class.                   <oscar wilde>
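One way to put the owner match and process accounting together on the defending side, as an added example that is not from the original post: it emits OUTPUT-chain rules that log outbound DNS with the sender's uid, parses a kernel LOG line of the kind those rules produce, and looks the uid up in `ps` and `lastcomm`. The chain name, log prefix and sample line are constructed; the host is assumed to have iptables with the `owner` match and the `acct` package.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes iptables with the
# 'owner' match; DNS_LOG, the "DNS-OUT: " prefix and SAMPLE_LOG are made up.

# Print the rules that log outbound DNS from the OUTPUT chain, tagging each
# hit with the sending uid/gid (LOG --log-uid). The --pid-owner option quoted
# in the thread belongs to the 2.4-era owner match; later kernels keep only
# --uid-owner/--gid-owner, so the uid is logged here and the pid is recovered
# afterwards from process accounting, as the post suggests.
dns_log_rules() {
    cat <<'EOF'
iptables -N DNS_LOG
iptables -A DNS_LOG -m limit --limit 10/min -j LOG --log-prefix "DNS-OUT: " --log-uid
iptables -A OUTPUT -p udp --dport 53 -j DNS_LOG
iptables -A OUTPUT -p tcp --dport 53 -j DNS_LOG
EOF
}

# Pull the UID, DST and DPT fields out of one kernel LOG line.
# Usage: parse_dns_log "<line>"   -> prints "uid dst dport"
parse_dns_log() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "UID") uid = kv[2]
            if (kv[1] == "DST") dst = kv[2]
            if (kv[1] == "DPT") dpt = kv[2]
        }
        print uid, dst, dpt
    }'
}

# Constructed sample in the format the LOG target writes to the kernel log.
SAMPLE_LOG='Mar  3 10:40:01 host kernel: DNS-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40000 DPT=53 LEN=40 UID=1000 GID=1000'

# Map a logged uid back to candidate processes: still-running ones via ps,
# already-exited ones via process accounting (lastcomm from the acct package).
processes_for_uid() {
    ps -o pid=,comm= -u "$1" 2>/dev/null
    command -v lastcomm >/dev/null 2>&1 &&
        lastcomm --user "$(id -nu "$1")" 2>/dev/null | head -n 20
}

parse_dns_log "$SAMPLE_LOG"
```

Run `dns_log_rules | sh` as root to install the rules, then feed matching lines from the kernel log to `parse_dns_log` and the resulting uid to `processes_for_uid`.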






BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org