How I can identify which process is making UDP traffic on Linux?

by

Linux auditing can help. It will at least locate users and processes making datagram network connections. UDP packets are datagrams.

First, install the auditd framework on your platform and ensure that auditctl -l returns something, even if it says that no rules are defined.

Then, add a rule to watch the system call socket() and tag it for easy finding later (-k). I need to assume that you are on a 64-bit architecture, but you can substitute b32 in place of the b64 if you aren’t.

auditctl -a exit,always -F arch=b64 -F a0=2 -F a1\&=2 -S socket -k SOCKET

You have to pick through man pages and header files to build this, but what it captures is essentially this system call: socket(PF_INET, SOCK_DGRAM|X, Y), where the third parameter is unspecified but frequently zero. PF_INET is 2 and SOCK_DGRAM is 2. TCP connections would use SOCK_STREAM which would set a1=1. (SOCK_DGRAM in the second parameter may be ORed with SOCK_NONBLOCK or SOCK_CLOEXEC, hence the &= comparison.) The -k SOCKET is our keyword we want to use when searching audit trails later. It can be anything, but I like to keep it simple.

Let a few moments go by and review the audit trails. Optionally, you could force a couple of packets by pinging a host out on the net, which will cause a DNS lookup to occur, which uses UDP, which should trip our audit alert.

ausearch -i -ts today -k SOCKET

And output similar to the section below will appear. I’m abbreviating it to highlight the important parts

type=SYSCALL ... arch=x86_64 syscall=socket success=yes exit=1 a0=2 a1=2 ... pid=14510 ... auid=zlagtime uid=zlagtime ... euid=zlagtime ... comm=ping exe=/usr/bin/ping key=SOCKET

In the above output, we can see that the ping command caused the socket to be opened. I could then run strace -p 14510 on the process, if it was still running. The ppid (parent process ID) is also listed in case it is a script that spawns the problem child a lot.

Now, if you have a lot of UDP traffic, this isn’t going to be good enough and you’ll have to resort to OProfile or SystemTap, both of which are currently beyond my expertise.

This should help narrow things down in the general case.

When you are done, remove the audit rule by using the same line you used to create it, only substitute -a with -d.

auditctl -d exit,always -F arch=b64 -F a0=2 -F a1\&=2 -S socket -k SOCKET

Related Contents:

  1. How can I measure the actual memory usage of an application or process?
  2. What killed my process and why?
  3. What’s the best way to send a signal to all members of a process group?
  4. How to get the start time of a long-running Linux process?
  5. How to prevent a background process from being stopped after closing SSH client in Linux
  6. Threads vs Processes in Linux [closed]
  7. The difference between fork(), vfork(), exec() and clone()
  8. Get exit code of a background process
  9. How do I get the path of a process in Unix / Linux
  10. How to get child process from parent process
  11. dump conf from running nginx process
  12. Linux Process States
  13. top -c command in linux to filter processes listed based on processname
  14. Environment variables of a running process on Unix?
  15. Keeping a linux process running after I logout
  16. How to get pid of just started process
  17. How to sort ps output by process start time?
  18. Testing UDP port connectivity
  19. Dump a linux process’s memory to file
  20. How to get pgrep to display full process info
  21. Linux – How do I see when a process started?
  22. Set max file limit on a running process
  23. If I launch a background process and then log out, will it continue to run?
  24. Linux/Debian – What does ‘pee’ in moreutils do?
  25. Linux: How to measure daily/montly network traffic?
  26. Do background processes get a SIGHUP when logging off?
  27. Iptables: “-p udp –state ESTABLISHED”
  28. How do I start a process in suspended state under Linux?
  29. How do you kill a process tree in linux? [closed]
  30. Sockets found by lsof but not by netstat
  31. How do I log CPU usage per process?
  32. Putting a process in the background without stopping it – (ctrl+z)? [closed]
  33. Best way to kill Zombie and D state processes in linux
  34. How do I kill processes older than “t”?
  35. Determine process using a port, without sudo
  36. find command from PID
  37. What’s a proper way of checking if a PID is running?
  38. How to exit all supervisor processes if one exited with 0 result
  39. Does anyone know a simple way to monitor root process spawn
  40. How do I get the number of (currently) established TCP connections for a specific port?
  41. Meaning of killall -0
  42. How to detect a hidden process in linux?
  43. How to relaunch an executable if it dies
  44. How to list all requests to udp sockets?
  45. Difference between UNIX domain STREAM and DATAGRAM sockets?
  46. Start script after another one (already running) finishes
  47. Linux / Bash, using ps -o to get process by specific name?
  48. Linux free shows high memory usage but top does not
  49. Maximum number of processes in linux [closed]
  50. Linux: process into a service

Leave a Comment