We have an application that sends some data over the TCP/IP network. We don't know which process that would be, but we want to target it. All we know is the following nftables log:

kernel: * OUTPUT * IN= OUT=bond0 SRC=192.168.0.135 DST=104.81.106.31 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39568 DF PROTO=TCP SPT=56784 DPT=443 SEQ=3504435004 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A03AC71A60000000001030309) UID=1000 GID=1000
The process also exits after it sends the packet, which happens really fast. How can we find out the PID/name/path of the process?
Comments:

wget, but in this case I knew what it was, but let's pretend we don't know that, and we want to find out what application that can be, so if in the future some app would get logged by nftables, we would know how to target it. – Mikhail Morfikov Feb 06 '19 at 09:52

forkstat in Debian which is kind of a (quite unsatisfactory) sample program using the proc connector. – Feb 06 '19 at 10:36

forkstat can do the job, so can lastcomm --debug $USER, I think this will be sufficient for my needs. I leave the question open, maybe someone knows some better/automated way to do this. – Mikhail Morfikov Feb 06 '19 at 10:50

auditd option is the best one. – Mikhail Morfikov Feb 07 '19 at 17:55
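The following is an added example, not code from the question or from any of the commenters. It parses a LOG line of the shape shown in the question into its fields (the prefix between the asterisks, the key=value pairs, the bare flag tokens such as DF and SYN, and the TCP options hex after OPT), extracts the 5-tuple plus UID/GID that identify the connection, and builds the auditd rule the last comment settles on. auditctl and ausearch and their flags are real auditd tooling; the rule key "nft-egress" is a placeholder chosen here, and the sample log line is a constructed copy of the one in the question. The reason a syscall audit rule suits a process that exits immediately after sending is that the connect(2) record is written at syscall time with the pid, comm and exe of the caller, so there is nothing to catch "live".

```python
import re

# Constructed copy of the nftables LOG line quoted in the question.
SAMPLE_LOG = (
    "kernel: * OUTPUT * IN= OUT=bond0 SRC=192.168.0.135 DST=104.81.106.31 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=39568 DF PROTO=TCP SPT=56784 DPT=443 SEQ=3504435004 "
    "ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A03AC71A60000000001030309) "
    "UID=1000 GID=1000"
)


def parse_nft_log(line):
    """Parse one nftables/iptables LOG line into a dict.

    key=value tokens become entries (an empty value such as IN= stays ""),
    bare tokens such as DF or SYN are collected under "flags", the log
    prefix between the asterisks goes under "prefix", and the hex blob in
    parentheses after OPT goes under "OPT".
    """
    result = {"flags": []}
    m = re.search(r"\*\s*(.*?)\s*\*", line)
    body = line
    if m:
        result["prefix"] = m.group(1)
        body = line[m.end():]          # drop "kernel: * PREFIX *"
    opt = re.search(r"OPT\s*\(([0-9A-Fa-f]+)\)", body)
    if opt:
        result["OPT"] = opt.group(1).upper()
        body = body[:opt.start()] + body[opt.end():]
    for tok in body.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            result[key] = value
        else:
            result["flags"].append(tok)
    return result


def egress_tuple(parsed):
    """Return the fields a defender needs to attribute the connection:
    (proto, src, sport, dst, dport, uid, gid)."""
    return (
        parsed.get("PROTO"),
        parsed.get("SRC"),
        parsed.get("SPT"),
        parsed.get("DST"),
        parsed.get("DPT"),
        parsed.get("UID"),
        parsed.get("GID"),
    )


def audit_rules(parsed, key="nft-egress"):
    """Build auditctl rules that record every connect(2) made by the UID
    seen in the log, plus the ausearch command to read them back.

    Syscall rules need an explicit arch, so both 64- and 32-bit ABIs are
    covered. The key name is a placeholder; pick any label you like.
    """
    uid = parsed["UID"]
    return [
        f"auditctl -a always,exit -F arch=b64 -S connect -F uid={uid} -k {key}",
        f"auditctl -a always,exit -F arch=b32 -S connect -F uid={uid} -k {key}",
        f"ausearch -k {key} -i",   # shows pid, comm, exe and the SOCKADDR record
    ]


if __name__ == "__main__":
    fields = parse_nft_log(SAMPLE_LOG)
    print("connection:", egress_tuple(fields))
    print("flags:", fields["flags"], "tcp options:", fields.get("OPT"))
    for cmd in audit_rules(fields):
        print(cmd)
```

Once the rules are loaded, the ausearch output for the matching SYSCALL record names the process (pid, comm, exe, cwd) and the SOCKADDR record carries the destination address and port, which can be matched against DST/DPT from the nftables line. Removing the rules afterwards is `auditctl -d` with the same arguments, or `auditctl -D` to clear everything.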