Wireshark-users: Re: [Wireshark-users] PID as column on Wireshark
From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Thu, 1 Oct 2009 14:16:10 +1000
These are all good and, certainly in general terms, are the way to map TCP services (and hence protocols) to services.
However, if you want to do EXACTLY what the original poster wanted, this doesn't work. In Nicolas' example, if you see an HTTP request coming in from, say, 1.2.3.4 on TCP port 12345 connecting to <server_host_IP_address> on port 80, all you can say is that ONE of the 9 httpd processes received the request, but you can't say which one. This might be important if you are trying to, say, determine if you have a session persistence issue or the like.
Regards, Martin
MartinVisser99@xxxxxxxxx
On Tue, Sep 29, 2009 at 6:51 PM, Nicolas BONNAND <nbonnand@xxxxxxx> wrote:
Hi,
On Linux, try lsof -i.
Example:
# lsof -i tcp:80
COMMAND  PID   USER    FD  TYPE  DEVICE  SIZE  NODE  NAME
httpd    3593  root    3u  IPv6  8113          TCP   *:http (LISTEN)
httpd    6959  apache  3u  IPv6  8113          TCP   *:http (LISTEN)
httpd    6960  apache  3u  IPv6  8113          TCP   *:http (LISTEN)
httpd    6961  apache  3u  IPv6  8113          TCP   *:http (LISTEN)
httpd    6962  apache  3u  IPv6  8113          TCP   *:http (LISTEN)
httpd    6963  apache  3u  IPv6  8113          TCP   *:http (LISTEN)
httpd    6964  apache  3u  IPv6  8113          TCP   *:http (LISTEN)
httpd    6965  apache  3u  IPv6  8113          TCP   *:http (LISTEN)
httpd    6966  apache  3u  IPv6  8113          TCP   *:http (LISTEN)
Examples taken from lsof man:
---------------------------------------
-i6                      - IPv6 only
TCP:25                   - TCP and port 25
@1.2.3.4                 - Internet IPv4 host address 1.2.3.4
@[3ffe:1ebc::1]:1234     - Internet IPv6 host address 3ffe:1ebc::1, port 1234
UDP:who                  - UDP who service port
TCP@xxxxxxxxx:513        - TCP, port 513 and host name lsof.itap
tcp@foo:1-10,smtp,99     - TCP, ports 1 through 10, service name smtp, port 99, host name foo
tcp@bar:smtp-nameserver  - TCP, ports smtp through nameserver, host bar
:time                    - either TCP or UDP time service port
Regards
Nicolas
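
Added example (not part of the original thread, and not Wireshark or lsof code): a small parser for the default lsof -i output quoted above. It shows why a LISTEN row alone is ambiguous when several httpd processes share one listening socket, and how a connected-socket row identifies a single PID. The ESTABLISHED row, the address 10.0.0.5, the device number 20481 and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: three LISTEN rows from the post plus one ESTABLISHED row
# (that row, its address 10.0.0.5 and device 20481 are assumptions).
SAMPLE = """\
COMMAND  PID USER   FD TYPE DEVICE SIZE NODE NAME
httpd   3593 root   3u IPv6   8113      TCP  *:http (LISTEN)
httpd   6959 apache 3u IPv6   8113      TCP  *:http (LISTEN)
httpd   6960 apache 3u IPv6   8113      TCP  *:http (LISTEN)
httpd   6960 apache 9u IPv6  20481      TCP  10.0.0.5:http->1.2.3.4:12345 (ESTABLISHED)
"""

NAME_RE = re.compile(r"(\S+?)(?:->(\S+))?(?: \((\w+)\))?$")

def parse_lsof(text):
    """Parse default `lsof -i` output; tolerates the blank SIZE column."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        # NODE holds the protocol. Locate it rather than counting columns,
        # because SIZE is empty for these sockets and shifts the fields.
        idx = next((i for i, t in enumerate(f) if i >= 6 and t in ("TCP", "UDP")), None)
        m = NAME_RE.match(" ".join(f[idx + 1:])) if idx is not None else None
        if not m:
            continue
        rows.append({"pid": int(f[1]), "device": f[5], "proto": f[idx],
                     "local": m.group(1), "remote": m.group(2), "state": m.group(3)})
    return rows

def listeners(rows):
    """(proto, local endpoint) -> PIDs that hold that listening socket."""
    out = defaultdict(set)
    for r in rows:
        if r["state"] == "LISTEN":
            out[(r["proto"], r["local"])].add(r["pid"])
    return {k: sorted(v) for k, v in out.items()}

def owner_of(rows, remote):
    """PIDs holding a connected socket whose peer is `remote`."""
    return sorted({r["pid"] for r in rows if r["remote"] == remote})

if __name__ == "__main__":
    rows = parse_lsof(SAMPLE)
    for key, pids in listeners(rows).items():
        note = "ambiguous" if len(pids) > 1 else "unique"
        print(key, pids, note)
    print("1.2.3.4:12345 ->", owner_of(rows, "1.2.3.4:12345"))
```

A connected socket is listed only while the connection is open, so the lsof snapshot has to be taken during the capture for the lookup to return a PID.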