How to determine which process sends UDP packets periodically to an IP address?

Question

I tried looping with netstat and but the packets are small and not frequent so do not get caught (can still see them with tcpdump). Need to know which process sends those packets.

score 2 · Accepted Answer · answered Mar 27 '12 at 14:55

Check tcpdump for the source port number of the packets. Then run

sudo netstat -a -u -n --program

Look for the PID/Program name matching the source port number.

This assumes that the sending process is leaving its socket open between sends, which is what any normal program would do. If you are dealing a program that is deliberately trying to hide itself, that's whole different story.

score -1 · Answer 2 · answered Mar 21 '12 at 08:52

I guess it should be possible with QUEUE target in iptables. But you'd need to write an userspace application to "check" those packets (and this appication could help you to know which process sends those packets). Sorry, I haven't got more details.

How to determine which process sends UDP packets periodically to an IP address?

2 Answers2