
After closing all applications, tcpdump shows my Mac occasionally sending packets to a handful of IPs. They are bursts of packets with no data payload and unusual TCP sequence numbers (like a covert channel). Is there a way to determine which process originated these packets, from the command line or programmatically?

Note: I am already using ipfw to filter the destination IPs, so I am not worried about data exfiltration.


3 Answers


I would be lazy and just install Little Snitch (free trial available) ;)

However, if it is a TCP connection, you should be able to find the culprit easily with netstat, provided you check during or shortly after the suspicious packets are sent.

And if you want to get really fancy, write yourself a kernel extension that does what you need. Apple has a nice guide, and even sample code, for exactly that.

answered 2011-06-16T23:50:55.777

Apple has modified tcpdump so that it supports some metadata options. From the Mac OS X tcpdump man page:

 -k     Control the display of packet metadata via an optional metadata_arg argument. This is useful when displaying packet saved in the pcap-ng file format
          or with interfaces that support the PKTAP data link type.

          By default, when the metadata_arg optional argument is not specified, any available packet metadata information is printed out.

          The metadata_arg argument controls the display of specific packet metadata information using a flag word, where each character corresponds to a type
          of packet metadata as follows:

                 I     interface name (or interface ID)
                 N     process name
                 P     process ID
                 S     service class
                 D     direction
                 C     comment

          This is an Apple modification.

So when running tcpdump with -k N, we can see the process name:

19:12:51.823518 pid Google Chrome.313 svc BK IP 192.168.100.191.49424 > 216.58.209.133.443: Flags [.], ack 74, win 4093, options [nop,nop,TS val 507317615 ecr 3185588461], length 0
19:12:51.823518 pid Google Chrome.313 svc BK IP 192.168.100.191.49424 > 216.58.209.133.443: Flags [.], ack 329, win 4088, options [nop,nop,TS val 507317615 ecr 3185588462], length 0

answered 2016-02-28T18:17:09.743
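Once tcpdump is run with `-k NP`, every line carries the process name and PID, so the question's symptom (repeated packets to a few IPs that never carry payload) can be attributed to a process by parsing the capture. The script below is an added example and not part of the answer above or of Apple's tcpdump; it parses lines in the format quoted above, aggregates per process and destination, and lists flows that sent several packets without ever carrying payload. The two Google Chrome lines are taken from the answer; the `example-agent` and `Safari` lines, and the IPs 203.0.113.5 and 198.51.100.7, are constructed sample input. A line captured without `-k` (no `pid` field) is skipped rather than mis-parsed.

```python
import re
from collections import defaultdict

# Line shape produced by Apple's tcpdump with "-k NP": the process name and
# PID precede the usual "IP src > dst: Flags [...] ... length N" text.
# The process name may contain spaces and dots, so the PID is taken as the
# last dot-separated number before " svc ".
TCPDUMP_K_RE = re.compile(
    r"^(?P<ts>\S+) pid (?P<proc>.+?)\.(?P<pid>\d+) svc (?P<svc>\S+) "
    r"IP6? (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\].*?"
    r"length (?P<length>\d+)$"
)


def split_host_port(endpoint):
    """tcpdump writes host.port; the port is the last dot-separated field."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_line(line):
    """Return a dict for one tcpdump -k NP TCP line, or None if it lacks metadata."""
    m = TCPDUMP_K_RE.match(line.strip())
    if not m:
        return None  # not a TCP line, or tcpdump was run without -k
    return {
        "time": m["ts"],
        "process": m["proc"],
        "pid": int(m["pid"]),
        "service_class": m["svc"],
        "src": split_host_port(m["src"]),
        "dst": split_host_port(m["dst"]),
        "flags": m["flags"],
        "payload_len": int(m["length"]),
    }


def summarize(lines):
    """Per (process, pid, dst_ip, dst_port): packet count, payload bytes, SYN count."""
    stats = defaultdict(lambda: {"packets": 0, "payload_bytes": 0, "syns": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["process"], rec["pid"], rec["dst"][0], rec["dst"][1])
        s = stats[key]
        s["packets"] += 1
        s["payload_bytes"] += rec["payload_len"]
        if "S" in rec["flags"]:  # SYN flag set (connection attempts)
            s["syns"] += 1
    return dict(stats)


def payload_free_talkers(stats, min_packets=2):
    """Flows that sent several packets but never any payload: the symptom in the question."""
    return sorted(key for key, s in stats.items()
                  if s["packets"] >= min_packets and s["payload_bytes"] == 0)


# Constructed sample capture: the first two lines are quoted from the answer,
# the remaining ones are invented (hypothetical process names and documentation IPs).
SAMPLE = [
    "19:12:51.823518 pid Google Chrome.313 svc BK IP 192.168.100.191.49424 > 216.58.209.133.443: Flags [.], ack 74, win 4093, options [nop,nop,TS val 507317615 ecr 3185588461], length 0",
    "19:12:51.823518 pid Google Chrome.313 svc BK IP 192.168.100.191.49424 > 216.58.209.133.443: Flags [.], ack 329, win 4088, options [nop,nop,TS val 507317615 ecr 3185588462], length 0",
    "19:12:52.000100 pid example-agent.4242 svc BE IP 192.168.100.191.50001 > 203.0.113.5.8080: Flags [S], seq 1000001, win 65535, options [mss 1460], length 0",
    "19:12:52.000200 pid example-agent.4242 svc BE IP 192.168.100.191.50002 > 203.0.113.5.8080: Flags [S], seq 1000002, win 65535, options [mss 1460], length 0",
    "19:12:52.100000 pid Safari.501 svc BE IP 192.168.100.191.50100 > 198.51.100.7.443: Flags [P.], seq 1:101, ack 1, win 2048, length 100",
    "19:12:52.200000 IP 192.168.100.191.50100 > 198.51.100.7.443: Flags [.], ack 1, win 2048, length 0",
]

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for key, s in sorted(stats.items()):
        print(key, s)
    print("payload-free flows:", payload_free_talkers(stats))
```

In practice the input would be `sudo tcpdump -k NP -n -i en0 tcp` piped into the script; the Chrome ACKs show why `payload_free_talkers` alone is not a verdict, since ordinary acknowledgements also have length 0, so the SYN count and the destination set are what separate idle keep-alives from a process repeatedly probing a few addresses.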

I had the same question, with one exception: my TCP traffic was on lo0 and it was not established, but some process was trying to connect to localhost on some port. My task was to identify who was trying to connect. Little Snitch was useless at that point.

But I found that nettop is pretty helpful. I found a process in its output constantly changing TCP connection states (SynSent/Fin/etc.), and it was what I was looking for.

answered 2015-02-24T22:39:23.337