I'm trying to figure out how one would go about determining which application on my Linux box is sending a particular DNS query to my Bind server. I've been toying with the following command:
How can I get this to show me the actual application (port and possibly PID)?
asked 18 Oct '13, 08:41
With normal packet captures there is no way of identifying the application or PID from the packets, because all you can see is what port the packet was sent from.
Otherwise you could try to use netstat on the box that does the name resolution and match it to the port numbers the DNS query uses, but since it is a UDP communication the port is opened and closed almost instantly, so the chances of running netstat in exactly the millisecond when it is open are going to be like trying to win the lottery.
answered 18 Oct '13, 08:53
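The netstat correlation described in this answer can be automated rather than done by hand: read /proc/net/udp (the table netstat itself prints), take the inode of the socket bound to the source port seen in the capture, and look for that inode under /proc/<pid>/fd. The script below is an added example written for this page, not code from the answer above; it assumes a Linux /proc layout, GNU sleep for sub-second polling, and root privileges to read other users' fd directories. The sample table it parses is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original answer): automate the netstat-style
# correlation by reading /proc/net/udp directly and resolving the socket inode
# to the PID that holds it. Run as root to inspect other users' /proc/<pid>/fd.

# Print "local_port remote_port inode" for each socket row of a /proc/net/udp
# or /proc/net/udp6 table read on stdin. Addresses and ports are hex in that
# file ("0100007F:0035" is 127.0.0.1:53) and the inode is the 10th column.
# Header rows (no ':' in the address column) are skipped.
parse_proc_net_udp() {
    while read -r _sl local rem _st _q _tm _rt _uid _to inode _rest; do
        case $local in *:*) ;; *) continue ;; esac
        lport=$((0x${local##*:}))
        rport=$((0x${rem##*:}))
        echo "$lport $rport $inode"
    done
}

# Inode of the UDP socket bound to local port $1, using the table on stdin
# (prints nothing if no such socket exists).
inode_for_port() {
    parse_proc_net_udp | awk -v p="$1" '$1 == p { print $3; exit }'
}

# PID owning the socket with inode $1, found by scanning every /proc/<pid>/fd
# for a link of the form "socket:[<inode>]".
pid_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        echo "${pid%%/*}"
        return 0
    done
    return 1
}

# Live use: resolve the UDP source port seen in the capture to a process,
# checking both the IPv4 and IPv6 tables.
port_to_process() {
    inode=$(cat /proc/net/udp /proc/net/udp6 2>/dev/null | inode_for_port "$1")
    [ -n "$inode" ] || { echo "no UDP socket bound to port $1" >&2; return 1; }
    pid=$(pid_for_inode "$inode") || { echo "inode $inode not owned by any process" >&2; return 1; }
    echo "port $1 -> pid $pid ($(tr '\0' ' ' </proc/$pid/cmdline))"
}

# Because a resolver socket only lives for the round trip, poll the tables in
# a tight loop and report every socket connected to port 53. The glibc resolver
# connect()s its UDP socket, so the server shows up in the remote column; an
# unconnected socket (remote 00000000:0000) would not match this filter.
watch_dns_sockets() {
    while :; do
        cat /proc/net/udp /proc/net/udp6 2>/dev/null | parse_proc_net_udp |
        while read -r lport rport inode; do
            [ "$rport" = 53 ] || continue
            pid=$(pid_for_inode "$inode") || continue
            echo "$(date +%T) pid=$pid comm=$(cat /proc/$pid/comm) sport=$lport"
        done
        sleep 0.05
    done
}

# Constructed sample of /proc/net/udp (not captured from a real host): one
# resolver socket bound to 127.0.0.1:35387 and connected to 127.0.0.1:53.
SAMPLE_UDP_TABLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
 1234: 0100007F:8A3B 0100007F:0035 01 00000000:00000000 00:00000000 00000000  1000        0 24680 2 0000000000000000 0'

# Usage: ./dnspid.sh watch        (poll for resolver sockets)
#        ./dnspid.sh 35387        (resolve one source port from a capture)
case ${1:-} in
    watch) watch_dns_sockets ;;
    [0-9]*) port_to_process "$1" ;;
esac
```

Running `watch` while the query is reproduced is the practical way around the timing problem the answer describes: a socket that lives only a few milliseconds is still caught by a 50 ms poll most of the time, and a query that waits on a slow or unreachable server stays visible for the whole resolver timeout.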
First install systemtap
Then, if your kernel supports CONFIG_UTRACE, you can run the following script
Please replace the path of libc with the one on your system!!
answered 21 Oct '13, 03:45
Kurt Knochner ♦
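The answer above does not reproduce its script, so here is an added example of the same approach, written for this page and not taken from the answer: a SystemTap user-space probe on the glibc resolver entry points getaddrinfo() and gethostbyname(), printing the calling process and PID for every lookup. It assumes stap is installed, the kernel has user-space probe support (CONFIG_UTRACE on the older kernels the answer refers to), and that the libc path can be discovered with ldd instead of being hard-coded; the wrapper around the probe script is shell so the path step is handled automatically.

```shell
#!/bin/sh
# Added example (not the script from the original answer): a SystemTap
# user-space probe on the glibc resolver entry points, so every lookup is
# printed with the calling process name and PID. Assumes stap is installed and
# the kernel has uprobes support (CONFIG_UTRACE on older kernels).

# Find the libc actually mapped by a reference binary rather than hard-coding a
# distribution-specific path (the "replace the path of libc" step above).
libc_path() {
    ldd "${1:-/bin/ls}" | awk '/libc\.so/ { print $3; exit }'
}

# Emit the probe script for the libc at path $1. Without glibc debuginfo the
# parameter names ($name, $node) are not available to stap, so the first
# argument is read through the architecture-neutral pointer_arg() helper.
# Probing the shared object itself (rather than one executable) catches every
# process that loads it, which is what we want when the caller is unknown.
stap_script() {
    cat <<EOF
probe process("$1").function("getaddrinfo") {
    printf("%-12s pid=%d ppid=%d getaddrinfo(\\"%s\\")\\n",
           execname(), pid(), ppid(), user_string(pointer_arg(1)))
}
probe process("$1").function("gethostbyname") {
    printf("%-12s pid=%d ppid=%d gethostbyname(\\"%s\\")\\n",
           execname(), pid(), ppid(), user_string(pointer_arg(1)))
}
EOF
}

# Live use: needs root or membership in the stapdev/stapusr groups.
run_trace() {
    libc=$(libc_path) || return 1
    [ -r "$libc" ] || { echo "could not locate libc via ldd" >&2; return 1; }
    stap -e "$(stap_script "$libc")"
}

# Usage: ./dnstrace.sh run
[ "${1:-}" = run ] && run_trace
```

Two caveats a practitioner should expect: a program that ships its own resolver (a browser, or anything linked statically or against a non-glibc libc) never enters these functions and will not be reported, and a lookup served from nscd or a local cache still shows up here even though no packet reaches the Bind server, so the probe output and the capture have to be matched by name and time rather than assumed identical.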