tracing connections from a tor daemon to local process

Generally, this is how connections can be associated with processes:

  $ netstat -atunp

  tcp  0 0  ESTABLISHED 2168/tor
  tcp  0 0   ESTABLISHED 4074/firefox
  tcp  0 0  TIME_WAIT   -
  tcp  0 0  ESTABLISHED 2168/tor
  tcp  0 0   ESTABLISHED 4074/thunderbird
  tcp  0 0  ESTABLISHED 3087/mirc

Notice that some apps are simply "tor".  How can the tor connections
be traced to the local application?

Suppose Snort reports an attack on port 51346.  Netstat and lsof show:

  $ netstat -atunp | grep 51346
  tcp 0 586  ESTABLISHED 2168/tor        

  $ lsof | grep 51346
  tor  2168 debian-tor  20u  IPv4  10667  0t0  TCP  localhost:51346-> (ESTABLISHED)

Although some connections can be traced to a local application, this
particular case does not.  How can I find out which local process is
connecting to tor?

Re: tracing connections from a tor daemon to local process

Use "lsof -p 2168" to see the other open files for this process. Look  
for pipes, Unix-domain sockets, and ptys that connect it to some other  

Barry Margolin,
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
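
An added example, not part of the thread: when a client reaches tor over a loopback TCP socket, the same connection appears twice in `netstat -atunp`, once owned by tor and once owned by the client with the two addresses swapped, so the pair can be matched up. The names `tor_peers` and `sample_netstat`, the sample lines, and the use of 9050 (Tor's default SOCKS port) are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `netstat -atunp` output on stdin
# and, for each loopback TCP socket owned by the named daemon, prints the
# owner of the socket at the other end of that connection.
# Live use (as root, so netstat can show other users' PIDs):
#   netstat -atunp | tor_peers tor
tor_peers() {
    awk -v daemon="${1:-tor}" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n++; loc[n] = $4; rem[n] = $5; who[n] = $7
            owner[$4 ">" $5] = $7          # index by local>foreign
        }
        END {
            for (i = 1; i <= n; i++) {
                split(who[i], p, "/")      # "2168/tor" -> pid, name
                if (p[2] != daemon) continue
                # Only loopback pairs have a local peer; sockets to
                # remote hosts are skipped.
                if (loc[i] !~ /^(127\.|::1:)/) continue
                if (rem[i] !~ /^(127\.|::1:)/) continue
                k = rem[i] ">" loc[i]      # same connection, seen from the peer
                peer = (k in owner) ? owner[k] : "unknown"
                print loc[i], rem[i], peer
            }
        }'
}

# Constructed sample input: every address, port and PID below is made up.
# The 40999 line deliberately has no peer line, to show the "unknown" case.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address    Foreign Address    State       PID/Program name
tcp   0 0 127.0.0.1:9050    127.0.0.1:40112    ESTABLISHED 2168/tor
tcp   0 0 127.0.0.1:40112   127.0.0.1:9050     ESTABLISHED 4074/firefox
tcp   0 0 127.0.0.1:9050    127.0.0.1:40250    ESTABLISHED 2168/tor
tcp   0 0 127.0.0.1:40250   127.0.0.1:9050     ESTABLISHED 3087/mirc
tcp   0 0 127.0.0.1:9050    127.0.0.1:40999    ESTABLISHED 2168/tor
tcp   0 0 192.0.2.10:44321  198.51.100.7:9001  ESTABLISHED 2168/tor
tcp   0 0 192.0.2.10:50000  203.0.113.5:443    TIME_WAIT   -
EOF
}

sample_netstat | tor_peers tor
```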
