A few tips for network troubleshooting

Recently, a person told me that he observed huge amount of certain network traffic (NIS) generated by a bunch of client machines and he would like to track down the processes that are generating such unwanted traffic. Here are some tips for identify such suspect:

Assuming that the source and destination IP/host names are known, you can use the following command to figure out the port numbers of the traffic:
snoop -d -V

For Linux, use tcpdump.

Once you have the port numbers, then you can run the following command to identify the processes that are opening these port numbers:
lsof -i |less

Then use “/” to search for the port numbers. Alternatively, you can pipe to grep use that to search the port number.

For the question that was raised to me, the person also told me that he specified “protocol file” in /etc/nsswitch.conf, so he wasn’t expect the type of network traffic he observed. To get some insights on which process might be the suspect for ignoring such configuration, you can run the following Dtrace to identify which process is opening /etc/nsswitch.conf:
dtrace -n 'syscall::open*:entry { printf("%s %d %s",execname,curpsinfo->pr_pid, copyinstr(arg0)); }'

Special thanks to Prashant S. and Mayur S., for the tips.

Advertisements

One thought on “A few tips for network troubleshooting

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s