Score:1

How to find out the program from iptables log

Testing ping on Ubuntu 22.04:

Host A IPv6: 1111:1111:1111:1111:1111:1111:1111:1111
Host B IPv6: 2222:2222:2222:2222:2222:2222:2222:2222

Host A:

Now execute a ping from Host A with the following bash command:

root@host_a:~# ping -6 2222:2222:2222:2222:2222:2222:2222:2222

Host B:

iptables dropped some packets and logged them to the file:

Dec 7 18:21:52 host_b kernel: [ 988.996335] dropped output: IN= OUT=ens33 SRC=192.168.1.1 DST=192.168.2.1 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=52289 PROTO=UDP SPT=41151 DPT=53 LEN=63 UID=113 GID=118

Dec 7 18:21:52 host_b kernel: [ 988.998359] dropped output: IN= OUT=ens33 SRC=2222:2222:2222:2222:2222:2222:2222:2222 DST=1111:1111:1111:1111:1111:1111:1111:1111 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0

Dec 7 18:21:53 host_b kernel: [ 990.001075] dropped output: IN= OUT=ens33 SRC=2222:2222:2222:2222:2222:2222:2222:2222 DST=1111:1111:1111:1111:1111:1111:1111:1111 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0

In the first log line, there is UID and GID info:

UID=113 GID=118

We can find the user by using this method:

root@host_b:~# getent passwd 113

But for the 2nd and 3rd lines there is no UID or GID in the log.

Question:

How to find out which program is sending out the following network packets?

PROTO=ICMPv6 TYPE=136 CODE=0

Note: Based on the iptables log, this "Unknown" program accepts incoming ICMPv6 packets and then sends out outgoing ICMPv6 packets, but iptables can't log the UID and GID of that "Unknown" program when the packet is dropped by the rule.

Raffa
Related: https://askubuntu.com/q/1442143/968501
Score:1

See Neighbour Discovery Protocol. The blocked ICMP messages belong to the IPv6 stack. Blocking them is not a good idea. The stack is part of the kernel, not a user process. There is no UID/GID of a user process.
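
The distinction drawn in the answer above, as an added example that is not part of the original thread: a small Python classifier that separates iptables LOG lines carrying a socket owner (UID/GID fields) from Neighbor Discovery messages generated by the kernel's IPv6 stack. The function names and category labels are this example's own; the two sample lines are copied from the question.

```python
import re

# ICMPv6 Neighbor Discovery message types (RFC 4861). The kernel's IPv6 stack
# emits these itself, so no user process owns the packet.
NDP_TYPES = {
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
    137: "Redirect",
}

# KEY=value pairs as written by the LOG target (value may be empty, e.g. "IN=").
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# The first two log lines from the question above.
SAMPLE = [
    "Dec 7 18:21:52 host_b kernel: [ 988.996335] dropped output: IN= OUT=ens33 "
    "SRC=192.168.1.1 DST=192.168.2.1 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=52289 "
    "PROTO=UDP SPT=41151 DPT=53 LEN=63 UID=113 GID=118",
    "Dec 7 18:21:52 host_b kernel: [ 988.998359] dropped output: IN= OUT=ens33 "
    "SRC=2222:2222:2222:2222:2222:2222:2222:2222 "
    "DST=1111:1111:1111:1111:1111:1111:1111:1111 LEN=72 TC=0 HOPLIMIT=255 "
    "FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0",
]


def parse_fields(line):
    """Return the KEY=value pairs of one log line (last value wins on repeats)."""
    return dict(FIELD_RE.findall(line))


def classify(line):
    """Return (category, detail) describing who originated the logged packet."""
    f = parse_fields(line)
    if "UID" in f:
        # A local socket owner was logged: resolve the UID to find the account.
        return ("user-socket", f"uid={f['UID']} gid={f.get('GID')}")
    icmp_type = f.get("TYPE", "")
    if f.get("PROTO") == "ICMPv6" and icmp_type.isdigit() and int(icmp_type) in NDP_TYPES:
        # Neighbor Discovery traffic: originated by the kernel, no process to find.
        return ("kernel-ndp", NDP_TYPES[int(icmp_type)])
    return ("unattributed", f.get("PROTO", "?"))


if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
```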
