Hi,

I noticed that on my solaris 8 server, netstat revealed some UDP ports are open that have no corresponding processes and are listed as "reserved" on IANA. When I reboot the server they go off but later after the server is up they are on. I do not see the ports in any startup scripts, they are not in /etc/inetd.conf, so I was wondering if I could use netcat in some way to try and find a process that might light-up if I send something to the port. I have tried to use "nemesis" to send packets to the port but I don't see anything.

Any suggestions would be helpful.

Well, since UDP is connectionless, you are going to have a heck of a time with traditional tools like that. My personal suggestion, is get wireshark, and set the filters to only deal with UDP, and only deal with the ports in question. Then run wireshark, and keep an eye on it.... when data is either sent to or received from the port, wireshark will show it to you, and I believe pretty much in all the layers of the OSI model (at least up to session and down to data-link). At the very least, this can help you see what information is being transmitted on these ports... which should help narrow down WHAT exactly you are dealing with.

Thank you for the information. I noticed when I rebooted one of the servers that has a number of the strange ports listed, the ports went off. Then sometime before the next morning when I checked again, they were on.

Can I leave wireshark on and have it post to a log that I can check from time to time to see if the ports are on and what turned it on? Is it very resource intensive becuase the server with alot of the ports on is a production server.

Thank you very much.

Christine

Yes, Yes you can. However, wireshark may use a lot of hard-drive space if you leave it running for a long time (and there is a lot of activity on those ports). See, each time a packet is sent or received wireshark records it... if you set filters, then you can tell it to only record say, UDP traffic, or specific port numbers, or only specific port numbers with UDP traffic, etc. So, you run the program, take the port numbers in question, and tell wireshark to filter out everything except UDP traffic on those specific ports. Then, whenever UDP data is sent or received on those ports.... wireshark will record it. So if these ports send data, say, every three minutes... and you go home, when you come back 8 hours later, you are probably going to have quite a large log file or memory consumption.... if it only sends data once an hour, then you won't have much used at all.

Thank you. I did some research and see it is/was ethereal. I have used that. I have tried to use lsof to see if it revealed anything but I don't get any output. ONe server has only one of the ports in a "bound" tcp state, so I would think lsof would produce something, but it doesn't.

Thank you for your help.

I would really like to see what turned those on? I don't have alot of services running and I've stopped alot of the rc2 startup scripts that I don't need.

I was hoping if I sent enough packets to the ports that maybe the top command might reveal something.

Any suggestions that way?

Well first, since this seems to be a timed thing... check cron. See what cron is up to. If that isn't much help, you could consider crufting up a quick script or app that uses sockets and binds to the given port numbers... then the program that is trying to connect to (ie open the ports) will crap on itself (Address already in use) and might help you to catch the output.... other than sniffing the packets, to catch the destination address, you're hands are pretty much tied.