Identify process sending LDAP requests to old DNS server

Hi,

I have a Solaris 10 system, which appears to be sending out LDAP queries to a server that is due to be decommissioned.

Is there a way to identify which process is sending out these queries? The problem is that the local port constantly changes, and the connections do not stay open long enough to query them using netstat or lsof.

I can see the outbound traffic in snoop:

solServer -> decomServer LDAP C port=39959
solServer -> decomServer LDAP C port=39959

and also in netstat:

solServer.38530   decomServer.ldap 65420      0 49640      0 TIME_WAIT
solServer.38215   decomServer.ldap 65420      0 49640      0 TIME_WAIT

But I can't think of a way to identify what process is sending this out. I've checked resolv.conf & /etc/nsswitch.conf and the decom server is not listed anywhere.

I have no idea where the information for this decomServer is coming from, or which process is sending. Is there a way I can find this out?

Many thanks

DTrace looks to be the right tool for investigating these connections.

Start with soconnect

You might also get a clue from the BIND and SRCH entries in the LDAP log file.

Thank you for the pointer. I went down the DTrace path, and found a script that did exactly what I needed:

conntrack DTrace script: connections by process, user and port on Solaris/Opensolaris | Core Networks Techno Blog

produces real-time output like the following, where the last column is the destination:

      adclient 19607     0    global     45708        88  TCP 10.x.x.x
      adclient 19607     0    global     45707       389  TCP 10.x.x.x
      adclient 19607     0    global     45707       389  TCP 10.x.x.x

Thanks for your assistance. DTrace is something that I should learn how to use; it looks very handy!
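For anyone landing on this thread with the same question, here is a small DTrace script, written for this reply and not taken from the thread, from soconnect.d or from the conntrack script linked above, that does the specific job discussed here: it hooks the connect(2) syscall, decodes the IPv4 destination, and prints the process, pid, uid and zone for every connection attempt to a chosen port (389 for LDAP is assumed as the default; the file name ldapconn.d is also an assumption). The manual byte-swap and dotted-quad building are used because older Solaris 10 updates have no ntohs()/inet_ntoa() in D. Because it fires at connect() time rather than polling the socket table, it does not miss the short-lived connections that netstat and lsof could not catch.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * ldapconn.d (constructed example): report every process on this host
 * that initiates an IPv4 TCP connection to TARGET_PORT, with the remote
 * address it asked the kernel for.  Run as root: dtrace -s ldapconn.d
 */

#pragma D option quiet
#pragma D option switchrate=10hz

/* assumption: LDAP on 389; change to 636 for LDAPS */
inline int TARGET_PORT = 389;

dtrace:::BEGIN
{
	printf("%-16s %6s %6s %-10s %-16s %5s\n",
	    "EXEC", "PID", "UID", "ZONE", "REMOTE_ADDR", "PORT");
}

/*
 * arg1 is the user-space sockaddr pointer, arg2 its length.
 * Copy it in, note the address family, and swap sin_port from
 * network to host byte order without relying on ntohs().
 */
syscall::connect*:entry
{
	this->s = (struct sockaddr_in *)copyin(arg1, arg2);
	this->family = this->s->sin_family;
	this->port = this->s->sin_port;
	this->port = (this->port & 0xFF00) >> 8 | (this->port & 0xFF) << 8;
}

/* AF_INET is 2; only report connects aimed at the port of interest */
syscall::connect*:entry
/this->family == 2 && this->port == TARGET_PORT/
{
	/* Build "a.b.c.d" from the four octets of sin_addr. */
	this->a = (uint8_t *)&this->s->sin_addr;
	this->addr1 = strjoin(lltostr(this->a[0] + 0ULL),
	    strjoin(".", strjoin(lltostr(this->a[1] + 0ULL), ".")));
	this->addr2 = strjoin(lltostr(this->a[2] + 0ULL),
	    strjoin(".", lltostr(this->a[3] + 0ULL)));
	this->addr = strjoin(this->addr1, this->addr2);

	printf("%-16s %6d %6d %-10s %-16s %5d\n",
	    execname, pid, uid, zonename, this->addr, this->port);

	/* Per-process tally, printed when the script exits (Ctrl-C). */
	@conns[execname, pid, this->addr] = count();
}

dtrace:::END
{
	printf("\nConnect attempts to port %d, by process and destination:\n",
	    TARGET_PORT);
	printa("  %-16s %6d -> %-16s %@d\n", @conns);
}
```

Leave it running across the interval in which snoop shows the traffic; the live lines name the process, and the summary at exit shows how often each process reached for each destination, which is enough to go and check that process's own configuration (in the OP's case an adclient-style directory client, not resolv.conf or nsswitch.conf). Two caveats: the script sees only new connect() calls, so a process holding a socket open for a long time appears once, and LDAP carried over UDP (CLDAP) goes through sendto() rather than connect() and would need a similar clause on that syscall.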