LSOF
sh-3.2# lsof -i4
The COMMAND column shows the program that owns the socket (connection). The TYPE column shows whether it is an IPv4 or IPv6 socket. The NODE column shows the transport protocol (TCP or UDP), and NAME, the last column, shows SRC-IP:PORT->DST-IP:PORT, followed for TCP by the connection state in parentheses. Without -n and -P, lsof resolves addresses to host names and ports to service names, which is slow and makes the output harder to match against numeric flow records.
I cleaned up the output with a few standard shell utilities: -n and -P keep addresses and ports numeric, grep -v drops loopback and wildcard (listening/unbound) sockets, and awk keeps only the COMMAND, NODE and NAME columns:
sh-3.2# lsof -nP -i4 | grep -v -e 'localhost' -e '\*' -e '127\.0\.0\.1' | awk '{printf ("%10s\t%3s\t%s\n", $1, $8, $9)}'
COMMAND NODE NAME
apsd TCP 10.140.59.187:61720->17.252.252.86:5223
apsd TCP 10.140.59.187:61720->17.252.252.86:5223
Dropbox TCP 10.140.59.187:64683->162.125.33.7:443
Dropbox TCP 10.140.59.187:64220->162.125.34.129:443
Dropbox TCP 10.140.59.187:64535->52.7.182.237:443
Dropbox TCP 192.168.1.104:49252->162.125.83.3:443
Dropbox TCP 10.140.59.187:64513->162.125.83.3:443
Bitcoin TCP 10.140.59.187:64841->104.20.81.236:443
Google TCP 10.140.59.187:62462->169.44.99.100:443
Google TCP 10.140.59.187:62235->169.54.206.44:443
To create labels, one could run the command (with sudo, so that sockets belonging to every user's processes are visible) at regular intervals and then match the application name from the lsof output to the flow records in the flow cache. The matching could be done on the 5-tuple (protocol, source IP, source port, destination IP, destination port) where possible. Listening and unbound sockets (shown as *:port) have no peer and cannot be matched, a flow may be recorded in either direction so the tuple has to be normalized before comparison, and connections shorter than the sampling interval are missed, so the interval should be short relative to the flows of interest.
This is one simple way to collect a dataset on a local machine with reliable ground truth for experiments and evaluations.
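As an added example (not code from the gist), the following Python script shows one way to do that matching. It reads lsof's machine-readable output (lsof -nP -i4 -F pcPn, one field per line prefixed with its field letter) instead of the column output above, because awk field splitting breaks on command names that contain spaces; it skips wildcard sockets, normalizes the 5-tuple so a flow matches regardless of which direction the exporter recorded it, and flags a tuple that was seen under different processes across snapshots (ephemeral port reuse). The lsof snapshot and the flow records embedded in it are constructed sample data, and the flow-record field names (proto, src, sport, dst, dport) are an assumption about the flow cache's format.

```python
"""Label flow records with the owning process from sampled lsof output.

Added example, not part of the original gist. LSOF_SNAPSHOT and FLOWS are
constructed sample data; the flow-record field names are an assumption.
"""
import re
from collections import defaultdict

# Constructed sample of `lsof -nP -i4 -F pcPn` output (not a real capture).
# One field per line; the first character is the field letter:
# p=PID, c=command, f=fd (always emitted), P=protocol, n=name.
LSOF_SNAPSHOT = """\
p101
capsd
f5
PTCP
n10.140.59.187:61720->17.252.252.86:5223
p202
cDropbox
f12
PTCP
n10.140.59.187:64683->162.125.33.7:443
f13
PTCP
n10.140.59.187:64220->162.125.34.129:443
p303
cGoogle Chrome
f30
PUDP
n*:5353
p404
csshd
f3
PTCP
n*:22
p505
cpython3
f4
PUDP
n10.140.59.187:53211->8.8.8.8:53
"""

# Constructed flow records, in whatever direction the exporter saw them.
# Field names (proto, src, sport, dst, dport, bytes) are assumed.
FLOWS = [
    {"proto": "TCP", "src": "10.140.59.187", "sport": 61720, "dst": "17.252.252.86", "dport": 5223, "bytes": 1800},
    {"proto": "TCP", "src": "162.125.34.129", "sport": 443, "dst": "10.140.59.187", "dport": 64220, "bytes": 52000},
    {"proto": "UDP", "src": "10.140.59.187", "sport": 53211, "dst": "8.8.8.8", "dport": 53, "bytes": 64},
    {"proto": "TCP", "src": "10.140.59.187", "sport": 50000, "dst": "93.184.216.34", "dport": 80, "bytes": 900},
]

# An lsof NAME with a peer: local:port->remote:port. Wildcard (*:port) entries do not match.
CONN_RE = re.compile(r"^(?P<lip>[^:\s]+):(?P<lport>\d+)->(?P<rip>[^:\s]+):(?P<rport>\d+)$")


def flow_key(proto, a_ip, a_port, b_ip, b_port):
    """Direction-independent 5-tuple: the exporter may record the same
    connection client->server or server->client, lsof shows local->remote."""
    ends = sorted([(a_ip, int(a_port)), (b_ip, int(b_port))])
    return (proto.upper(), ends[0], ends[1])


def parse_lsof_fields(text):
    """Yield (command, pid, proto, name) for each socket in `lsof -F` output."""
    pid = cmd = proto = None
    for line in text.splitlines():
        if not line:
            continue
        tag, value = line[0], line[1:]
        if tag == "p":            # new process record: reset per-process state
            pid, cmd, proto = int(value), None, None
        elif tag == "c":
            cmd = value
        elif tag == "P":
            proto = value
        elif tag == "n":          # name is the last field of a file record
            yield cmd, pid, proto, value


def label_table(snapshots):
    """Build {5-tuple: set(process names)} from one or more lsof snapshots.
    Sockets without a peer ('*:22', '*:5353') carry no 5-tuple and are skipped."""
    table = defaultdict(set)
    for snap in snapshots:
        for cmd, _pid, proto, name in parse_lsof_fields(snap):
            m = CONN_RE.match(name)
            if not m or proto not in ("TCP", "UDP"):
                continue
            table[flow_key(proto, m["lip"], m["lport"], m["rip"], m["rport"])].add(cmd)
    return table


def label_flows(flows, table):
    """Return the flows with a 'label': the process name, 'AMBIGUOUS' when the
    same 5-tuple was seen under different processes (port reuse between
    samples), or None when no snapshot caught the connection."""
    out = []
    for f in flows:
        labels = table.get(flow_key(f["proto"], f["src"], f["sport"], f["dst"], f["dport"]), set())
        label = next(iter(labels)) if len(labels) == 1 else ("AMBIGUOUS" if labels else None)
        out.append({**f, "label": label})
    return out


if __name__ == "__main__":
    for row in label_flows(FLOWS, label_table([LSOF_SNAPSHOT])):
        print(row["label"], row["proto"], f'{row["src"]}:{row["sport"]}->{row["dst"]}:{row["dport"]}')
```

In practice the snapshots come from running sudo lsof -nP -i4 -F pcPn on a timer and appending each run's output to the list passed to label_table; flows that come back with label None fell between two samples and should be dropped from the ground-truth set rather than guessed.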
For more information about LSOF I recommend these sites:
https://danielmiessler.com/study/lsof/
https://www.netadmintools.com/html/lsof.man.html
https://www.thegeekstuff.com/2012/08/lsof-command-example