~chuck/blog

Being a Linux user, I am quite accustomed to the netstat flags that I use most often (plant, or sometimes tupac). I recently acquired a MacBook Pro, and found the netstat flags quite different.

clstearns@olly:~$ netstat -ntpl
netstat: l: unknown or uninstrumented protocol
clstearns@olly:~$ netstat -ntl | wc -l
221

clstearns@eli:~$ netstat -ntl | wc -l
6

How annoying it is, having to change one’s habits.

Rather than learning the new flags, I pulled out my trusty lsof:

$ lsof -i tcp:22
COMMAND  PID      USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
ssh     8383 clstearns    3u  IPv4 0×060b0334      0t0  TCP olly.ozymo.com:56829->mail.ozymo.com:ssh (ESTABLISHED)

Using lsof, I can see in the NAME field I can see what kind of connections I have open.

According to the lsof man page, the -i flag takes an option [i] specified as an Internet address. From the man page:

An Internet address is specified in the form (Items in square brackets are optional.):

[46][protocol][@hostname|hostaddr][:service|port]

where:

46 specifies the IP version, IPv4 or IPv6 that applies to the following address. ‘6′ may be be specified only if the UNIX dialect supports IPv6.  If neither ‘4′ nor ‘6′ is specified, the following address applies to all IP versions.

protocol is a protocol name – TCP, UDP

hostname is an Internet host name.  Unless a specific IP version is specified, open
network files associated with host names of all versions will be selected.

hostaddr is a numeric Internet IPv4 address in dot form; or an IPv6 numeric address in
colon form, enclosed in brackets, if the UNIX dialect supports IPv6.  When an IP version is selected, only its numeric addresses may be specified.

service is an /etc/services name – e.g., smtp – or a list of them.

port is a port number, or a list of them.

At  least  one  address  component  -  4, 6, protocol, ,IR hostname , hostaddr, or service – must be supplied. These addresses can get hairy, according to this example, which means TCP, ports 1 through 10, service name smtp, port 99, host name foo:

tcp@foo:1-10,smtp,99

lsof allows me to gain the information I need pertaining to my network connections, and when combined with some of the simpler options for MacOS’s netstat version (Mach-O universal binary with 3 architectures; it’s also the BSD4.2 version, whereas my Ubuntu box reports that the installed netstat command version 1.42 is from the net-tools package) it makes for a very handy tool.

Thanks to Greg and the man for the information on lsof.

/cs

Check this out:

$ doexec yes lolbutts > /dev/null &
$ ps auxww | grep lolbutts
500      28962 96.8  0.2  58908   544 pts/1    R    11:00   0:06 lolbutts

OK, so now here this:

$ doexec /tmp/udp.pl /usr/sbin/httpd &
$ ps auxww | grep httpd
apache   27601  0.0 12.9 264324 34016 ?        S    07:44   0:08 /usr/sbin/httpd
apache   27887  0.0 12.6 265956 33264 ?        S    08:42   0:06 /usr/sbin/httpd
apache   28103  0.0 11.2 257932 29452 ?        S    09:24   0:03 /usr/sbin/httpd
apache   28108  0.0 11.8 262884 31040 ?        S    09:24   0:04 /usr/sbin/httpd
apache   28580  0.1 11.0 257296 28948 ?        S    10:56   0:01 /usr/sbin/httpd
apache   29015 90.8  0.2  58908   548 pts/1    R    11:07   0:04 /usr/sbin/httpd

Can you pick which one isn’t really Apache?

Thanks to Kale for pointing out this nifty utility.

/cs

I do simple DNS checks on the hosts that attempt to send mail to my server.

Wal-Mart fails:

Jan 4 23:07:18 oz postfix/smtpd[25560]: NOQUEUE: reject: RCPT from mail1.walmart.com[161.170.244.39]: 450 4.7.1 < ndc-mta1.walmart.com >: Helo command rejected: Host not found; from=< batch@ndc-fulmailapp1.walmart.com > to=< addy@ozymo.com > proto=ESMTP helo=< ndc-mta1.walmart.com >

/cs

UPDATE: I’ve been asked to provide some background on this. So here goes: My wife requested her password for her Wal-Mart online account, and didn’t receive any email. Looking at the logs, I found the above failure. I have my server configured to reject mail from servers whose hostname doesn’t map correctly via forward DNS, and thus, Wal-Mart failed. /cs