[comp.unix.ultrix] Something similar to netstat ... but quicker.

bmacinre@watcgl.uwaterloo.ca (Blair MacIntyre) (11/13/90)

If a specific host is connected to my machine, doing a finger, running
netstat gives the following lines in the output (something similar):
(I'm on watcgl, someone on seward.tn.cornell.edu is fingering me)

tcp        0      0  watcgl.finger          SEWARD.TN.CORNEL.2997  ESTABLISHED
tcp        0      0  watcgl.4788            SEWARD.TN.CORNEL.finge ESTABLISHED

To get this info, I have to run netstat (obviously), but this is
sloooow.

What I really want is to figure out if someone is currently doing a
remote finger on my machine AND where they are fingering from.  Is there
an easier way to do this?  I can get the fingerd process from ps but
don't see how to get where the socket connection that created it is
coming from.  What would be ideal is a flag for netstat that looks for
specific sorts of inetd connections and only prints out their sockets.

Anyway, I'm not really hopeful on this, but I would greatly appreciate
any help or hints or pointers as to which man page to RTFM! :-)
--
Blair MacIntyre, Computer Graphics Lab
Dept. of Computer Science, University of Waterloo, Waterloo, ON, Canada, N2L3G1
{bmacinre@watcgl|bmacintyre@{violet|watdragon}}.{waterloo.edu|uwaterloo.ca}

wswietse@svbs01.bs.win.tue.nl (Wietse Venema) (11/20/90)

bmacinre@watcgl.uwaterloo.ca (Blair MacIntyre) writes:

>What I really want is to figure out if someone is currently doing a
>remote finger on my machine AND where they are fingering from.  Is there
>an easier way to do this?  I can get the fingerd process from ps but
>don't see how to get where the socket connection that created it is
>coming from.  What would be ideal is a flag for netstat that looks for
>specific sorts of inetd connections and only prints out their sockets.

If you have sufficient privilege, you can put a trivial program in
front of the fingerd (tar archive in ftp.win.tue.nl:/pub/logdaemon.Z,
file tcpd.c). This program uses the syslog(3) facility to report the
use of connection-oriented services such as telnet, rlogin, rsh, exec.

By the way, if you are worried about the use of the finger service, you
may also want to keep track of requests to the systat service that
usually is enabled on Ultrix systems (systat just pipes the output from
the who(1) command to the net). The miscd.c file in the above-mentioned
tar archive takes care of monitoring systat.
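The front-end program Wietse describes (tcpd.c in logdaemon) sits between inetd and the real daemon, notes who connected, and hands the connection on. The following is an added illustration of that idea, not code from logdaemon or from any poster: an inetd-style wrapper that reads the peer address off the inherited connection on fd 0, writes one line through syslog(3), and then execs the real server. The daemon path /usr/etc/in.fingerd and the service name are assumptions; adjust them for the system in question.

```python
import os
import socket
import sys
import syslog

# Assumed location of the real finger daemon; inetd is pointed at this
# wrapper instead, and the wrapper execs the daemon after logging.
REAL_DAEMON = "/usr/etc/in.fingerd"
SERVICE = "finger"


def peer_of_fd(fd):
    """Return (address, port) of the peer on an inherited connected TCP socket.

    Under inetd, fds 0, 1 and 2 are the accepted connection, so the wrapper
    can ask the kernel who is on the other end before the daemon ever runs.
    The fd is dup()ed so closing the Python socket object leaves fd 0 intact
    for the daemon we exec afterwards.
    """
    sock = socket.socket(fileno=os.dup(fd))
    try:
        return sock.getpeername()[:2]
    finally:
        sock.close()


def log_line(service, peer):
    """Format the one-line record that goes to syslog."""
    addr, port = peer
    return "%s connection from %s port %d" % (service, addr, port)


def main():
    try:
        msg = log_line(SERVICE, peer_of_fd(0))
    except OSError as exc:
        # Not a socket (e.g. run by hand from a terminal): still log, still exec.
        msg = "%s: cannot determine peer (%s)" % (SERVICE, exc)
    syslog.openlog("tcpwrap", syslog.LOG_PID, syslog.LOG_DAEMON)
    syslog.syslog(syslog.LOG_INFO, msg)
    # Replace ourselves with the real daemon; fds 0-2 are inherited unchanged.
    os.execv(REAL_DAEMON, [REAL_DAEMON] + sys.argv[1:])


if __name__ == "__main__":
    main()
```

Because the wrapper only logs and then execs, the real daemon sees exactly the connection it would have seen without it; the record goes to whatever syslog is configured to do with LOG_DAEMON/LOG_INFO messages.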

mogul@wrl.dec.com (Jeffrey Mogul) (11/20/90)

In article <1990Nov12.192712.23544@watcgl.waterloo.edu> bmacinre@watcgl.uwaterloo.ca (Blair MacIntyre) writes:
>If a specific host is connected to my machine, doing a finger, running
>netstat gives the following lines in the output (something similar):
>(I'm on watcgl, someone on seward.tn.cornell.edu is fingering me)
>
>tcp        0      0  watcgl.finger          SEWARD.TN.CORNEL.2997  ESTABLISHED
>tcp        0      0  watcgl.4788            SEWARD.TN.CORNEL.finge ESTABLISHED
>
>To get this info, I have to run netstat (obviously), but this is
>sloooow.

Often "netstat" runs slow because of the cost of translating IP host
addresses to names, via the domain name system.   This is especially
true if the host names are from "far away", since it means you might
have to contact a foreign nameserver for each one.

You can get around this by giving the "-n" flag to netstat.  I ran
netstat on gatekeeper.dec.com, which has a lot of non-local connections,
and timed it:
    with -n:	     0.6u 0.3s 0:02 46% 89+173k 23+1io 0pf+0
    without -n:	    14.7u 1.2s 0:56 28% 91+233k 33+2io 0pf+0w
Kind of dramatic, no?

Of course, you won't know the names of the hosts or services, but
you can look them up afterwards when you find the particular line that
interests you.

This is even more useful with "netstat -r", which tries to look up
lots of network names and usually fails.  On gatekeeper.dec.com:
    with -n:	   1.7u 1.2s 0:08 36% 91+184k 0+1io 0pf+0w
    without -n:	   I got bored and gave up after more than 8 minutes.

This is not a bug in the software, it's inherent in the distributed
way that the Internet's Domain Name System works.

-Jeff

bmacinre@watcgl.uwaterloo.ca (Blair MacIntyre) (11/20/90)

Wietse> bmacinre@watcgl.uwaterloo.ca (Blair MacIntyre) writes:

>What I really want is to figure out if someone is currently doing a
>remote finger on my machine AND where they are fingering from.

Wietse> If you have sufficient privilege, you can put a trivial program in
Wietse> front of the fingerd (tar archive in ftp.win.tue.nl:/pub/logdaemon.Z,
Wietse> file tcpd.c). This program uses the syslog(3) facility to report the
Wietse> use of connection-oriented services such as telnet, rlogin, rsh, exec.

Oh, I'm not interested in keeping a log.  This request falls under the
'cute-but-pointless' things to do section.  You see, every time someone
fingers me, a program runs and creates an up-to-date .plan file.  I'd
like to know where the finger is coming from in order to further
embellish the info.  Ideally, I'd like to know who is reading the .plan,
so I could figure out who is fingering me locally, or decide that it's
remote and then figure out which finger connection they are coming
through.  I don't think it's possible ...

Turns out 'netstat -n' is fast enough, and actually better for this
purpose than 'netstat' alone.  Thanks to the people who sent me mail
suggesting this!
--
Blair MacIntyre, Computer Graphics Lab
Dept. of Computer Science, University of Waterloo, Waterloo, ON, Canada, N2L3G1
{bmacinre@watcgl|bmacintyre@{violet|watdragon}}.{waterloo.edu|uwaterloo.ca}
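Putting the thread together (the original request for "only the finger sockets", Jeff Mogul's advice to use -n and resolve names afterwards, and the closing note that netstat -n is fast enough): the following is an added example, not code from any of the posters, that parses numeric netstat output in the BSD/Ultrix layout, keeps only the established connections to the local finger port, and resolves names only for those few lines. The sample output is constructed with documentation addresses; the `lookup` parameter is an assumption added so the name step can run offline.

```python
import socket
import subprocess

# Constructed sample of `netstat -n` output in the BSD/Ultrix layout:
# proto, recv-q, send-q, local address, foreign address, state.
# Addresses are RFC 5737 documentation addresses, not real hosts.
SAMPLE_NETSTAT_N = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.0.2.10.79          198.51.100.7.2997      ESTABLISHED
tcp        0      0  192.0.2.10.4788        198.51.100.7.79        ESTABLISHED
tcp        0      0  192.0.2.10.23          203.0.113.5.1043       ESTABLISHED
tcp        0      0  192.0.2.10.79          203.0.113.9.1200       TIME_WAIT
udp        0      0  192.0.2.10.514         *.*
"""

FINGER_PORT = 79


def split_endpoint(endpoint):
    """Split 'a.b.c.d.port' into ('a.b.c.d', port).

    With -n the port is the last dot-separated field, so rpartition is
    enough; a '*' wildcard port comes back as None.
    """
    host, sep, port = endpoint.rpartition(".")
    if not sep:
        return endpoint, None
    return host, (None if port == "*" else int(port))


def parse_netstat_n(text):
    """Yield (proto, (lhost, lport), (fhost, fport), state) per connection line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # title and header lines
        proto, _recvq, _sendq, local, foreign = fields[:5]
        state = fields[5] if len(fields) > 5 else ""
        rows.append((proto, split_endpoint(local), split_endpoint(foreign), state))
    return rows


def inbound_peers(text, local_port, state="ESTABLISHED"):
    """Foreign (host, port) pairs currently connected to our local_port.

    Filtering on the *local* port separates "they are fingering me"
    (local port 79) from "I am fingering them" (foreign port 79); a grep
    for 'finger' on the named output would match both lines.
    """
    return [foreign for proto, local, foreign, st in parse_netstat_n(text)
            if proto == "tcp" and local[1] == local_port and st == state]


def resolve_later(peers, lookup=None):
    """Translate addresses to names only for the lines we kept.

    This is the cheap order of operations from the thread: numeric netstat
    first, DNS for the handful of interesting addresses afterwards.
    `lookup` is an assumed hook so the function can run without DNS.
    """
    if lookup is None:
        def lookup(addr):
            try:
                return socket.gethostbyaddr(addr)[0]
            except (socket.herror, socket.gaierror, OSError):
                return addr  # keep the address when reverse lookup fails
    return [(lookup(host), port) for host, port in peers]


if __name__ == "__main__":
    # Live use on a system whose netstat -n prints the dotted layout above.
    out = subprocess.run(["netstat", "-n"], capture_output=True, text=True).stdout
    for host, port in resolve_later(inbound_peers(out, FINGER_PORT)):
        print("finger request from %s (port %d)" % (host, port))
```

On the sample, only the first line survives the filter: the second line is an outbound finger, the fourth is no longer established, and the udp line has no state at all.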