SANS Digital Forensics and Incident Response Blog

Unix Network and System profiling

It is essential to identify network services running on a UNIX host as a part of any review. To do this, the reviewer needs to understand the relationship between active network services, local services running on the host and be able to identify network behavior that occurs as a result of this interaction. There are a number of tools available for any UNIX system that the reviewer needs to be familiar with.

Netstat

Netstat lists all active connections as well as the ports on which processes are listening for connections. The command "netstat -p -a --inet" (or the equivalent on other UNIXes) prints this information; the "-p" option is what adds the PID and program name owning each socket. Not all UNIX versions support the "-p" option for netstat, and in that case other tools may be used.

Lsof

The command "lsof" allows the reviewer to list all open files, where, in the words of its man page, "An open file may be a regular file, a directory, a block special file, a character special file, an executing text reference, a library, or a stream or network file".

LSOF is available from ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/lsof.tar.gz

Ps

The command "ps" reports a snapshot of the processes currently running on a UNIX host. Some examples from the "ps" man page of one UNIX system are listed below.

To see every process on the system using standard syntax:

  • ps -e
  • ps -ef
  • ps -eF
  • ps -ely

To see every process on the system using BSD syntax:

  • ps ax
  • ps axu

To print a process tree:

  • ps -ejH
  • ps axjf

To get info about threads:

  • ps -eLf
  • ps axms

To get security info:

  • ps -eo euser,ruser,suser,fuser,f,comm,label
  • ps axZ
  • ps -eM

To see every process running as root (real & effective ID) in user format:

  • ps -U root -u root u

To see every process with a user-defined format:

  • ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm
  • ps axo stat,euid,ruid,tty,tpgid,sess,pgrp,ppid,pid,pcpu,comm
  • ps -eopid,tt,user,fname,tmout,f,wchan

Print only the process IDs of syslogd:

  • ps -C syslogd -o pid=

Print only the name of PID 42:

  • ps -p 42 -o comm=
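The three tools above are most useful when their output is combined: netstat (or lsof, where "netstat -p" is unsupported) tells you which sockets are listening and which PID owns them, and ps tells you which user that PID runs as. The following POSIX shell script is an added example, not code from the original post or from SANS, that does this cross-referencing. It works on constructed sample output embedded in the script (the hosts, PIDs and ports are made up), and the "--live" switch runs the same parsing against the real "netstat -p -a --inet", "lsof -i -P -n" and "ps -eo pid,user,comm" output of the current host. A listener whose PID netstat cannot see (printed as "-", typically when run without root) or whose PID is absent from the ps listing is reported with "?" so that it stands out for manual follow-up.

```shell
#!/bin/sh
# Added example: map listening sockets to their owning process and user.
# Sample outputs below are constructed for offline use, not captured from a host.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1043/master
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      -
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 2210/sshd: alice
udp        0      0 0.0.0.0:123             0.0.0.0:*                           901/ntpd'

SAMPLE_LSOF='COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     812 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
master  1043 root   13u  IPv4  12390      0t0  TCP 127.0.0.1:25 (LISTEN)
ntpd     901  ntp   16u  IPv4  12400      0t0  UDP *:123
sshd    2210 root    4u  IPv4  13000      0t0  TCP 10.0.0.5:22->10.0.0.9:51234 (ESTABLISHED)'

SAMPLE_PS='  PID USER     COMMAND
  812 root     sshd
 1043 root     master
  901 ntp      ntpd
 2210 root     sshd'

# netstat_listeners: read "netstat -p -a --inet" output on stdin and emit
# "proto local_address pid program" for every listening TCP socket and every
# bound UDP socket. Established connections are skipped.
netstat_listeners() {
    awk '
        $1 ~ /^(tcp|udp)/ {
            if ($1 ~ /^tcp/) { if ($6 != "LISTEN") next; pp = $7 }   # tcp rows have a State column
            else             { pp = $6 }                               # udp rows do not
            pid = "?"; prog = "?"                                     # "-" means the process is not visible
            if (pp != "-") { split(pp, a, "/"); pid = a[1]; prog = a[2] }
            print $1, $4, pid, prog
        }'
}

# lsof_listeners: read "lsof -i -P -n" output on stdin and emit the same
# "proto local_address pid program" format, for hosts without "netstat -p".
lsof_listeners() {
    awk 'NR > 1 && ($NF == "(LISTEN)" || $8 == "UDP") { print tolower($8), $9, $2, $1 }'
}

# attach_owner: stdin carries listener rows; $1 is "ps -eo pid,user,comm"
# output. Appends the owning user, or "?" when the PID is not in the ps list.
attach_owner() {
    awk -v pslist="$1" '
        BEGIN {
            n = split(pslist, lines, "\n")
            for (i = 2; i <= n; i++) {            # line 1 is the PID USER COMMAND header
                split(lines[i], f, " ")
                if (f[1] != "") user[f[1]] = f[2]
            }
        }
        { u = ($3 in user) ? user[$3] : "?"; print $1, $2, $3, $4, u }'
}

# Demonstrations on the constructed samples.
demo_netstat() { printf '%s\n' "$SAMPLE_NETSTAT" | netstat_listeners | attach_owner "$SAMPLE_PS"; }
demo_lsof()    { printf '%s\n' "$SAMPLE_LSOF"    | lsof_listeners    | attach_owner "$SAMPLE_PS"; }

# profile_host: live run. Prefers "netstat -p" and falls back to lsof where the
# local netstat does not accept that option (BSD-style netstat, for instance).
profile_host() {
    if netstat -p -a --inet >/dev/null 2>&1; then
        raw=$(netstat -p -a --inet | netstat_listeners)
    elif command -v lsof >/dev/null 2>&1; then
        raw=$(lsof -i -P -n | lsof_listeners)
    else
        echo "neither netstat -p nor lsof is available on this host" >&2
        return 1
    fi
    printf '%s\n' "$raw" | attach_owner "$(ps -eo pid,user,comm)"
}

if [ "${1:-}" = "--live" ]; then
    profile_host
else
    demo_netstat; echo; demo_lsof
fi
```

On the sample data the netstat path prints four rows, including "tcp 0.0.0.0:631 ? ? ?" for the socket whose owner netstat could not see; rerunning the live command as root normally resolves that row, and a listener that still has no matching ps entry is the kind of discrepancy a reviewer should record and investigate rather than explain away.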

Craig Wright is a Director with Information Defense in Australia. He holds both the GSE-Malware and GSE-Compliance certifications from GIAC and completed the GSE as well. He is a perpetual student with numerous postgraduate degrees, including an LLM specializing in international commercial law and e-commerce law and a Masters degree in mathematical statistics from Newcastle, and is working on his 4th IT-focused Masters degree (Masters in System Development) at Charles Sturt University, where he lectures in a Masters degree in digital forensics. He is writing his second doctorate, a PhD on the quantification of information system risk, at CSU.

1 Comment

Posted March 15, 2010 at 12:55 PM

proneer

As far as I know, the 'lsof' command is not working on HP-UX. Do you know an alternate method?