Yes, I'm tcpdumping pflog and ALL my dropped packets
reference some PID 6504 that is not found among
the processes that are running. I was actually not fishing
for PIDs, I just saw the PID referenced in the standard
tcpdump output. For forensics I just want to find the link
between the PID referenced in tcpdump and the process,
and I cannot, and I believe I should be able to for security.



On Tue, Mar 5, 2024 at 7:12 PM Janne Johansson <icepic...@gmail.com> wrote:

> Den tis 5 mars 2024 kl 14:35 skrev ofthecentury <ofthecent...@gmail.com>:
> >
> > Hi, I'm on a fresh install of OpenBSD 7.4.
> > I am watching output of tcpdump and
> > seeing some drops that all reference
> > UID 0, pid 6504. I cannot find that PID
> > among running processes. Does anyone
> > know what that process is and why it's
> > not running but tcpdump references it?
>
> OpenBSD has random pids, so unless you ask about pid 0 or 1, no one can
> divine what process had pid 6504 on your system at that time.
>
> As for this report, it looks like you are tcpdumping pflog in order to
> see "drops" with pids, but since you didn't mention what you ran, it's
> hard to tell. Nor did you state how you looked for pids, perhaps not
> using all the possible options?
>
>
> --
> May the most significant bit of your life be positive.
>
