Testing the ping on Ubuntu 22.04:
Host A IPv6: 1111:1111:1111:1111:1111:1111:1111:1111
Host B IPv6: 2222:2222:2222:2222:2222:2222:2222:2222
Host A:
Now execute a ping from Host A with the following bash command:
root@host_a:~# ping -6 2222:2222:2222:2222:2222:2222:2222:2222
Host B:
iptables dropped some packets and logged them to the file:
Dec 7 18:21:52 host_b kernel: [ 988.996335] dropped output: IN= OUT=ens33 SRC=192.168.1.1 DST=192.168.2.1 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=52289 PROTO=UDP SPT=41151 DPT=53 LEN=63 UID=113 GID=118
Dec 7 18:21:52 host_b kernel: [ 988.998359] dropped output: IN= OUT=ens33 SRC=2222:2222:2222:2222:2222:2222:2222:2222 DST=1111:1111:1111:1111:1111:1111:1111:1111 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0
Dec 7 18:21:53 host_b kernel: [ 990.001075] dropped output: IN= OUT=ens33 SRC=2222:2222:2222:2222:2222:2222:2222:2222 DST=1111:1111:1111:1111:1111:1111:1111:1111 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0
From the first log line, there is UID and GID info:
UID=113 GID=118
We can find the user by using this method:
root@host_b:~# cat /etc/passwd | grep 113
But for the 2nd and 3rd lines there is no UID or GID in the log.
Question:
How to find out which program is sending out the following network packets?
PROTO=ICMPv6 TYPE=136 CODE=0
Note: Based on the iptables log, this "Unknown" program accepts incoming ICMPv6 packets and then sends out outgoing ICMPv6 packets, but iptables can't log the UID and GID of that "Unknown" program when the packet is dropped by the rule.
See Neighbour Discovery Protocol. The blocked ICMP messages belong to the IPv6 stack. Blocking them is not a good idea. The stack is part of the kernel, not a user process. There is no UID/GID of a user process.
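As an added illustration of the answer (not code from the question or the answer): a small Python parser run over the question's own log lines that separates OUTPUT-chain packets with a socket owner (UID/GID present) from kernel-generated ones, and names the ICMPv6 Neighbour Discovery types (RFC 4861) by number. The /etc/passwd excerpt and the account name svc-example are constructed for the example.

```python
import re
# Constructed sample input: two of the "dropped output" lines from the question.
SAMPLE_LOG = """\
Dec 7 18:21:52 host_b kernel: [ 988.996335] dropped output: IN= OUT=ens33 SRC=192.168.1.1 DST=192.168.2.1 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=52289 PROTO=UDP SPT=41151 DPT=53 LEN=63 UID=113 GID=118
Dec 7 18:21:52 host_b kernel: [ 988.998359] dropped output: IN= OUT=ens33 SRC=2222:2222:2222:2222:2222:2222:2222:2222 DST=1111:1111:1111:1111:1111:1111:1111:1111 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0
"""
# Constructed /etc/passwd excerpt; the account name for UID 113 is made up.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "svc-example:x:113:118::/nonexistent:/usr/sbin/nologin\n")
# ICMPv6 Neighbour Discovery types (RFC 4861): emitted by the kernel IPv6 stack
# itself, so the LOG target has no owning process (and no UID/GID) to report.
NDP_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
             135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
             137: "Redirect"}
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_nflog(line):
    # key=value pairs after the "[ uptime]" stamp; LEN repeats (IP header, then
    # UDP header), so the first occurrence wins.
    fields = {}
    for key, value in FIELD_RE.findall(line.split("]", 1)[-1]):
        fields.setdefault(key, value)
    return fields

def classify_origin(fields):
    # OUTPUT-chain packets carrying UID/GID came from a socket owned by a user
    # process; everything else was generated inside the kernel.
    if "UID" in fields:
        return "user process uid=%s gid=%s" % (fields["UID"], fields.get("GID"))
    ndp = NDP_TYPES.get(int(fields.get("TYPE", -1))) if fields.get("PROTO") == "ICMPv6" else None
    return "kernel IPv6 stack: %s" % ndp if ndp else "kernel (no owning process)"

def lookup_uid(uid, passwd_text):
    # Exact match on the UID field; `grep 113` would also hit UID 1130 or any line merely containing "113".
    for entry in passwd_text.splitlines():
        parts = entry.split(":")
        if len(parts) >= 3 and parts[2] == str(uid):
            return parts[0]
    return None

def report(log_text=SAMPLE_LOG, passwd_text=SAMPLE_PASSWD):
    results = []
    for line in log_text.splitlines():
        f = parse_nflog(line)
        origin = classify_origin(f)
        if "UID" in f:
            origin += " (%s)" % lookup_uid(f["UID"], passwd_text)
        results.append((f.get("PROTO"), origin))
    return results
```

Running report() against the real file is a matter of passing open('/var/log/kern.log').read() and open('/etc/passwd').read(); the UDP line resolves to an account, the TYPE=136 lines resolve to the kernel's Neighbor Advertisement with no owner.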