On the server, install tshark:
sudo apt install tshark
Run a trace on outbound https/443 connections:
sudo tshark -i any -f "tcp port 443" -Y "tls.handshake.extensions_server_name" -T fields -e ip.src -e tls.handshake.extensions_server_name
Note the 10.x.x.x source IP in the output and correlate it with the addresses shown by ifconfig. The interface address will be 1 IP off (2 per subnet).
10.169.0.29 serv1.***.com
10.169.0.29 ***.ru
10.169.0.29 ***.ru
veth2915: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.169.0.28 netmask 255.255.255.254 broadcast 0.0.0.0
Run this script as root, using the veth???? name from the ifconfig output, to see which process is using it:
VETH="veth????"
# Interface index of the host-side veth; the peer inside the namespace shows it as "@if<index>"
VETH_INDEX=$(cat "/sys/class/net/$VETH/ifindex")
echo "Searching native Linux namespaces for $VETH (Index: $VETH_INDEX)..."
for pid in $(ls /proc | grep -E '^[0-9]+$'); do
    # Check if the process's network namespace contains the linked peer interface.
    # The trailing colon stops index 12 from also matching "@if123".
    if sudo nsenter -t "$pid" -n ip link 2>/dev/null | grep -q "@if$VETH_INDEX:"; then
        echo "------------------------------------------------"
        echo "Found it! $VETH belongs to Process ID (PID): $pid"
        echo "Process details:"
        sudo ps -p "$pid" -o user,pid,comm,args
        echo "------------------------------------------------"
        break
    fi
done
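The manual correlation between the tshark source IP and the veth interface can be scripted. The following is an added example, not part of the original article: it assumes every veth pair sits in a /31 subnet as in the ifconfig output above, reads host addresses in `ip -o -4 addr show` format, and runs on constructed sample data (the hostnames and the second interface are made up).

```shell
#!/bin/sh
# Added example (not from the original article). Assumes /31 veth subnets.

# Constructed sample: tshark field output, "ip.src<TAB>SNI" per line.
SAMPLE_TSHARK=$(printf '%s\t%s\n' \
    10.169.0.29 serv1.example.com \
    10.169.0.29 bad.example.net \
    10.169.0.29 bad.example.net \
    10.169.0.33 api.example.org)

# Constructed sample: host output of `ip -o -4 addr show`.
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
7: veth2915    inet 10.169.0.28/31 scope global veth2915
9: veth41a0    inet 10.169.0.32/31 scope global veth41a0'

# Other address in the same /31: flip the lowest bit of the last octet.
peer_of_31() {
    echo "${1%.*}.$(( ${1##*.} ^ 1 ))"
}

# $1 = source IP from tshark, $2 = `ip -o -4 addr show` text.
# Prints the host interface holding the /31 peer address, or nothing.
veth_for_ip() {
    printf '%s\n' "$2" | awk -v want="$(peer_of_31 "$1")/31" \
        '$3 == "inet" && $4 == want { print $2; exit }'
}

# $1 = tshark text, $2 = addr text.
# Prints "<count> <veth> <source IP> <SNI>" per distinct (IP, SNI) pair.
sni_by_veth() {
    printf '%s\n' "$1" | LC_ALL=C sort | uniq -c |
    while read -r count ip sni; do
        veth=$(veth_for_ip "$ip" "$2")
        echo "$count ${veth:-unknown} $ip $sni"
    done
}

sni_by_veth "$SAMPLE_TSHARK" "$SAMPLE_ADDR"
```

On a live host, pass the saved tshark output and "$(ip -o -4 addr show)" as the two arguments; the reported veth name is the value to put in VETH in the script above.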