Determining Originator of TCP Connection?

Given a socket which is being used for an established TCP connection,
is there any way to determine from user space under Linux 2.4/2.6 which
side originated the connection? I'm working on some low-level code, so
all I get is the socket. The solution doesn't have to be portable, so I
could use, say, data from the tcp_info structure, but unfortunately
none of those fields seem to indicate the originator.

Thanks!

G

gg-(E-Mail Removed) wrote:
> Given a socket which is being used for an established TCP connection,
> is there any way to determine from user space under Linux 2.4/2.6 which
> side originated the connection? I'm working on some low-level code, so
> all I get is the socket. The solution doesn't have to be portable, so I
> could use, say, data from the tcp_info structure, but unfortunately
> none of those fields seem to indicate the originator.
>
> Thanks!
>
> G
>

You may be able to infer it from the port numbers. The originator
always calls from port numbers above 1024. And you may happen to
know which port the server is listening on. Otherwise, I think
you are out of luck - an open TCP connection is symmetrical.

Steve

Steve Horsley <(E-Mail Removed)> said:
>gg-(E-Mail Removed) wrote:
>> Given a socket which is being used for an established TCP connection,
>> is there any way to determine from user space under Linux 2.4/2.6 which
>> side originated the connection? I'm working on some low-level code, so
>> all I get is the socket. The solution doesn't have to be portable, so I
>> could use, say, data from the tcp_info structure, but unfortunately
>> none of those fields seem to indicate the originator.
>>
>> Thanks!
>>
>> G
>>
>
>You may be able to infer it from the port numbers. The originator
>always calls from port numbers above 1024.

No, not always. It is possible for the originating application to
bind to a given socket number before connecting. This isn't often
used (any more), but was favored by some programs (the r* things,
as far as I recall, did behave like this).

>And you may happen to know which port the server is listening on.

This is the other possibility.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

On Wed, 18 May 2005 18:48:42 +0000, Juha Laiho wrote:
> Steve Horsley <(E-Mail Removed)> said:

>>You may be able to infer it from the port numbers. The originator
>>always calls from port numbers above 1024.
>
> No, not always. It is possible for the originating application to
> bind to a given socket number before connecting. This isn't often
> used (any more),

NFS, NTP

> but was favored by some programs (the r* things,
> as far as I recall, did behave like this).

Indeed, ssh used to do that as well (if installed setuid.)

--
-Menno.

Hello!

Good idea! I was hoping to find a bit flag somewhere that I could
check, but failing that, this should handle 90% of the cases.

Thanks!

G