
Looks like Apple has allowed applications (such as iTunes) to be excluded from DTrace probes:

http://blogs.sun.com/ahl/entry/mac_os_x_and_the

Example: Using DTrace to isolate UDP traffic

I was seeing outbound UDP broadcasts, but wasn't sure what process was generating the traffic. Saw the traffic in my firewall log which I leave running:

Jan 29 14:25:07 zaibatsu Firewall[59]:  29000 Deny UDP 128.3.9.247:17500 128.3.9.255:17500 out via en0
Jan 29 14:25:37 zaibatsu Firewall[59]:  29000 Deny UDP 128.3.9.247:17500 128.3.9.255:17500 out via en0

So what process was broadcasting UDP on port 17500 every 30 seconds?

I waited about 20 seconds after I saw an entry in the firewall log, fired up this DTrace rule, and then when I saw the packet hit the firewall log, I did CTRL-C.

[zaibatsu:tmp]$ sudo dtrace -n 'fbt:mach_kernel:udp_*:entry { @num[pid,execname,probename] = count(); }'
dtrace: description 'fbt:mach_kernel:udp_*:entry ' matched 12 probes
^C
    15910  iChatAgent                                          entry                                                            20
     1277  Dropbox                                             entry                                                            38
        0  kernel_task                                         entry                                                           153

So that gives me the likely candidates, including a PID list if I wanted to narrow down the search. But since I know what ports iChat talks on, I was pretty sure it was Dropbox. I turned off Dropbox and sure enough, the outbound probes stopped.
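The fixed 30-second cadence in the firewall log is what made it possible to time the DTrace capture window. The following is an added example, not part of the original page: it scans firewall log lines in the format shown above, reports outbound UDP flows that repeat at a steady interval, and estimates when the next packet is due. The sample log is constructed (only the two 14:25 entries on port 17500 come from the page), and the function names, `jitter` tolerance and assumed year are choices made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample: the two entries from the log above plus invented
# neighbours, including an irregular mDNS-style flow that must not be reported.
SAMPLE_LOG = """\
Jan 29 14:24:37 zaibatsu Firewall[59]:  29000 Deny UDP 128.3.9.247:17500 128.3.9.255:17500 out via en0
Jan 29 14:24:40 zaibatsu Firewall[59]:  29000 Deny UDP 128.3.9.247:5353 224.0.0.251:5353 out via en0
Jan 29 14:25:02 zaibatsu Firewall[59]:  29000 Deny UDP 128.3.9.247:5353 224.0.0.251:5353 out via en0
Jan 29 14:25:07 zaibatsu Firewall[59]:  29000 Deny UDP 128.3.9.247:17500 128.3.9.255:17500 out via en0
Jan 29 14:25:37 zaibatsu Firewall[59]:  29000 Deny UDP 128.3.9.247:17500 128.3.9.255:17500 out via en0
Jan 29 14:26:01 zaibatsu Firewall[59]:  29000 Deny UDP 128.3.9.247:5353 224.0.0.251:5353 out via en0
Jan 29 14:26:07 zaibatsu Firewall[59]:  29000 Deny UDP 128.3.9.247:17500 128.3.9.255:17500 out via en0
"""
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ Firewall\[\d+\]:\s+\d+ \w+ UDP "
    r"(\S+):\d+ (\S+):(\d+) out via \S+")
ASSUMED_YEAR = "2000"  # assumption: syslog stamps carry no year; a leap year is safe

def parse_flows(log_text):
    """Group outbound UDP entries as (src, dst, dport) -> [timestamps]."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if m := LINE_RE.match(line):  # lines in any other format are ignored
            stamp, src, dst, dport = m.groups()
            when = datetime.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
            flows[(src, dst, int(dport))].append(when)
    return flows

def periodic_flows(log_text, min_hits=3, jitter=2.0):
    """Flows seen min_hits+ times whose gaps all lie within jitter s of the median."""
    found = []
    for (src, dst, dport), times in parse_flows(log_text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if all(abs(g - period) <= jitter for g in gaps):
            found.append({"src": src, "dst": dst, "dport": dport, "period": period,
                          "next_expected": times[-1] + timedelta(seconds=period)})
    return found

if __name__ == "__main__":
    for f in periodic_flows(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} every {f['period']:.0f}s, "
              f"next expected {f['next_expected']:%H:%M:%S}")
```

Starting the DTrace aggregation shortly before the reported `next_expected` time and stopping it just after keeps the capture window short, which limits how many unrelated processes show up in the counts.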
