curious connection and how to link PID to port used

[cosmoxl]

Proto Source Address Destination Address State
tcp 10.201.9.44:41837 184.28.188.137:80 ESTABLISHED

I'm consistently seeing this connection made, seen by using netstat-nat -nL

This is the router itself making the connection to an akamai server. I'm hoping somebody knows what this is for. It's quite disconcerting to think that the router is phoning "home" or something. Is it only a connection to TrendMicro?

Along these lines, how would I, with entware installed, find what process is creating that connection?

 

[mstombs]

Are you sure it is from the router, not just nat translated by the router?
If so you might be able to find the real source device by looking in the connection tracking table

cat /proc/net/nf_conntrack | grep 184.28.188.137

 

[cosmoxl]

Thanks. The command netstat-nat -nL shows connections to NAT, not SNAT or DNAT. In fact, 99% of the connections shown in this list are from my computer to the router for the web GUI.

Looking at the connection tracking table I found:

ipv4     2 tcp      6 359755 ESTABLISHED src=10.201.9.44 dst=184.28.188.137 sport=41837 dport=80 [UNREPLIED] src=184.28.188.137 dst=10.201.9.44 sport=80 dport=41837 mark=1 use=2

What is the real source device from looking at this?

 

[mstombs]

sorry that table is clearly the same info as netstat and better presented in the asuswrt web gui. So if the src address is your router maybe your suspicions confirmed it is the router phoning home?

 

[cosmoxl]

thanks again. Yes, I'd like to hear from others on what this is and if they're having the same connection made.

 

[RMerlin]

Does you router really have such a weird IP as 10.201.9.44?

 

[mstombs]

good point 10.x.x.x is a local private IP address, not internet routable

 

[cosmoxl]

Does you router really have such a weird IP as 10.201.9.44?

that is my internal IP from a VPN provider. the router made the connection while connected to that VPN.

what concerned me about this connection was that it seemed to be permanent. however, further testing shows that the connection is not shown in netstat-nat -L while connected to other VPN or when not connected to any VPN. but, it's still shown in the conntrack table.

I don't know what it all means.

 

[RMerlin]

that is my internal IP from a VPN provider. the router made the connection while connected to that VPN.

what concerned me about this connection was that it seemed to be permanent. however, further testing shows that the connection is not shown in netstat-nat -L while connected to other VPN or when not connected to any VPN. but, it's still shown in the conntrack table.

I don't know what it all means.

In that case the connection can come from any client on your LAN. You are using a VPN tunnel, so that means the traffic gets routed through that tunnel. I would recommend checking your clients to determine which one is connecting to that web server (port 80 is a website).