Strange IP address showing up with OS X ssh

Posted by user50799 on Server Fault See other posts from Server Fault or by user50799
Published on 2010-08-10T23:02:21Z Indexed on 2010/12/21 11:55 UTC
Read the original article Hit count: 232

Filed under:
|
|

I was futzing around with DTrace on Mac OS X and found the following script that prints out information about connections being established:

$ cat script.d

syscall::connect:entry
{
printf("execname: %s\n", execname);
printf("pid: %d\n", pid);
printf("sockfd: %d\n",arg0);

socks = (struct sockaddr*)copyin(arg1, arg2);

hport = (uint_t)socks->sa_data[0];
lport = (uint_t)socks->sa_data[1];
hport <<= 8; 
port = hport + lport; 
printf("Port number: %d\n", port); printf("IP address: %d.%d.%d.%d\n",
 socks->sa_data[2],
 socks->sa_data[3],
 socks->sa_data[4],
 socks->sa_data[5]);
printf("======\n");
}

I run it in one window:
$ sudo dtrace -s ./script.d

Then I ssh to another machine from another window. I get this output from my dtrace window:

CPU     ID                    FUNCTION:NAME
  0  18696                    connect:entry execname: ssh
pid: 5446
sockfd: 3
Port number: 22
IP address: 192.168.0.207
======

  0  18696                    connect:entry execname: ssh
pid: 5446
sockfd: 5
Port number: 12148
IP address: 109.112.47.108
======

^C

The first IP address I can explain (192.168.0.207), that's the machine I'm connecting to. But what's with the 109.112.47.108 machine? It doesn't show up in tcpdump nor netstat -an

Is there something with my dtrace code or my understanding of how the connect system call works?

© Server Fault or respective owner

Related posts about ssh

Related posts about macosx