
I ran tcpdump on a node on which I can see many outbound TCP connections to a specific host (inside my network) on a specific port (8086). I'd like to know which process is making those connections.

I used:

while true; do ss -ntap '{ dport :8086 }'; sleep 0.1; done

however, I don't see anything show up even when tcpdump captured outgoing requests to that port.

I tried using auditd to capture them at the kernel level, as I thought ss may not be capturing these small requests.

I used: auditctl -A exit,always -F arch=x86_64 -S connect -S sendmsg -S sendto -k send and then used ausearch -k send -i to look for these requests, but again, to no avail.

I'm wondering how it could be possible that TCP connections are made to an external host while not being captured by auditd?

Thanks in advance!

kjq07bd

1 Answer

  1. The original destination address and destination port can be different, not tcp/8086, but with a DNAT iptables rule in nat/OUTPUT they are rewritten to another address and port. In the tcpdump capture you see the packets after the iptables translation.

  2. It can be a kernel module, not a userspace application. In this case I'm not sure whether auditd can show anything.

  3. It can also be a raw socket, where the packets are constructed in the application. I think in this case you can list raw sockets with the ss --raw command.

  4. It can be another network namespace, not the main one.

  5. This traffic can be forwarded, not locally originated. In this case ss and auditd show nothing.

Anton Danilov
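The checks the answer suggests, collected into one script as an added example (not code from the question or the answer). It assumes Linux with iproute2 (ss), iptables, and util-linux (lsns, nsenter); the live checks need root, while rule_rewrites_to_port is a pure string check that runs anywhere. The kernel-module case (2) has no simple userspace check and is only noted.

```shell
#!/bin/sh
# Walk the answer's explanations for a port seen by tcpdump but not by ss.
# Usage: sudo sh check_port_origin.sh 8086   (run as root for cases 3-5)
PORT="${1:-8086}"   # destination port from the question; overridable

# Case 1: does an `iptables -t nat -S OUTPUT` line DNAT traffic to port $2?
rule_rewrites_to_port() {   # $1 = rule line, $2 = port; returns 0 on match
    case "$1" in
        *"-j DNAT "*"--to-destination "*":$2") return 0 ;;
    esac
    return 1
}

check_dnat() {
    iptables -t nat -S OUTPUT 2>/dev/null | while IFS= read -r rule; do
        if rule_rewrites_to_port "$rule" "$PORT"; then
            echo "DNAT rewrites the real destination: $rule"
        fi
    done
}

# Case 2 (kernel module): not checkable from the socket table; see lsmod.

# Case 3: raw sockets never appear in the TCP socket table
check_raw_sockets() { ss -ap --raw 2>/dev/null || true; }

# Case 4: look in every network namespace, not just the main one
check_namespaces() {
    lsns -t net -n -o NS,PID 2>/dev/null | while read -r ns pid; do
        [ -n "$pid" ] || continue
        out=$(nsenter -t "$pid" -n ss -ntap "( dport = :$PORT )" 2>/dev/null | tail -n +2)
        [ -n "$out" ] && printf 'netns %s (pid %s):\n%s\n' "$ns" "$pid" "$out"
    done
}

# Case 5: forwarded traffic has no local socket; is this node routing?
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

main() {
    check_dnat
    check_raw_sockets
    check_namespaces
    if forwarding_enabled; then
        echo "ip_forward=1: this node may be forwarding the traffic for another host"
    fi
}

if [ "$#" -gt 0 ]; then
    main
fi
```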