At the beginning of my post you've got the logs generated by a script running tcpdump/netstat/ps in order to track outgoing connections and the owning process on the server.
It looks like PMS is initiating these connections using dynamic ports.
Try running Wireshark for a while on your PMS to track these 2 IPs; you should see it.
I will post the script as well if you want to use it.
Plex uses Cloudflare for DNS and so does ilovepdf . com. This means that any IP address resolved for app.plex.tv will more than likely resolve to a Cloudflare-owned IP address.
Here is a list of IP addresses used by Cloudflare: IP Ranges
#!/bin/bash
LOG="/logs.txt"
LOCAL_IP="EXTERNAL_IP"
echo "[$(date '+%F %T')] Démarrage surveillance connexions sortantes depuis : IP ${LOCAL_IP}" >> "$LOG"
# Capture TCP packets with the SYN flag set, excluding destination port 443 and the 192.168.0.0/16 LAN
tcpdump -n -l -q 'ip and not dst port 443 and not (dst net 192.168.0.0/16) and tcp[tcpflags] & tcp-syn != 0' 2>/dev/null | while read -r line;
do
    # Extract src_ip, src_port, dst_ip, dst_port
    if [[ "$line" =~ IP[[:space:]]([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.([0-9]+)[[:space:]]\>[[:space:]]([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.([0-9]+): ]]; then
        SRC_IP="${BASH_REMATCH[1]}"
        SRC_PORT="${BASH_REMATCH[2]}"
        DST_IP="${BASH_REMATCH[3]}"
        DST_PORT="${BASH_REMATCH[4]}"
        # Keep only outgoing connections coming from the local IP
        [[ "$SRC_IP" == "$LOCAL_IP" ]] || continue
        # Get the timestamp
        TS="$(date '+%F %T')"
        # Find the netstat line matching local ip:port and get PID/name
        PROC=$(netstat -plant 2>/dev/null | awk -v ip="$SRC_IP" -v port="$SRC_PORT" '
            $4 == ip":"port { print $7; exit }
        ')
        if [[ -n "$PROC" && "$PROC" != "-" ]]; then
            echo "[$TS] Connexion détectée: ${SRC_IP}:${SRC_PORT} -> ${DST_IP}:${DST_PORT}" >> "$LOG"
            echo " -> Processus : ${PROC}" >> "$LOG"
            # Extract the PID (before the /). netstat gives "PID/name"
            PID="${PROC%%/*}"
            if [[ "$PID" =~ ^[0-9]+$ ]]; then
                # Get the full command line
                CMD=$(ps -p "$PID" -o cmd= 2>/dev/null)
                if [[ -n "$CMD" ]]; then
                    echo " -> Ligne de commande : ${CMD}" >> "$LOG"
                fi
            fi
            echo "----" >> "$LOG"
        fi
    fi
done
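As an added example (not part of the original post, and not Plex's own tooling), the log this script writes can be summarized per owning program and destination, with each destination tagged by whether it falls inside a CIDR list such as Cloudflare's published ranges. The function names, the sample log and the 203.0.113.0/24 range are constructed placeholders; real ranges have to be taken from Cloudflare's list.

```bash
# Added example (bash). summarize_log LOGFILE [CIDR ...] prints
# "COUNT PROGRAM DST_IP:DST_PORT TAG" for the log written by the script above;
# TAG is "listed" when the destination is inside one of the given CIDR ranges.
summarize_log() {
    local log="$1"; shift
    awk -v cidrs="$*" '
    function ip2int(ip,    o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function listed(ip,    i, p, size) {
        for (i = 1; i <= n; i++) {
            split(range[i], p, "/")
            size = 2 ^ (32 - p[2])    # number of addresses in a block of that prefix
            if (int(ip2int(ip) / size) == int(ip2int(p[1]) / size)) return 1
        }
        return 0
    }
    BEGIN { n = split(cidrs, range, " ") }
    # Header line: "[date time] Connexion ...: src:port -> dst:port"
    /Connexion/ && $(NF - 1) == "->" { dst = $NF; next }
    # Owner line: " -> Processus : PID/name"
    /Processus : / && dst != "" {
        prog = $0
        sub(/^.*Processus : [0-9]+\//, "", prog)    # drop the prefix and the PID
        count[prog SUBSEP dst]++
        dst = ""
    }
    END {
        for (k in count) {
            split(k, f, SUBSEP); split(f[2], hp, ":")
            print count[k], f[1], f[2], (listed(hp[1]) ? "listed" : "unlisted")
        }
    }' "$log" | LC_ALL=C sort -k1,1nr -k2
}
# Constructed sample in the log format of the script (documentation addresses only).
sample_log() {
    cat <<'EOF'
[2025-01-01 10:00:05] Connexion détectée: 198.51.100.7:51000 -> 203.0.113.10:80
 -> Processus : 1234/Plex
----
[2025-01-01 10:01:05] Connexion détectée: 198.51.100.7:51002 -> 203.0.113.10:80
 -> Processus : 1234/Plex
----
[2025-01-01 10:02:00] Connexion détectée: 198.51.100.7:51004 -> 192.0.2.55:8080
 -> Processus : 4321/curl
EOF
}
```

Destinations tagged "unlisted" that recur for the same program are the ones worth following up with a packet capture.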
No, DNS does not use port 80; that is the default for HTTP traffic. But your computer does use DNS to find the IP address of where app.plex.tv is, regardless of the port that it is trying to communicate to.
In other words this is expected behavior and nothing to be alarmed about.
We have had a number of problems this past week due to the Amazon outage and Operations have changed a few things on the backend to make it more resilient.
I’m going to forward this to them and ask for information & assistance.