Managing and keeping tabs of network traffic on Linux
netstat: dumb but it does the job
What if you want to find out which programs are communicating with hosts on the Internet? That’s netstat’s job.
Since netstat is a terminal program, I’m gonna open a terminal program to get the following screenshots. Do not worry — you can follow the examples alright, because (despite what Windows zealots think) the terminal does not bite. Trust me: I was bitten by a Rottweiler once (quite the scare!), but so far not ever by the terminal. Swear to God!
(No, the terminal in Linux is not as stupid as MS-DOS. In fact, MS-DOS got nothin’ on the Linux terminal. The Linux terminal can show you random fortune cookies — try pulling fortunes out of MS-DOS, bitch! And unlike MS-DOS, you don’t need to be a rocket scientist to type on the Linux console.)
rudd-o@karen:~$ netstat -tnp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 190.10.133.30:57830     64.4.37.20:1863         ESTABLISHED20312/kopete
tcp        0      0 190.10.133.30:35859     207.46.107.27:1863      ESTABLISHED20312/kopete
tcp        0      0 190.10.133.30:33625     64.12.26.74:5190        ESTABLISHED20312/kopete
tcp        0      0 190.10.133.30:55528     207.46.27.27:1863       ESTABLISHED20312/kopete
tcp        0      0 190.10.133.30:32943     205.134.246.207:143     ESTABLISHED6965/evolution
tcp        0      0 190.10.133.30:45010     201.234.195.35:22       ESTABLISHED6291/ssh
tcp        0      0 190.10.133.30:41794     207.46.26.111:1863      ESTABLISHED20312/kopete
tcp        0      0 190.10.133.30:39049     207.46.107.57:1863      ESTABLISHED20312/kopete
tcp        0      0 190.10.133.30:55288     64.4.36.21:1863         ESTABLISHED20312/kopete
tcp        0      0 190.10.133.30:58186     207.46.26.79:1863       ESTABLISHED20312/kopete
tcp        0      0 190.10.133.30:44143     203.174.86.130:22       ESTABLISHED4436/ssh
tcp        0      0 190.10.133.30:50222     207.46.26.121:1863      ESTABLISHED20312/kopete
tcp        0      0 190.10.133.30:40477     207.46.27.34:1863       ESTABLISHED20312/kopete
tcp        0      0 190.10.133.30:50458     207.46.26.69:1863       ESTABLISHED20312/kopete
tcp        0      0 127.0.0.1:37979         127.0.0.1:22            ESTABLISHED26792/nxssh
tcp        0      0 190.10.133.30:42312     65.54.228.45:1863       ESTABLISHED20312/kopete
tcp        0      0 190.10.133.30:38203     85.17.40.227:80         ESTABLISHED12728/ktorrentQ0Chw
tcp        0      0 190.10.133.30:38026     85.17.40.227:80         ESTABLISHED6482/ktorrentO6i7Ib
tcp        0      0 190.10.133.30:36559     85.17.40.227:80         ESTABLISHED8756/ktorrentscWrEa
tcp        0      0 190.10.133.30:33910     85.17.40.228:80         ESTABLISHED8745/ktorrentUEYsvc
tcp        0      0 190.10.133.30:33679     85.17.40.227:80         ESTABLISHED11637/ktorrentEVzOe
tcp        0      0 190.10.133.30:41446     205.134.246.207:22      ESTABLISHED30037/ssh
tcp        0      0 190.10.133.30:34096     85.17.40.228:80         ESTABLISHED25019/ktorrentQwA3q
tcp        0      0 190.10.133.30:34395     85.17.40.227:80         ESTABLISHED25495/ktorrentlqrhg
tcp        0      0 190.10.133.30:33537     207.46.26.193:1863      ESTABLISHED20312/kopete
tcp        0      0 192.168.3.1:48198       192.168.3.2:22          ESTABLISHED5922/ssh
tcp        0      0 190.10.133.30:60241     216.239.51.125:5223     ESTABLISHED20312/kopete
tcp        0      0 190.10.133.30:35334     207.46.26.171:1863      ESTABLISHED20312/kopete
tcp        0      0 190.10.133.30:56878     85.17.40.227:80         ESTABLISHED4060/ktorrentMT0VEb
tcp        0      0 190.10.133.30:56819     85.17.40.227:80         ESTABLISHED4059/ktorrentuhNgxa
tcp        0      0 190.10.133.30:56575     85.17.40.227:80         ESTABLISHED4051/ktorrentvWDA2b
tcp        0      0 192.168.3.1:42163       192.168.3.2:4713        ESTABLISHED5733/amarokapp
tcp        0      0 190.10.133.30:57884     205.134.246.207:22      ESTABLISHED8500/ssh
tcp        0      0 190.10.133.30:51115     85.17.40.227:80         ESTABLISHED11635/ktorrent3bmrc
tcp        0      0 190.10.133.30:34656     207.46.26.185:1863      ESTABLISHED20312/kopete
tcp        0      0 190.10.133.30:49335     65.54.228.32:1863       ESTABLISHED20312/kopete
tcp        0      0 190.10.133.30:34686     205.134.246.207:80      TIME_WAIT   -
tcp        0      0 192.168.3.1:60960       192.168.3.2:22          ESTABLISHED29903/ssh
tcp6       0      0 ::ffff:127.0.0.1:22     ::ffff:127.0.0.1:37979  ESTABLISHED26793/sshd: rudd-o
You can see netstat (invoked with the tnp arguments: t for TCP, n for numeric IP addresses instead of host names, p for the PID and name of the owning program) on that screenie, which comes up instantly after you’ve hit ENTER.
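A listing this long is easier to review as a per-program summary. The following is an added example, not part of the original article: it counts ESTABLISHED connections per program and remote port, and copes with the fused ESTABLISHED/PID column and with program names that contain spaces, both visible in the output above. The function names summarize_connections and sample_tnp are hypothetical.

```sh
#!/bin/sh
# Added example (not from the article): per-program summary of ESTABLISHED
# TCP connections. Live use: netstat -tnp | summarize_connections

summarize_connections() {
    awk '
    $1 ~ /^tcp/ {
        # Fields after the foreign address are "State PID/Program". Older
        # net-tools fuse them ("ESTABLISHED20312/kopete") and program names
        # can contain spaces ("sshd: rudd-o"), so rebuild them as one string.
        rest = $6
        for (i = 7; i <= NF; i++) rest = rest " " $i
        if (rest !~ /^ESTABLISHED/) next        # skip TIME_WAIT and friends
        sub(/^ESTABLISHED */, "", rest)         # leaves "PID/Program" or "-"
        prog = rest
        if (prog == "-") prog = "(unknown)"     # owner hidden without root
        else sub(/^[0-9]+\//, "", prog)         # drop the PID
        port = $5
        sub(/^.*:/, "", port)                   # text after the last colon
        count[prog " -> port " port]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Sample rows in the format of the listing above (trimmed for brevity).
sample_tnp() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 190.10.133.30:57830     64.4.37.20:1863         ESTABLISHED20312/kopete
tcp        0      0 190.10.133.30:35859     207.46.107.27:1863      ESTABLISHED20312/kopete
tcp        0      0 190.10.133.30:33625     64.12.26.74:5190        ESTABLISHED20312/kopete
tcp        0      0 190.10.133.30:45010     201.234.195.35:22       ESTABLISHED6291/ssh
tcp        0      0 190.10.133.30:44143     203.174.86.130:22       ESTABLISHED4436/ssh
tcp        0      0 190.10.133.30:34686     205.134.246.207:80      TIME_WAIT   -
tcp6       0      0 ::ffff:127.0.0.1:22     ::ffff:127.0.0.1:37979  ESTABLISHED26793/sshd: rudd-o
EOF
}

sample_tnp | summarize_connections
```

Run as root (or with sudo) on a live system, otherwise sockets owned by other users show "-" in the PID/Program column and end up under "(unknown)".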
Sometimes it’s useful to see host names instead of just IP addresses — for that, you can use netstat -tp, removing the n argument. That will take a bit longer, but in the end will show something like this:
rudd-o@karen:~$ netstat -tp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 30.cpe-190-10-133:35859 by1msg3145616.phx.:msnp ESTABLISHED20312/kopete
tcp        0      0 30.cpe-190-10-133:33625 64.12.26.74:aol         ESTABLISHED20312/kopete
tcp        0      0 30.cpe-190-10-133:55528 by2msg2132816.phx.:msnp ESTABLISHED20312/kopete
tcp        0      0 30.cpe-190-10-133:32943 tobey.rudd-o.com:imap2  ESTABLISHED6965/evolution
tcp        0      0 30.cpe-190-10-133:45010 lujor.com:ssh           ESTABLISHED6291/ssh
tcp        0      0 30.cpe-190-10-133:41794 by2msg1242016.phx.:msnp ESTABLISHED20312/kopete
tcp        0      0 30.cpe-190-10-133:39049 by1msg3245804.phx.:msnp ESTABLISHED20312/kopete
tcp        0      0 30.cpe-190-10-133:55288 by1msg4082108.phx.:msnp ESTABLISHED20312/kopete
tcp        0      0 30.cpe-190-10-133:58186 by2msg1161905.phx.:msnp ESTABLISHED20312/kopete
tcp        0      0 30.cpe-190-10-133:44143 node6501.gplhost.co:ssh ESTABLISHED4436/ssh
tcp        0      0 30.cpe-190-10-133:50222 by2msg1262105.phx.:msnp ESTABLISHED20312/kopete
tcp        0      0 30.cpe-190-10-133:40477 by2msg2233102.phx.:msnp ESTABLISHED20312/kopete
tcp        0      0 30.cpe-190-10-133:50458 by2msg1141816.phx.:msnp ESTABLISHED20312/kopete
tcp        0      0 localhost:37979         localhost:ssh           ESTABLISHED26792/nxssh
tcp        0      0 30.cpe-190-10-133:42312 by1msg3082308.phx.:msnp ESTABLISHED20312/kopete
tcp        0      0 30.cpe-190-10-133:38203 85.17.40.227:www        ESTABLISHED12728/ktorrentQ0Chw
tcp        0      0 30.cpe-190-10-133:38026 85.17.40.227:www        ESTABLISHED6482/ktorrentO6i7Ib
tcp        0      0 30.cpe-190-10-133:36559 85.17.40.227:www        ESTABLISHED8756/ktorrentscWrEa
tcp        0      0 30.cpe-190-10-133:33910 85.17.40.228:www        ESTABLISHED8745/ktorrentUEYsvc
tcp        0      0 30.cpe-190-10-133:33679 85.17.40.227:www        ESTABLISHED11637/ktorrentEVzOe
tcp        0      0 30.cpe-190-10-133:41446 tobey.rudd-o.com:ssh    ESTABLISHED30037/ssh
tcp        0      0 30.cpe-190-10-133:34096 85.17.40.228:www        ESTABLISHED25019/ktorrentQwA3q
tcp        0      0 30.cpe-190-10-133:34395 85.17.40.227:www        ESTABLISHED25495/ktorrentlqrhg
tcp        0      0 30.cpe-190-10-133:33537 by2msg1104414.phx.:msnp ESTABLISHED20312/kopete
tcp        0      0 30.cpe-190-10-133:33537 by2msg1104414.phx.:msnp ESTABLISHED20312/kopete
tcp        0      0 karen:48198             gabriela:ssh            ESTABLISHED5922/ssh
tcp        0      0 30.cpe-190-10-133:60241 kc-in-f125.google.:5223 ESTABLISHED20312/kopete
tcp        0      0 30.cpe-190-10-133:35334 by2msg1282513.phx.:msnp ESTABLISHED20312/kopete
tcp        0      0 30.cpe-190-10-133:56878 85.17.40.227:www        ESTABLISHED4060/ktorrentMT0VEb
tcp        0      0 30.cpe-190-10-133:56819 85.17.40.227:www        ESTABLISHED4059/ktorrentuhNgxa
tcp        0      0 30.cpe-190-10-133:56575 85.17.40.227:www        ESTABLISHED4051/ktorrentvWDA2b
tcp        0    232 karen:42163             gabriela:4713           ESTABLISHED5733/amarokapp
tcp        0      0 30.cpe-190-10-133:57884 tobey.rudd-o.com:ssh    ESTABLISHED8500/ssh
tcp        0      0 30.cpe-190-10-133:51115 85.17.40.227:www        ESTABLISHED11635/ktorrent3bmrc
tcp        0      0 30.cpe-190-10-133:34656 by2msg1104406.phx.:msnp ESTABLISHED20312/kopete
tcp        0      0 30.cpe-190-10-133:49335 by1msg3082119.phx.:msnp ESTABLISHED20312/kopete
tcp        0      0 karen:60960             gabriela:ssh            ESTABLISHED29903/ssh
tcp6       0      0 localhost:ssh           localhost:37979         ESTABLISHED26793/sshd: rudd-o
What if you want to know which programs are listening for network connections on your computer? Use netstat -ltnpu (l restricts the list to listening sockets, u adds UDP to TCP) to see that:
rudd-o@karen:~$ netstat -ltnpu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:7013            0.0.0.0:*               LISTEN      26831/nxagent
tcp        0      0 192.168.3.1:873         0.0.0.0:*               LISTEN      2347/rsync
tcp        0      0 0.0.0.0:8010            0.0.0.0:*               LISTEN      20312/kopete
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      23655/smbd
tcp        0      0 0.0.0.0:81              0.0.0.0:*               LISTEN      23876/apache2
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      5549/vsftpd
tcp        0      0 192.168.3.1:25          0.0.0.0:*               LISTEN      3520/master
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      3520/master
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      23655/smbd
tcp6       0      0 :::7013                 :::*                    LISTEN      26831/nxagent
tcp6       0      0 :::22                   :::*                    LISTEN      655/sshd
udp        0      0 0.0.0.0:32768           0.0.0.0:*                           5306/avahi-daemon:
udp        0      0 0.0.0.0:514             0.0.0.0:*                           5147/syslogd
udp        0      0 192.168.3.1:137         0.0.0.0:*                           23653/nmbd
udp        0      0 192.168.2.4:137         0.0.0.0:*                           23653/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           23653/nmbd
udp        0      0 192.168.3.1:138         0.0.0.0:*                           23653/nmbd
udp        0      0 192.168.2.4:138         0.0.0.0:*                           23653/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           23653/nmbd
udp        0      0 0.0.0.0:67              0.0.0.0:*                           9964/dhcpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           20406/dhclient3
udp        0      0 0.0.0.0:8010            0.0.0.0:*                           20312/kopete
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           5306/avahi-daemon:
You can see I run a pretty tight machine — by the way, hackers, don’t bother because those services listening on all network interfaces are firewalled to the outside world.
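Which listeners depend on that firewall can be read straight off the Local Address column: 0.0.0.0 and :: mean "every interface". The following added example (not part of the original article) sorts each listener into all-interfaces, loopback or bound to one address. The function names audit_listeners, exposed_listeners and sample_ltnpu are hypothetical.

```sh
#!/bin/sh
# Added example (not from the article): classify each listener by the address
# it is bound to. Live use: netstat -ltnpu | audit_listeners

audit_listeners() {
    awk '
    $1 ~ /^(tcp|udp)/ {
        # TCP rows have a State column (LISTEN); listening UDP rows leave it
        # empty, so PID/Program starts at field 7 for TCP and field 6 for UDP.
        first = ($1 ~ /^tcp/) ? 7 : 6
        owner = $first
        for (i = first + 1; i <= NF; i++) owner = owner " " $i
        sub(/^[0-9]+\//, "", owner)             # drop the PID
        host = $4; sub(/:[^:]*$/, "", host)     # address before the last colon
        port = $4; sub(/^.*:/, "", port)        # port after the last colon
        if (host == "0.0.0.0" || host == "::")       scope = "all-interfaces"
        else if (host ~ /^127\./ || host == "::1")   scope = "loopback"
        else                                         scope = "bound:" host
        print scope, $1 "/" port, owner
    }' | LC_ALL=C sort -u
}

# Wildcard-bound listeners are the ones that rely entirely on the firewall.
exposed_listeners() { audit_listeners | grep '^all-interfaces ' || true; }

# Sample rows in the format of the listing above (trimmed for brevity).
sample_ltnpu() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.3.1:873         0.0.0.0:*               LISTEN      2347/rsync
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      23655/smbd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      3520/master
tcp6       0      0 :::22                   :::*                    LISTEN      655/sshd
udp        0      0 192.168.2.4:137         0.0.0.0:*                           23653/nmbd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           5306/avahi-daemon:
EOF
}

sample_ltnpu | exposed_listeners
```

Every line reported by exposed_listeners should match a deliberate firewall rule or be rebound to a specific address in the service's own configuration.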
The next page discusses mtr — the rich man’s traceroute.