[PLUG] Interesting question came up on the way to fixing a Windows system
Martin A. Brown
martin at linux-ip.net
Sat Dec 6 21:26:52 UTC 2014
Hi there,
> Is there a way to determine which 'program' on a Linux box is
> creating network traffic.
There's a pretty powerful (general purpose Unix) tool called 'lsof'
which ships with, or is available on most distributions (that I
have used). The command-line syntax for the tool is not the most
convenient, however, the tool does precisely what you want. If you
know the number of the local port, you can use lsof to get the
process ID (and some other useful info).
Suppose you suspect that a user on your multiuser system is browsing
the 'www.pdxlinux.org' site with a raw TCP connection tool, a
heart-rendingly awful and strictly forbidden activity (only w3m,
lynx and elinks are allowed by policy!), and you know the port that
the user is connecting from (here it is just a random high port):
$ lsof -n -P -M -i -- 4@0.0.0.0:44098
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
socat 25285 mabrown 3u IPv4 2650646 0t0 TCP 172.18.18.172:44098->69.168.60.124:80 (ESTABLISHED)
OK, so we know we need to chastise this 'mabrown' character, but we
can see that he is using 'socat'.
The options I like to add:
-n turn off hostname lookup
-M turn off any portmapper lookups
-P turn off port name lookup
-i the description of the port / socket to look up
Of course, 'lsof' has about four hundred other options and
invocation parameters. If you simply want an inventory of all
open files, drop the '-i <name>' option. There's much data to
be had here.
Good luck and enjoy,
-Martin
--
Martin A. Brown
http://linux-ip.net/
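As an added illustration (not part of Martin's message or of lsof itself): a small Python script that parses lsof's machine-readable `-F` output, which is far easier to script against than the columnar table quoted above, and reports which command, PID and user own a given local port. The sample output is constructed to mirror the socat session in the post; when lsof is installed the script queries the live host instead.

```python
"""Map local ports to owning processes from lsof's -F (field) output."""
import shutil
import subprocess

# Constructed sample of `lsof -n -P -M -i -F pcLfPn` output, not a real capture.
# With -F every field is one line, prefixed by its field id.
SAMPLE = """p25285
csocat
Lmabrown
f3
PTCP
n172.18.18.172:44098->69.168.60.124:80
p812
csshd
Lroot
f3
PTCP
n*:22
"""

def parse_lsof_fields(text):
    """Return one dict per socket with pid, command, user, fd, proto, local, remote.

    A 'p' line opens a process set, an 'f' line opens a file set inside it;
    the fields that follow belong to the most recently opened set.
    """
    records, proc, sock = [], {}, None
    for line in text.splitlines():
        if not line:
            continue
        tag, value = line[0], line[1:]
        if tag == "p":
            proc = {"pid": int(value)}
        elif tag == "c":
            proc["command"] = value
        elif tag == "L":
            proc["user"] = value
        elif tag == "f":
            sock = dict(proc, fd=value)
            records.append(sock)
        elif tag == "P":
            sock["proto"] = value
        elif tag == "n":  # local[->remote]; '*' means any local address
            local, _, remote = value.partition("->")
            sock["local"], sock["remote"] = local, remote or None
    return records

def owners_of_local_port(text, port):
    """Sorted (command, pid, user) tuples for sockets whose local port matches."""
    return sorted({(r["command"], r["pid"], r["user"]) for r in parse_lsof_fields(text)
                   if r["local"].rsplit(":", 1)[-1] == str(port)})

if __name__ == "__main__":
    text = SAMPLE
    if shutil.which("lsof"):  # prefer the live host when lsof is available
        cmd = ["lsof", "-n", "-P", "-M", "-i", "-F", "pcLfPn"]
        text = subprocess.run(cmd, capture_output=True, text=True).stdout or SAMPLE
    for owner in owners_of_local_port(text, 44098):
        print(owner)
```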