Help more people learn by sharing this post!
Watching your network
There is a number of tools you can use in Linux to see what is going on your machine at the network level, one of the most common is netstat. This command will show you all the connections on your system, including some that you may not be interested in, like UNIX sockets. There are a few flags you can pass to netstat, my favourite set of flags is: -antp
|
1 2 3 4 |
-a all -n show ip instead of host names -t show only tcp connections -p show process id/name |
Another command that will give you similar results is: lsof -nPi
What if you wanted to see the 10 ip addresses with the most connection to your server? You could use a one-liner like this one I came up with:
|
1 |
netstat -ant | grep -i establ | awk -F" " '{print $5}' | cut -d':' -f 1 | sort -n | uniq -c | sort -nr | head -n10 |
You can also see the connections live as they are being made. For that you can use the “watch” command, which will re-run any command every X seconds (by default 2 seconds) and show you the output. So if you wanted to see all the connections for port 80 updated every five seconds you would do this:
|
1 |
watch -n5 "netstat -antp | grep :80" |
There are other tools that also let you see live connections, and even get an idea of the traffic you are getting. These tools are iptraf and iftop . If you need to see the actual data going through your network you will need a packet sniffer like tcpdump or wireshark.
Related posts:
Tshark network forensics