Linux - General
This Linux forum is for general Linux questions and discussion. If it is Linux related and doesn't seem to fit in any other forum, then this is the place.
I'd like to know if it's possible to have something that listens to all network traffic and would give me, for any particular connection, what process is writing / reading to/from it?
1. tcpdump listens to everything, continuously, and prints the packets, but not the process ids bound to them.
2. ss, netstat and lsof print the process id or command name, but they don't listen to all packets. They have a continuous mode, but it seems like they're really just recurrent snapshots. It's not capturing traffic in between.
What are my other options?
My ultimate goal is to have a bash function/script that would give me the process IDs or application names connecting to a remote IP. I already have the necessary bash code that lists all connections to the outside world with tcpdump.
Code:
root@messagerie-principale[10.10.10.19] ~ # net.connexions.to.outside
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
10:38:33.345155 10.10.10.19.56487 - 158.69.65.151.443: CA Quebec OVH Hosting, Inc.
10:38:34.104469 10.10.10.19.56488 - 158.69.65.151.443: CA Quebec OVH Hosting, Inc.
I need a companion that would print further info about a particular remote IP (what process connects to it). For the example above, I'm curious to know what connects to 158.69.65.151?
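An added example of the "companion" asked for above; this is not the poster's script nor anything from the thread. It does, for one remote IP, what `netstat -p` / `ss -p` do for all connections: read the socket inodes out of `/proc/net/tcp`, then walk `/proc/<pid>/fd` for the process holding each one. Function names (`ip_to_hex`, `inodes_for_remote`, `who_talks_to`, ...) are my own; the `/proc/net/tcp` rows, pids 4242 and 57, and inode numbers in `make_sample` are constructed so the functions can be exercised offline, and assume Linux, IPv4 only, and enough privilege to read other users' `/proc/<pid>/fd`. Like ss and netstat it is a snapshot, so it answers "who is connected to 158.69.65.151 right now", not "who was".

```shell
#!/bin/sh
# Added example, not code from the thread: given a remote IP, print the local
# processes that currently hold a TCP connection to it, using the same /proc data
# that `ss -p` and `netstat -p` read. Assumptions: Linux, IPv4 (/proc/net/tcp only),
# and permission to read /proc/<pid>/fd (root sees every process). Like ss/netstat
# it is a snapshot: run it while the connection tcpdump showed is still open.

# ip_to_hex 158.69.65.151 -> 9741459E (little-endian hex, as /proc/net/tcp stores it)
ip_to_hex() (
    IFS=.
    set -- $1
    printf '%02X%02X%02X%02X\n' "$4" "$3" "$2" "$1"
)

# hex_to_ip 9741459E -> 158.69.65.151
hex_to_ip() {
    set -- $(printf '%s\n' "$1" | sed 's/^\(..\)\(..\)\(..\)\(..\)$/\1 \2 \3 \4/')
    printf '%d.%d.%d.%d\n' "0x$4" "0x$3" "0x$2" "0x$1"
}

# inodes_for_remote TABLE IP: socket inodes (column 10) of every row of TABLE, a file
# in /proc/net/tcp format, whose rem_address (column 3) is IP, on any port.
inodes_for_remote() {
    awk -v want="$(ip_to_hex "$2"):" 'NR > 1 && index($3, want) == 1 { print $10 }' "$1"
}

# pids_for_inode PROCROOT INODE: PIDs whose fd table contains a link to socket:[INODE]
pids_for_inode() {
    for fd in "$1"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        if [ "$(readlink "$fd")" = "socket:[$2]" ]; then
            rest=${fd#"$1"/}          # e.g. 4242/fd/7
            printf '%s\n' "${rest%%/*}"
        fi
    done | sort -un
}

# who_talks_to IP [TABLE] [PROCROOT]: one "PID COMM" line per process connected to IP.
# TABLE and PROCROOT default to the live kernel files; the offline demo passes fakes.
who_talks_to() {
    table=${2:-/proc/net/tcp}
    procroot=${3:-/proc}
    for inode in $(inodes_for_remote "$table" "$1"); do
        for pid in $(pids_for_inode "$procroot" "$inode"); do
            printf '%s %s\n' "$pid" "$(cat "$procroot/$pid/comm" 2>/dev/null || echo '?')"
        done
    done | sort -un
}

# make_sample DIR: constructed data (not captured from a real host) so the functions
# can be exercised offline: two sockets from 10.10.10.19 to 158.69.65.151:443 owned
# by a fake pid 4242 ("curl"), plus a listening socket owned by a fake pid 57 ("sshd").
make_sample() {
    mkdir -p "$1/proc/4242/fd" "$1/proc/57/fd"
    cat > "$1/tcp" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 130A0A0A:DCA7 9741459E:01BB 01 00000000:00000000 00:00000000 00000000     0        0 123456 1 0000000000000000 20 4 30 10 -1
   1: 130A0A0A:DCA8 9741459E:01BB 01 00000000:00000000 00:00000000 00000000     0        0 123457 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 99999 1 0000000000000000 100 0 0 10 0
EOF
    ln -s 'socket:[123456]' "$1/proc/4242/fd/7"
    ln -s 'socket:[123457]' "$1/proc/4242/fd/8"
    ln -s 'socket:[99999]'  "$1/proc/57/fd/3"
    echo curl > "$1/proc/4242/comm"
    echo sshd > "$1/proc/57/comm"
}

# Offline demo on the constructed sample; on a real host just call: who_talks_to 158.69.65.151
demo() {
    dir=$(mktemp -d)
    make_sample "$dir"
    who_talks_to 158.69.65.151 "$dir/tcp" "$dir/proc"    # prints: 4242 curl
    rm -rf "$dir"
}
```

Only `/proc/net/tcp` is read, so a connection over IPv6 (`/proc/net/tcp6`, 32 hex digits per address) or UDP would be missed; for the tcpdump lines above (IPv4, port 443) that is enough. Because a socket inode can be shared after `fork()`, a single connection may legitimately map to more than one PID, which is why the result is de-duplicated per process rather than per socket.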
netstat -p will list all the living connections and will tell you what processes are using them. Monitoring all the incoming/outgoing traffic may require a lot of resources, if you want to connect them to the running apps/services/daemons/whatever in real time.
It seems that netstat lists what it sees at the moment you invoke it (a snapshot). I need something that works continuously, and netstat -c only takes snapshots every s seconds.
See previous post. How much data can you (and your storage) handle? What do you mean by continuously? Do you want to know the state of your network in every microsecond?
Again, look for [network] monitoring software like nagios.