LinuxQuestions.org
Old 11-20-2013, 03:56 AM   #1
byran cheung
Member
 
Registered: Sep 2013
Posts: 321

Rep: Reputation: Disabled
how to know what data is coming and


On my Redhat server, I know there is some data being written to the server. This data is coming from remote servers, but I do not know which files (or which directory) are being written. Could you advise how I can find out which files are being updated on my server? Besides, as some data is coming from various remote servers, how can I find out which remote servers are connected, what service is used to connect to these remote servers, and what data is copied from the remote servers?

I only know that some data is copied from remote servers, but I don't know where it comes from or which files have been updated.

Many thanks
 
Old 11-20-2013, 04:26 AM   #2
cliffordw
Member
 
Registered: Jan 2012
Location: South Africa
Posts: 481

Rep: Reputation: 179Reputation: 179
Hi there,

To identify files being updated, you probably need to identify the protocol being used first, then look at monitoring/logging available for the tools/services in question (for example HTTP & Apache).

If you don't know who is coming at you, or with which protocol, I'd suggest you look at tools like nmap or ntop to identify these.

Good luck!
 
Old 11-20-2013, 05:10 AM   #3
byran cheung
Member
 
Registered: Sep 2013
Posts: 321

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by cliffordw View Post
Hi there,

To identify files being updated, you probably need to identify the protocol being used first, then look at monitoring/logging available for the tools/services in question (for example HTTP & Apache).

If you don't know who is coming at you, or with which protocol, I'd suggest you look at tools like nmap or ntop to identify these.

Good luck!
Can I find out the details of the connected servers with nmap or ntop? Thanks
 
Old 11-20-2013, 05:32 AM   #4
cliffordw
Member
 
Registered: Jan 2012
Location: South Africa
Posts: 481

Rep: Reputation: 179Reputation: 179
Hi,

Sorry, nmap is the wrong tool - meant tcpdump. This is a command line tool you can use to capture all network traffic in real time. The easiest way to make sense of it is probably to capture it in a file, and then look at it with a GUI tool like wireshark (https://www.wireshark.org/). See http://www.danielmiessler.com/study/tcpdump/ for a primer on tcpdump.

Ntop (http://www.ntop.org/) works a little differently. It runs in the background, looking at IP addresses and ports for the traffic, and doing some of the analysis for you. Results are available in a web interface. You need to leave it for a while to gather some stats first, so it's less real time. It's probably an easier tool to get started with, though.

Regards,

Clifford
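Clifford's advice is to capture to a file with tcpdump and then make sense of it afterwards. The following is an added example, not code from the thread or from any of the tools mentioned: it reads the one-line-per-packet text that `tcpdump -nn -r capture.pcap` prints and summarises inbound packets and payload bytes per remote host and local port, which answers "which remote hosts are sending us data, and to which service". The address 198.51.100.5 (the monitored server), the interface eth0 and the sample dump lines are all constructed for the example; only IPv4 lines are handled.

```shell
#!/bin/sh
# Added example, not part of the thread. Summarise tcpdump text output into
# "remote host -> local port, packets, payload bytes" so a capture file can be
# read without a GUI. On a real server (root, real interface; names are
# hypothetical):
#   tcpdump -i eth0 -nn -w capture.pcap          # capture everything to a file
#   tcpdump -nn -r capture.pcap | summarize_capture 198.51.100.5

# Constructed sample of tcpdump's text output (two remote hosts talking to us).
SAMPLE_DUMP='10:15:01.000001 IP 192.0.2.10.51234 > 198.51.100.5.22: Flags [P.], seq 1:65, ack 1, win 501, length 64
10:15:01.000002 IP 198.51.100.5.22 > 192.0.2.10.51234: Flags [.], ack 65, win 501, length 0
10:15:01.000003 IP 192.0.2.10.51234 > 198.51.100.5.22: Flags [P.], seq 65:1089, ack 1, win 501, length 1024
10:15:02.000004 IP 203.0.113.7.40000 > 198.51.100.5.445: Flags [P.], seq 1:513, ack 1, win 501, length 512
10:15:03.000005 IP 203.0.113.7.40000 > 198.51.100.5.445: Flags [P.], seq 513:1025, ack 1, win 501, length 512'

# usage: summarize_capture LOCAL_IP < tcpdump-text-output
# Keeps only packets whose destination is LOCAL_IP (data coming *in* to this
# server), then totals packets and the trailing "length N" payload bytes per
# (source host, destination port). Output is sorted by bytes, largest first.
summarize_capture() {
    awk -v local="$1" '
        $2 == "IP" && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)           # "198.51.100.5.22:" -> "198.51.100.5.22"
            dport = dst; sub(/.*\./, "", dport)    # text after the last dot is the port
            daddr = dst; sub(/\.[0-9]+$/, "", daddr)
            saddr = $3;  sub(/\.[0-9]+$/, "", saddr)
            if (daddr != local) next               # replies we send out are not interesting here
            len = 0
            for (i = 6; i <= NF; i++) if ($i == "length") { len = $(i + 1); break }
            key = saddr " -> port " dport
            pkts[key]++; bytes[key] += len
        }
        END {
            for (k in pkts) printf "%s %d packets %d bytes\n", k, pkts[k], bytes[k]
        }' | LC_ALL=C sort -k7,7nr
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_DUMP" | summarize_capture 198.51.100.5
```

The result lists the ssh (port 22) and SMB (port 445) senders with their byte totals; once the protocol and peer are known, the service's own logs (sshd, Samba, NFS, Apache and so on) are the place to look for which files were written, as post #2 suggests.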
 
Old 11-20-2013, 05:54 AM   #5
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233Reputation: 233Reputation: 233
You could also use netstat or its newer version ss to see which sockets are open and thereby see which servers connect to you and which servers you connect to.
 
Old 11-20-2013, 10:26 AM   #6
ust
Senior Member
 
Registered: Mar 2003
Location: fasdf
Distribution: Debian / Suse /RHEL
Posts: 1,130

Rep: Reputation: 30
Quote:
Originally Posted by cliffordw View Post
Hi,

Sorry, nmap is the wrong tool - meant tcpdump. This is a command line tool you can use to capture all network traffic in real time. The easiest way to make sense of it is probably to capture it in a file, and then look at it with a GUI tool like wireshark (https://www.wireshark.org/). See http://www.danielmiessler.com/study/tcpdump/ for a primer on tcpdump.

Ntop (http://www.ntop.org/) works a little differently. It runs in the background, looking at IP addresses and ports for the traffic, and doing some of the analysis for you. Results are available in a web interface. You need to leave it for a while to gather some stats first, so it's less real time. It's probably an easier tool to get started with, though.

Regards,

Clifford
Do wireshark and tcpdump have a GUI tool that runs on a Linux server? Thanks
 
Old 11-20-2013, 11:46 AM   #7
cliffordw
Member
 
Registered: Jan 2012
Location: South Africa
Posts: 481

Rep: Reputation: 179Reputation: 179
Wireshark is a GUI tool, and it will read dumps saved by tcpdump. Both are available for Linux servers, yes.
 
Old 11-20-2013, 11:47 AM   #8
cliffordw
Member
 
Registered: Jan 2012
Location: South Africa
Posts: 481

Rep: Reputation: 179Reputation: 179
Quote:
Originally Posted by zhjim View Post
You could also use netstat or its newer version ss to see which sockets are open and thereby see which servers connect to you and which servers you connect to.
Ah, yes - forgot to mention netstat. This is the easiest thing to use if you know when the clients are connected, and can monitor while they're busy.
 
Old 11-20-2013, 10:24 PM   #9
byran cheung
Member
 
Registered: Sep 2013
Posts: 321

Original Poster
Rep: Reputation: Disabled
Thanks for all the replies,

About wireshark: I have installed it on the Linux server. Could you advise how I can use it? If I would like to use my PC browser to connect to this wireshark on Linux, is that possible? Or can I only use wireshark through the Linux GUI? Thanks

Last edited by byran cheung; 11-20-2013 at 10:25 PM.
 
Old 11-21-2013, 12:55 AM   #10
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,240

Rep: Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324Reputation: 2324
As above, start with netstat to see which services are listening.
You can also identify nfs and samba shares with df, and/or cat the /etc/fstab file, and/or use the mount cmd (no params reqd).

See also
Code:
iptables  -nvL
to check which ports are open or use nmap against your own address as shown by ifconfig.
Don't check 127.0.0.1 ...

You really shouldn't need to get into tcpdump and tshark/wireshark with any luck.

Last edited by chrism01; 11-21-2013 at 12:58 AM.
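zhjim's post (#5), cliffordw's follow-up (#8) and chrism01's post (#10) all point at netstat/ss for seeing which sockets are open. The following is an added example, not code from the thread: it takes the text output of `ss -tn` (established TCP sockets) and prints, per remote host, which local service it is connected to, separating connections that came in to this server from ones this server opened outward. The server address 198.51.100.5, the sample socket lines and the small port-to-service table are constructed for the example; the "ephemeral port above 32767 means we dialled out" rule is a heuristic based on Linux's default local port range, and `netstat -tn` prints its columns in a different order, so the field numbers below apply to ss only.

```shell
#!/bin/sh
# Added example, not part of the thread. Group `ss -tn` output by remote peer
# and local service. Live use on the server (hypothetical address):
#   ss -tn | peers_by_port 198.51.100.5
# Add -p (as root) to ss to also see the owning process of each socket.

# Constructed sample of `ss -tn` output: State Recv-Q Send-Q Local Peer.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      198.51.100.5:22      192.0.2.10:51234
ESTAB  0      0      198.51.100.5:445     203.0.113.7:40000
ESTAB  0      0      198.51.100.5:445     203.0.113.7:40002
ESTAB  0      0      198.51.100.5:2049    192.0.2.22:870
ESTAB  0      0      198.51.100.5:51900   192.0.2.30:443'

# usage: peers_by_port LOCAL_IP < ss-output
# inbound:  the remote host connected to a service listening on this server
# outbound: this server connected to a service on the remote host
# Connection counts per (peer, service) are printed in parentheses.
peers_by_port() {
    awk -v local="$1" '
        # Small constructed port-to-name table; use `getent services PORT`
        # on a real system for the full list.
        BEGIN { svc[22] = "ssh"; svc[80] = "http"; svc[443] = "https"; svc[445] = "smb"; svc[2049] = "nfs" }
        function name(p) { return (p in svc) ? svc[p] "/" p : "port/" p }
        $1 == "ESTAB" {
            lport = $4; sub(/.*:/, "", lport)        # local port
            laddr = $4; sub(/:[0-9]+$/, "", laddr)   # local address
            paddr = $5; sub(/:[0-9]+$/, "", paddr)   # peer address
            pport = $5; sub(/.*:/, "", pport)        # peer port
            if (laddr != local) next                 # sockets bound to other addresses
            # Heuristic: a local port in the ephemeral range (> 32767 by Linux
            # default) means this server initiated the connection.
            if (lport + 0 > 32767) outb[paddr " -> " name(pport)]++
            else                    inb[paddr " -> " name(lport)]++
        }
        END {
            for (k in inb)  printf "inbound %s (%d)\n", k, inb[k]
            for (k in outb) printf "outbound %s (%d)\n", k, outb[k]
        }' | LC_ALL=C sort
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SS" | peers_by_port 198.51.100.5
```

For the sample this shows one ssh session, one NFS client, two SMB connections from the same host and one outbound HTTPS connection; the inbound lines are the remote servers the original poster is asking about, and the service name tells which daemon's logs to check next.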
 