On Linux, how can I tell which process is sending Ethernet packets?

Question

I'm running gkrellm which shows that some process on my Debian Linux system is writing approx 500KB/s to eth0. I'd like to find out which process it is. I know a little bit about netstat, but it shows a gazillion open TCP connections and I can't seem to make it produce any information about traffic.

Does anybody know how I can get a list of processes that are actually using the eth0 interface so that I can track down the offender?

FOLLOWUP: The Debian Linux distribution contains a nethogs package which solves this problem definitively. Related tools that are not quite on the mark include iftop, netstat, and lsof.

This worked for me for very short-lived UDP exchanges: https://serverfault.com/a/683327/119360 — Luc, May 09 '18 at 15:05

score 21 · Accepted Answer · answered Oct 19 '11 at 09:20

21

I prefer nethogs. It's a small ncurses-based console program that displays per-process network traffic status in a convenient way.

answered Oct 19 '11 at 09:20

Janne Pikkarainen

31,454
4
56
78

score 18 · Answer 2 · edited Oct 25 '21 at 20:07

18

netstat -ptu will give you the owning process ids (along with standard netstat info) for all tcp and udp conections. (Normal users will not be able to id all processes.)

If something is sending out a fair amount of constant traffic you should see it on Recv-Q or Send-Q columns 2 and 3 respectively.

Examples:
Recv-Q
sudo watch -n .1 'netstat -tup | grep -E "^[tc,ud]p[6]{0,1}" | sort -nr -k2'

Send-Q
sudo watch -n .1 'netstat -tup | grep -E "^[tc,ud]p[6]{0,1}" | sort -nr -k3'

If you suspect that that process is being triggered by another process ps axf.

edited Oct 25 '21 at 20:07

Michał Leon

105
4

answered Sep 29 '11 at 06:10

84104

12,698
6
43
75

(Not that the -u flag in necessary if you know that you are looking for TCP connections.) – andol Sep 29 '11 at 06:24

score 5 · Answer 3 · edited Sep 29 '11 at 06:21

5

A more manual operation if you are looking for just a process sending/receiving data would be to run the lsof command. This will list all open files for each process which will include network connections as they are file descriptors to the o.s.

Not sure if this is what you are looking for.

edited Sep 29 '11 at 06:21

Bart De Vos

17,761
6
62
81

answered Sep 29 '11 at 04:28

gdurham

879
6
10

score 4 · Answer 4 · answered Sep 29 '11 at 02:34

4

Install iftop (simple text-based) or ntop (graphical).

answered Sep 29 '11 at 02:34

David Schwartz

31,215
2
53
82

1

`iftop` only display bandwidth usage on an interface. – quanta Sep 29 '11 at 02:41
It shows much more than that. By default, it breaks it down by host. – David Schwartz Sep 29 '11 at 02:42
Can it list all processes that are using an interface? If so, could you please show us the command and options? – quanta Sep 29 '11 at 02:48
1

Not directly. But once you find the host, you can find the process, for example with `netstat -pn`. – David Schwartz Sep 29 '11 at 02:49

score 3 · Answer 5 · answered Sep 29 '11 at 02:30

3

Use tcpdump to sniff some packets on this interface:

# tcpdump -vv -s0 -i eth0 -c 100 -w /tmp/eth0.pcap

Copy to client and open with Wireshark to see what happens.

answered Sep 29 '11 at 02:30

quanta

50,327
19
152
213

Not the easiest way to get simple stats but anything even slightly more complicated and wireshark will shine! – Silverfire Oct 19 '11 at 05:57

On Linux, how can I tell which process is sending Ethernet packets?

5 Answers5

Linked