20

I'm running gkrellm which shows that some process on my Debian Linux system is writing approx 500KB/s to eth0. I'd like to find out which process it is. I know a little bit about netstat, but it shows a gazillion open TCP connections and I can't seem to make it produce any information about traffic.

Does anybody know how I can get a list of processes that are actually using the eth0 interface so that I can track down the offender?


FOLLOWUP: The Debian Linux distribution contains a nethogs package which solves this problem definitively. Related tools that are not quite on the mark include iftop, netstat, and lsof.

Norman Ramsey

5 Answers

21

I prefer nethogs. It's a small ncurses-based console program that displays per-process network traffic status in a convenient way.

Janne Pikkarainen
18

netstat -ptu will give you the owning process IDs (along with standard netstat info) for all TCP and UDP connections. (Normal users will not be able to ID all processes.)

If something is sending out a fair amount of constant traffic you should see it on Recv-Q or Send-Q columns 2 and 3 respectively.

Examples:
Recv-Q
sudo watch -n .1 'netstat -tup | grep -E "^(tcp|udp)6?" | sort -nr -k2'

Send-Q
sudo watch -n .1 'netstat -tup | grep -E "^(tcp|udp)6?" | sort -nr -k3'

If you suspect that that process is being triggered by another process, use ps axf.

Michał Leon
  • (Not that the -u flag is necessary if you know that you are looking for TCP connections.) – andol Sep 29 '11 at 06:24
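An added example, not part of the answer above: netstat -p ties a socket to a process by matching the inode column of /proc/net/tcp against the socket:[inode] links under /proc/<pid>/fd, and its Send-Q/Recv-Q columns are that file's tx_queue/rx_queue fields. The sketch below does the same join per PID; the function names and sample data are constructed for illustration, and it assumes Linux, IPv4 (/proc/net/tcp only) and a little-endian host.

```python
import os
import re
import socket
from collections import defaultdict

# Constructed samples; inode 15002 deliberately has no visible owner (as for a non-root user).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 15001
   1: 0A0200C0:0016 057100CB:D2F0 01 00000040:00000000 01:00000014 00000000     0        0 15002
   2: 0A0200C0:9C40 076433C6:01BB 01 0007A120:00000000 01:00000014 00000000  1000        0 15003
"""
SAMPLE_FDS = {812: ["socket:[15001]", "/dev/null"], 2044: ["pipe:[9001]", "socket:[15003]"]}

def decode_addr(hexaddr):
    """'076433C6:01BB' -> '198.51.100.7:443' (IPv4 as stored on a little-endian host)."""
    ip_hex, port_hex = hexaddr.split(":")
    return f"{socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])}:{int(port_hex, 16)}"

def parse_tcp(text):
    """Yield one dict per socket row; tx_queue/rx_queue are netstat's Send-Q/Recv-Q."""
    for f in map(str.split, text.splitlines()[1:]):  # [1:] skips the header row
        if len(f) < 10:
            continue
        send_q, recv_q = (int(x, 16) for x in f[4].split(":"))
        yield {"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
               "send_q": send_q, "recv_q": recv_q, "inode": int(f[9])}

def queues_by_pid(tcp_text, fd_links):
    """Return [(pid, [send_q, recv_q])] sorted by Send-Q; pid None = owner not visible."""
    owners = defaultdict(set)  # socket inode -> PIDs holding it open
    for pid, targets in fd_links.items():
        for m in filter(None, (re.fullmatch(r"socket:\[(\d+)\]", t) for t in targets)):
            owners[int(m.group(1))].add(pid)
    totals = defaultdict(lambda: [0, 0])
    for s in parse_tcp(tcp_text):
        for pid in owners.get(s["inode"], {None}):  # a shared socket counts for each PID
            totals[pid][0] += s["send_q"]
            totals[pid][1] += s["recv_q"]
    return sorted(totals.items(), key=lambda kv: kv[1][0], reverse=True)

def live_fd_links():  # real /proc/<pid>/fd targets; unreadable or exited PIDs are skipped
    links = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fd_dir = f"/proc/{pid}/fd"
            links[int(pid)] = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
        except OSError:
            continue
    return links
```

On a live host, pass the contents of /proc/net/tcp and the result of live_fd_links() to queues_by_pid(); run it as root so that other users' /proc/<pid>/fd directories are readable.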
5

A more manual operation, if you are looking for just a process sending/receiving data, would be to run the lsof command. This will list all open files for each process, which will include network connections, as they are file descriptors to the OS.

Not sure if this is what you are looking for.

Bart De Vos
gdurham
4

Install iftop (simple text-based) or ntop (graphical).

David Schwartz
3

Use tcpdump to sniff some packets on this interface:

# tcpdump -vv -s0 -i eth0 -c 100 -w /tmp/eth0.pcap

Copy to client and open with Wireshark to see what happens.

quanta
  • Not the easiest way to get simple stats but anything even slightly more complicated and wireshark will shine! – Silverfire Oct 19 '11 at 05:57