
I can see that my server is sending out a lot of traffic. If I go to netstat -apln | grep httpd I can see that all the traffic is going to one IP.

Is there a way I can see what script / file is being used to send the data to that IP? Or any IP in general?

I know tcpdump can look at packets but can't seem to find a way to do this.

Falcon Momot
user2078802

5 Answers

The netstat command can only tell you which connections are currently open, but not how much traffic each has sent and received. To find out which connections are transferring most of the data, you would need to use other tools which could for example be iftop or tcpdump.

What you do next depends a lot on the lifetime of each connection and which end established the connection. If your end is the server, then you should be able to identify the listening socket belonging to the server process.

If it is indeed an httpd process (as you seem to imply in your question), then your web server access log is the place to look. One caveat to keep in mind is that each request is only logged once the transfer for that request has completed. This can make a significant difference if you are serving files which are many MB in size.

If your end happens to be the client, then you won't see listening sockets, but in case the connections are long-lived, you can find the connections and the corresponding process using netstat, once you have confirmed which connection is consuming bandwidth.

Should the investigation described above lead you to find that most traffic happens on short-lived connections established from your end, then netstat isn't sufficient to identify which process is responsible. That particular scenario has been covered in an older question.

kasperd
  • The reason I know there is a lot of outgoing traffic is because of the IPS we have; it shows the server is the client and hitting another server on a constant basis. I need to figure out which file is sending all the traffic out, as I am guessing it probably is a malicious file. – user2078802 Nov 28 '14 at 23:26

You can try to use lsof to check which processes are using the network connections.

List all network connections: lsof -i

List all the TCP or UDP connections: lsof -i tcp; lsof -i udp;

Processes listening on a particular port: lsof -i :80

List network files which are being used by a process: lsof -i -a -p 234

List the network files opened by the processes starting with ssh: lsof -i -a -c ssh

b13n1u
  • lsof will be helpful on the client side (which is the end that seems to be the concern), but only if the connection is alive when the command is run. For short-lived connections, repeated use of 'lsof -i tcp' may give results. – tonioc Nov 29 '14 at 03:53
  • This answer helped me identify traffic originating from a specific PID on my machine in wireshark, i.e. find the PID, use lsof to find the destination the application is sending traffic to, then filter in wireshark/tcpdump. thx – lobi Jan 30 '18 at 18:55
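As an added example (not code from this thread or from lsof/netstat), the correlation that netstat -p and lsof -i perform, done by hand: poll /proc/net/tcp for sockets whose remote address is the suspect IP and map their socket inodes to PIDs via /proc/<pid>/fd, looping several times a second so the short-lived connections tonioc mentions are still attributed to a PID and command line. The /proc/net/tcp sample line is constructed, the script handles IPv4 only (not /proc/net/tcp6), and it must run as root to see other users' sockets.

```python
import os, socket, struct, sys, time

# Constructed sample in /proc/net/tcp format (not captured from a real host):
# one ESTABLISHED socket 127.0.0.1:80 -> 10.0.0.2:443 owned by inode 12345.
SAMPLE = ("  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
          "   0: 0100007F:0050 0200000A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0\n")

def hex_addr(field):  # 'HHHHHHHH:PPPP': IPv4 as one little-endian hex word, port in hex
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return (local, remote, state, inode) per row; the first line is the header."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10:
            rows.append((hex_addr(f[1]), hex_addr(f[2]), int(f[3], 16), int(f[9])))
    return rows

def connections_to(remote_ip, text):
    """Rows whose remote address is the suspect IP, as (local, remote, inode)."""
    return [(l, r, ino) for l, r, _st, ino in parse_proc_net_tcp(text) if r[0] == remote_ip]

def inode_to_pid():
    """Map socket inode -> pid via /proc/<pid>/fd symlinks (root sees every process)."""
    table = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
                if target.startswith("socket:["):
                    table[int(target[8:-1])] = int(pid)
        except OSError:  # process exited mid-scan or its fd dir is not readable
            pass
    return table

def cmdline(pid):
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return fh.read().replace(b"\0", b" ").decode(errors="replace").strip()

if __name__ == "__main__":
    suspect, seen = sys.argv[1], set()
    while True:  # poll several times a second so short-lived sockets are still caught
        with open("/proc/net/tcp") as fh:
            text = fh.read()
        pids = inode_to_pid()
        for local, remote, ino in connections_to(suspect, text):
            pid = pids.get(ino)
            if pid and pid not in seen:
                seen.add(pid)
                print(f"{local[0]}:{local[1]} -> {remote[0]}:{remote[1]} pid={pid} {cmdline(pid)}")
        time.sleep(0.2)
```

Run as `sudo python3 thisfile.py xx.xx.xx.xx` and leave it running; each PID that opens a connection to that address is printed once with its full command line, which is the script or binary the question asks about.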

nethogs reports bandwidth used per process, updated once per second.

Andrew Schulman

netstat -nlpt (must run as sudo or root) will return the pid/name of the process responsible for a connection. Since you know the IP you should be able to simply do

sudo netstat -nlpt | grep xx.xx.xx.xx

and see which process it is. My skill is more in Windows so my syntax could be a bit off. I looked up the switches for Linux and found this as #5 here.

JoelAZ

This was an interesting question, and it looks like the kernel does not store counters for per-process network throughput utilization by default, but a kernel module netatop[1] adds this capability, which then makes it available for logging and reporting using atop[2].


[1]: See http://www.atoptool.nl/netatop.php
[2]: See http://www.atoptool.nl/

DTK