How to make netstat on Linux only show OUTBOUND tcp connections?

Question

My ubuntu server is infected and there is a process making a bunch of HTTP requests to a bunch of websites (sucks!). I have added the following to my firewall (UFW):

sudo ufw deny out proto tcp to any port 1:65535

To                         Action      From
--                         ------      ----
1:65535/tcp                DENY OUT    Anywhere

Now I would like to use netstat to list only OUTBOUND tcp connections, not inbound. How can I do that?

score 17 · Answer 1 · edited Apr 13 '17 at 12:22

17

netstat -nputw should do the trick. Add c for continuous updating.

Also, this may be more what you're looking for: https://askubuntu.com/questions/252179/how-to-inspect-outgoing-http-requests-of-a-single-application

edited Apr 13 '17 at 12:22

Community

1

answered Feb 21 '15 at 06:16

RyanH

327
1
6

score 8 · Accepted Answer · edited Feb 21 '15 at 07:36

8

If you only want outbound tcp connections, I think you can use

netstat -atn | tr -s ' '| cut -f5 -d ' ' | grep -v '127.0.0.1'

That will show all connections whose destination is not your localhost. You can add your internal ip, say

netstat -atn | tr -s ' '| cut -f5 -d ' ' | grep -v '127.0.0.1\|192.168.0.15'

edited Feb 21 '15 at 07:36

MadHatter

78,442
20
178
229

answered Feb 21 '15 at 06:27

sfault

164
7

What filters the 'outbound' here? Outbound means only connections INITIATED by an internal process – Nathan B Dec 16 '21 at 18:54

How to make netstat on Linux only show OUTBOUND tcp connections?

2 Answers2