nethogs not helping understanding suspicious network traffic

6

I'm using Ubuntu Trusty, and my system monitor detects suspicious network traffic: systematically I have 600 kB/s of download and 550 KB/s of upload traffic.

Using NetHogs I get:

NetHogs version 0.8.0

  PID USER     PROGRAM                            DEV        SENT      RECEIVED       
?     root     192.168.0.3:2049-192.168.0.2:677          406.888  557.587 KB/sec
2861  paolo    /usr/bin/gnome-shell               eth1     0.264    2.196 KB/sec
?     root     unknown TCP                                 0.000    0.000 KB/sec

  TOTAL                                                  407.196  559.816 KB/sec 

The first line shows my suspicious traffic, but it doesn't give me any info about what process is generating the traffic.

How do I know what process is responsible for that traffic?

Should I worry about it?

Paolo Benvenuto

Posted 2014-06-20T21:13:50.510


Answers

3

You can use netstat -tulpn | grep <portnumber> to find which process is listening on a certain port. Alternatively you can use the lsof utility to view open connections, including the process ID.

That said, the connection in Nethogs output seems like an NFS connection (based on the port numbers). Do you have an NFS mount on your system?

mtak

Posted 2014-06-20T21:13:50.510


sudo netstat -tulpn|grep 2049 doesn't return anything on the system where nethogs detects the "192.168.0.3:2049-192.168.0.2:677" program running, and I don't have any NFS mount... nor does lsof|grep 2049 detect anything – Paolo Benvenuto – 2014-06-21T09:06:29.927

sudo netstat --inet -ap shows me: tcp 0 1 192.168.0.2:677 192.168.0.3:2049 SYN_SENT - and I don't know the process; what does the SYN_SENT state mean? – Paolo Benvenuto – 2014-06-21T13:35:10.470

RESOLVED: it was an impossible NFS mount attempt. – Paolo Benvenuto – 2014-06-21T14:16:27.997
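As an added example for the thread above (it is not part of the original question, answer or comments), the following shell script shows why the NetHogs line carries "?" instead of a PID and how to attribute such a socket. A socket whose PID column is "-" has no user-space owner; traffic to remote port 2049 from such a socket is the in-kernel NFS client, and Send-Q 1 with state SYN_SENT means a SYN that the server has not answered, i.e. a mount that keeps retrying. It also uses `-a` (all sockets) rather than `-l`, because a client-side connection is never a listening socket, which is why `netstat -tulpn | grep 2049` found nothing. It assumes Linux with procfs and iproute2's `ss`; the two sample `netstat --inet -ap` lines are constructed (the first mirrors the one quoted in the comments), and the script, function names and file name `findowner.sh` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes Linux with procfs and
# iproute2's `ss`; `ss -p`/`netstat -p` only show owners of other users'
# processes when run as root.

# Constructed sample lines in the layout of `netstat --inet -ap`
# (Proto Recv-Q Send-Q Local Remote State PID/Program). The first mirrors the
# line quoted in the comments: Send-Q 1 and SYN_SENT mean one unanswered SYN,
# and "-" in the PID column means no user-space process owns the socket.
NFS_SAMPLE='tcp        0      1 192.168.0.2:677         192.168.0.3:2049        SYN_SENT    -'
APP_SAMPLE='tcp        0      0 192.168.0.2:49152       192.168.0.9:443         ESTABLISHED 2861/gnome-shell'

# classify_line LINE
# Prints "pid <n> <program>" when a user-space process owns the socket, or
# "kernel-nfs-client <state>" / "kernel-owned <state>" when the PID column is
# "-": the in-kernel NFS client (remote port 2049) and other kernel sockets
# never carry a PID, which is also why NetHogs lists them under "?".
classify_line() {
    # shellcheck disable=SC2086  # word-splitting the line into fields is intended
    set -- $1
    raddr=$5; state=$6; owner=${7:-}
    rport=${raddr##*:}
    case "$owner" in
        -|'')
            if [ "$rport" = 2049 ]; then
                echo "kernel-nfs-client $state"
            else
                echo "kernel-owned $state"
            fi ;;
        *)
            echo "pid ${owner%%/*} ${owner#*/}" ;;
    esac
}

# find_owner REMOTE_IP:PORT
# Live lookup with ss: -a lists all sockets (a client connection is not a
# listening socket, so -l would miss it), -p names the owning process.
find_owner() {
    remote=$1
    echo "== sockets to $remote (ss -tanp; users:((...)) names the owning process)"
    ss -tanp 2>/dev/null | grep -F "$remote" || echo "(none, or not visible without root)"
    # No users:() entry means a kernel-owned socket; for port 2049 the owner is
    # the NFS client, so look at what is mounted or being mounted instead.
    echo "== NFS mounts from /proc/mounts"
    grep -E '^[^ ]+:[^ ]+ [^ ]+ nfs' /proc/mounts 2>/dev/null || echo "(no NFS mounts)"
    echo "== NFS servers known to the kernel client (/proc/fs/nfsfs/servers)"
    if [ -r /proc/fs/nfsfs/servers ]; then cat /proc/fs/nfsfs/servers; else echo "(nfs client not loaded)"; fi
}

# Offline demonstration on the constructed lines.
classify_line "$NFS_SAMPLE"   # kernel-nfs-client SYN_SENT
classify_line "$APP_SAMPLE"   # pid 2861 gnome-shell

# Live lookup only when a remote endpoint is given on the command line,
# e.g.: sudo sh findowner.sh 192.168.0.3:2049
if [ $# -gt 0 ]; then
    find_owner "$1"
fi
```

Run the live lookup as root, otherwise `ss -p` hides sockets belonging to other users. A kernel-owned socket retrying port 2049 on a LAN address, as here, is a stuck or stale NFS mount and not a compromise; the same pattern towards an unfamiliar external host, or a user-space process you do not recognise in the `pid` output, is what would justify further investigation.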