Hi there,

> Is there a way to determine which 'program' on a Linux box is
> creating network traffic.

There's a pretty powerful (general purpose Unix) tool called 'lsof' which ships with, or is available on, most distributions (that I have used). The command-line syntax for the tool is not the most convenient; however, the tool does precisely what you want. If you know the number of the local port, you can use lsof to get the process ID (and some other useful info).

Suppose you suspect that a user on your multiuser system is browsing the 'www.pdxlinux.org' site with a raw TCP connection tool, a heart-rendingly awful and strictly forbidden activity (only w3m, lynx and elinks are allowed by policy!), and you know the port that the user is connecting from (here it is just a random high port):

  $ lsof -n -P -M -i -- [email protected]:44098
  COMMAND   PID    USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
  socat   25285 mabrown   3u  IPv4 2650646      0t0  TCP 172.18.18.172:44098->69.168.60.124:80 (ESTABLISHED)

OK, so we know we need to chastise this 'mabrown' character, but we can see that he is using 'socat'.

The options I like to add:

  -n  turn off hostname lookup
  -M  turn off any portmapper lookups
  -P  turn off port name lookup
  -i  the description of the port / socket to look up

Of course, 'lsof' has about four hundred other options and invocation parameters. If you simply want an inventory of all the open files, drop the '-i <name>' option. There's much data to be had here.

Good luck and enjoy,

-Martin

-- 
Martin A. Brown
http://linux-ip.net/

_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
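Added example, not from Martin's post: a Python script that parses the text output of `lsof -n -P -M -i` into records, answers the same question as the `-i @host:port` lookup above (which process owns a given local port), and flags established connections from programs outside the w3m/lynx/elinks allow-list. The sample output is constructed (the `lynx` and `sshd` lines are invented); when `lsof` is on PATH the script reads live output instead.

```python
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Set

Row = Dict[str, object]

# Constructed sample in the layout lsof prints; only the socat line mirrors the post.
SAMPLE_LSOF_OUTPUT = """\
COMMAND   PID    USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
socat   25285 mabrown   3u  IPv4 2650646      0t0  TCP 172.18.18.172:44098->69.168.60.124:80 (ESTABLISHED)
lynx    25310   alice   4u  IPv4 2650702      0t0  TCP 172.18.18.172:44120->69.168.60.124:80 (ESTABLISHED)
sshd     1201    root   3u  IPv4   12345      0t0  TCP *:22 (LISTEN)
"""

# NAME column: local[->remote][ (STATE)]; UDP and listening sockets have no remote.
NAME_RE = re.compile(r"^(?P<local>\S+?)(?:->(?P<remote>\S+))?(?: \((?P<state>[A-Z_]+)\))?$")


def parse_lsof(text: str) -> List[Row]:
    """Turn `lsof -n -P -M -i` text into one dict per socket line."""
    rows: List[Row] = []
    for line in text.splitlines():
        parts = line.split(None, 8)  # NAME may contain a space before the state
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue
        m = NAME_RE.match(parts[8])
        if m is None:
            continue
        rows.append({"command": parts[0], "pid": int(parts[1]), "user": parts[2],
                     "proto": parts[7], "local": m.group("local"),
                     "remote": m.group("remote"), "state": m.group("state")})
    return rows


def find_by_local_port(rows: List[Row], port: int) -> List[Row]:
    """Same lookup as `lsof -i @host:port`: which process holds this local port?"""
    return [r for r in rows if str(r["local"]).rsplit(":", 1)[-1] == str(port)]


def policy_violations(rows: List[Row], allowed: Set[str]) -> List[Row]:
    """Connections with a remote peer whose owning command is not on the allow-list."""
    return [r for r in rows if r["remote"] is not None and r["command"] not in allowed]


def run_lsof() -> str:
    """Live output with the flags from the post; falls back to the constructed sample."""
    if shutil.which("lsof") is None:
        return SAMPLE_LSOF_OUTPUT
    return subprocess.run(["lsof", "-n", "-P", "-M", "-i"], capture_output=True, text=True).stdout


if __name__ == "__main__":
    for r in policy_violations(parse_lsof(run_lsof()), {"w3m", "lynx", "elinks"}):
        print(f"{r['user']} pid {r['pid']} ({r['command']}) -> {r['remote']} {r['state']}")
```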
