Thanks Martin.

I'll have to play with this a bit.  I've used lsof to find out who/what 
had a file locked open but not for looking for network connections.

Many thanks to wes and Dale for their insights also.


\\||/
Rod
-- 
On 12/06/2014 01:26 PM, Martin A. Brown wrote:
>
> Hi there,
>
>> Is there a way to determine which 'program' on a Linux box is
>> creating network traffic.
>
> There's a pretty powerful (general purpose Unix) tool called 'lsof'
> which ships with, or is available on most distributions (that I
> have used).  The command-line syntax for the tool is not the most
> convenient, however, the tool does precisely what you want.  If you
> know the number of the local port, you can use lsof to get the
> process ID (and some other useful info).
>
> Suppose you suspect that a user on your multiuser system is browsing
> the 'www.pdxlinux.org' site with a raw TCP connection tool, a
> heart-rendingly awful and strictly forbidden activity (only w3m,
> lynx and elinks are allowed by policy!), and you know the port that
> the user is connecting from (here it is just a random high port):
>
>     $ lsof -n -P -M -i -- [email protected]:44098
>     COMMAND   PID    USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
>     socat   25285 mabrown    3u  IPv4 2650646      0t0  TCP 172.18.18.172:44098->69.168.60.124:80 (ESTABLISHED)
>
> OK, so we know we need to chastise this 'mabrown' character, but we
> can see that he is using 'socat'.
>
> The options I like to add:
>
>     -n   turn off hostname lookup
>     -M   turn off any portmapper lookups
>     -P   turn off port name lookup
>     -i   the description of the port / socket to look up
>
> Of course, 'lsof' has about four hundred other options and
> invocation parameters.  If you simply want an inventory of all the
> open files, drop the '-i <name>' option.  There's much data to
> be had here.
>
> Good luck and enjoy,
>
> -Martin
>
_______________________________________________
PLUG mailing list
http://lists.pdxlinux.org/mailman/listinfo/plug
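
Added example (not part of the original thread and not Martin's code): the same port-to-process lookup done from a script, using lsof's machine-readable -F field output instead of the column listing. The function names and the sshd record in the sample are made up for illustration; the socat record reuses the values from the listing quoted above.

```shell
#!/usr/bin/env bash
# Constructed sample of `lsof -n -P -M -i -F pcLPn` output. The socat record
# reuses the values from the thread; the sshd record is invented for contrast.
sample_lsof_fields() {
    cat <<'EOF'
p1022
csshd
Lroot
f3
PTCP
n*:22
p25285
csocat
Lmabrown
f3
PTCP
n172.18.18.172:44098->69.168.60.124:80
EOF
}

# owner_of_port PORT: read lsof -F records on stdin and print
# "PID COMMAND USER PROTO NAME" for each socket whose LOCAL port is PORT.
owner_of_port() {
    case "$1" in
        ''|*[!0-9]*) echo "usage: owner_of_port PORT" >&2; return 2 ;;
    esac
    awk -v port="$1" '
        { tag = substr($0, 1, 1); val = substr($0, 2) }
        tag == "p" { pid = val; cmd = "?"; user = "?" }  # new process set
        tag == "c" { cmd = val }
        tag == "L" { user = val }
        tag == "f" { proto = "?" }                       # new file set
        tag == "P" { proto = val }
        tag == "n" {
            loc = val
            sub(/->.*/, "", loc)           # drop the remote endpoint
            n = split(loc, part, ":")      # port is the last field, IPv6 too
            if (part[n] == port) print pid, cmd, user, proto, val
        }
    '
}

# Offline demo on the sample. On a live host (typically as root, to see
# other users' sockets):  lsof -n -P -M -i -F pcLPn | owner_of_port 44098
sample_lsof_fields | owner_of_port 44098
```

Matching only on the local endpoint keeps a process that merely connects to a remote port of the same number out of the result.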
