Thanks Martin. I'll have to play with this a bit. I've used lsof to find out who/what had a file locked open but not for looking for network connections.
Many thanks to wes and Dale for their insights also.

\\||/ Rod

--

On 12/06/2014 01:26 PM, Martin A. Brown wrote:
>
> Hi there,
>
>> Is there a way to determine which 'program' on a Linux box is
>> creating network traffic.
>
> There's a pretty powerful (general purpose Unix) tool called 'lsof'
> which ships with, or is available on most distributions (that I
> have used). The command-line syntax for the tool is not the most
> convenient, however, the tool does precisely what you want. If you
> know the number of the local port, you can use lsof to get the
> process ID (and some other useful info).
>
> Suppose you suspect that a user on your multiuser system is browsing
> the 'www.pdxlinux.org' site with a raw TCP connection tool, a
> heart-rendingly awful and strictly forbidden activity (only w3m,
> lynx and elinks are allowed by policy!), and you know the port that
> the user is connecting from (here it is just a random high port):
>
> $ lsof -n -P -M -i -- [email protected]:44098
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> socat 25285 mabrown 3u IPv4 2650646 0t0 TCP 172.18.18.172:44098->69.168.60.124:80 (ESTABLISHED)
>
> OK, so we know we need to chastise this 'mabrown' character, but we
> can see that he is using 'socat'.
>
> The options I like to add:
>
> -n turn off hostname lookup
> -M turn off any portmapper lookups
> -P turn off port name lookup
> -i the description of the port / socket to look up
>
> Of course, 'lsof' has about four hundred other options and
> invocation parameters. If you simply want an inventory of all the
> open files, drop the '-i <name>' option. There's much data to
> be had here.
>
> Good luck and enjoy,
>
> -Martin

_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
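An added example, not part of the thread above or of Martin's reply: the same port-to-process lookup done over lsof's machine-readable field output (`-F`) instead of eyeballing the human-readable columns. The `sample_lsof_F` function is a constructed stand-in for what `lsof -n -P -M -i -F pcLn` prints (PID, command, login and socket name, one field per line); the PIDs, users and addresses in it are made up for the example. The `port_owner` function filters on the *local* port only, so a remote port such as 80 in the second half of the `->` pair does not match.

```shell
#!/bin/sh
# Added example, not from the thread: map a local TCP/UDP port to the
# process that owns the socket, using lsof -F field output read on stdin.

# sample_lsof_F: constructed sample of `lsof -n -P -M -i -F pcLn` output.
# Field lines: p=PID, c=command, L=login, f=fd, n=socket name. Made up.
sample_lsof_F() {
  cat <<'EOF'
p25285
csocat
Lmabrown
f3
n172.18.18.172:44098->69.168.60.124:80
p1012
csshd
Lroot
f4
n*:22
f5
n172.18.18.172:22->10.0.0.5:51522
EOF
}

# port_owner PORT: read -F output on stdin and print "COMMAND PID USER NAME"
# for every socket whose local endpoint uses PORT. Each 'p' line starts a
# new process record, so the command/user seen last apply to the 'n' lines
# that follow until the next 'p'.
port_owner() {
  awk -v port="$1" '
    /^p/ { pid = substr($0, 2); next }
    /^c/ { cmd = substr($0, 2); next }
    /^L/ { user = substr($0, 2); next }
    /^n/ {
      name = substr($0, 2)
      local = name
      sub(/->.*/, "", local)   # drop the remote side of "local->remote"
      sub(/.*:/, "", local)    # keep only the port after the last colon
      if (local == port) print cmd, pid, user, name
    }'
}

# Offline demo against the constructed sample; on a live box replace the
# first command with:  lsof -n -P -M -i -F pcLn | port_owner 44098
sample_lsof_F | port_owner 44098
```

The `-F` form is what you want when the lookup runs from a script or a detection job: the human-readable table shifts its columns when a field is empty or long, whereas field lines are one value per line and never need column arithmetic.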
