3

I'd like to know which processes use the network:

  1. To inspect if any unknown to me (and potentially malicious) programs on my system use the network;
  2. To learn the amount of network traffic by the process, and further broken down by protocol HTTP, TCP, UDP, ICMP,..) and also by incoming/outgoing traffic.
Gilles 'SO- stop being evil'
  • 807,993
  • 194
  • 1,674
  • 2,175
latgarf
  • 131
  • 3
  • 3
    did you post this to the right site? im not sure u&l is the proper form for discussions on time travel. it is interesting though. – mikeserv Nov 26 '15 at 07:56
  • in my opinion, that is a question for a security and networking group, though I normally use open source for that purposes. The question is too broad and too vague. I do not feel like writing a treaty in Unix, security and networking. What do you exactly want to do? Is it at home or work? Are you part of the network team? Can you enlist their help? Can you modify the configuration of border gateway routers? The answer can vary a lot depending if you are doing it at home or work, and of your level of experience. I may give it a go. – Rui F Ribeiro Nov 26 '15 at 08:09
  • I don't think that's possible for the past. Although `/proc//` contains various counters for read and written bytes there is no distinction between storage and network. The same applies to live-monitoring the application via `/proc/`. The only solution that comes to my mind involves using pcap. Which means you have to monitor the application all the time in order to do proper accounting. – scai Nov 26 '15 at 08:14

3 Answers3

2

Just like top is for CPU usage, iftop is for network usage.

ffff
  • 133
  • 5
  • iftop is only as good as too debug temporarily things, I am afraid. – Rui F Ribeiro Nov 26 '15 at 08:10
  • You can periodically store the output of iftop and process it later using awk – ffff Nov 26 '15 at 08:18
  • You can, however iftop is just sampling what you are doing, is not viable to run in the long term for a variety of reasons. – Rui F Ribeiro Nov 26 '15 at 08:19
  • True. If you are not able to find a tool that meets your requirements, then you are better of starting a github project on it :) – ffff Nov 26 '15 at 08:25
  • I was already network and system administrator at two cable ISP providers...there are tools and protocols out there, it just gives you work piecing it all together. – Rui F Ribeiro Nov 26 '15 at 08:26
  • Then you must be knowing better. I just wrote the answer based on what I've used for such purpose :) @RuiFRibeiro – ffff Nov 26 '15 at 09:08
  • No problem. The limitation of iftop is that it only samples while it is running, and it´s vocation is for short periods of time. ntop is so much better for small use. – Rui F Ribeiro Nov 26 '15 at 09:48
1

What you are asking is a bit broad, so I will try to stick to the general terms. To rephrase it, you would like to have an idea over time of your network usage broken down by process AND by protocol.

For domestic use, try ntop. It will do more than you probably need, and to top if off, it shows historical graphics.

http://www.ntop.org/products/traffic-analysis/ntop/

There are tools that fit that job temporarily. For a general glance of what is happening, nethogs breaks down the applicational usage of network quite nicely.

http://nethogs.sourceforge.net

"NetHogs is a small 'net top' tool. Instead of breaking the traffic down per protocol or per subnet, like most tools do, it groups bandwidth by process. "

You also have dtrace4linux and sysdig, which can do very surprising things for accounting almost all aspects of server usage. There is a very interesting book about dtrace "Systems Performance: Enterprise and the Cloud" from Brendan Gregg.

For global accounting of traffic usage, you can either sample ifconfig, or the rx/tx transferred bytes in proc. If managing multiple servers, better use an NMS and SNMP.

If managing a network of servers, you would want to do iptables accounting in the router, or setup Netflow in your firewall or router, and listen and store the data in a DB. nfSen is particularly useful to visualize that kind of that.

As for security related attacks, IDS is a very interesting technology. You can run Snort in your box, however it is generally ran in a box that can listen to the traffic flowing.

Rui F Ribeiro
  • 55,929
  • 26
  • 146
  • 227
0

You can use netstat -p to get the list of processes with active connections

clobrano
  • 214
  • 1
  • 8