How to monitor network activity on a Linux system

There are many reasons why you might want to monitor network activity on your Linux system.

You may be troubleshooting a network problem, or checking for malicious applications that generate suspicious network activity.

Whatever the reason, below we will look at several ways to find out which processes in your system are involved in network activity and with whom they communicate.

Netstat

Netstat is a powerful utility that can display network connections, routing tables, interface statistics, masquerade connections, etc.

We will use it to achieve the objectives of this guide.

Installing Netstat

On Debian and Debian-based systems such as Ubuntu, use apt.

# apt install net-tools

On Red Hat Enterprise Linux and Red Hat-based systems, use yum.

# yum install net-tools

On Arch-based systems, use pacman.

# pacman -S net-tools

View listening processes

First, let’s take a look at the listening processes.

To do this, enter the following command:

$ sudo netstat -tulpen

In this command, t displays TCP connections, u displays UDP connections, l shows only listening sockets, p shows the program to which the connection belongs, e shows extended information, and n represents addresses, users, and ports numerically.

In the client-server model on which most networking software is based, listening processes can be thought of as software running in “server” mode. For each process, you can see the protocol used, the local address and port it is listening on, the user it is running as, and the PID / program name.

One important difference should be noted here. For tcp4 / udp4 sockets (listed simply as tcp and udp), a local address of 0.0.0.0 means the process listens for connections from any computer that can reach it over the network, whereas a local address of 127.0.0.1 means it only listens for connections on the local host (the machine it is running on) and cannot be reached by other computers on the network. The same difference applies to tcp6 / udp6 when comparing the local address :: (facing the network) and ::1 (localhost only).

How to view all network connections

Now let’s take a look at all the current network connections.

To do this, enter the following command, which is similar to the previous one, except that we use -a to view all sockets instead of -l to simply view the listening sockets.

$ sudo netstat -atupen

This command not only shows us which software is listening for connections as “servers”, but also the currently established connections to that software and any network connections we have established using software acting as a “client”, such as a web browser.

View established connections

You may find yourself in a situation where you only want to view connections of type ESTABLISHED.

ss

Netstat has long been a favorite of sysadmins, but it has recently been replaced by ss, which boasts that it is faster, simpler, and more readable than netstat. Let’s see how to perform the same steps as above using ss. ss also has a -e option to view extended information, but it is omitted in the examples below because the additional information makes the output less readable.

View processes

To view all listening processes, enter the following:

$ sudo ss -tlunp

In this command, t displays TCP connections, l shows only listening sockets, u displays UDP connections, n represents addresses, users, and ports numerically, and p shows the program to which the connection belongs.

View all network connections

To view all network connections, enter the following, where a replaces l and shows all network sockets, not just listening ones.

$ sudo ss -taunp

View established connections

If -a or -l are not included, then ss will show only established connections.

To view only established connections, enter the following.

$ sudo ss -tunp
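
The distinction described earlier between sockets bound to 0.0.0.0 / :: and those bound to 127.0.0.1 / ::1 can be checked mechanically against `ss -tlunp` output. The following is an added example, not part of the original article: the function name `classify_listeners` and the sample lines are constructed for illustration, and it goes slightly beyond the text by treating all of 127.0.0.0/8 as loopback, `*` as all interfaces, and any other address as bound to one specific interface address.

```shell
#!/bin/sh
# Classify listening sockets from `ss -tlunp` output by who can reach them.
# Live use: sudo ss -H -tlunp | classify_listeners

classify_listeners() {
    awk '
    $1 == "Netid" { next }                  # skip the header if -H was not used
    NF >= 5 {
        proto = $1; addr = $5; port = $5
        sub(/^.*:/, "", port)               # text after the last colon
        sub(/:[^:]*$/, "", addr)            # text before the last colon
        gsub(/\[|\]/, "", addr)             # [::1] -> ::1
        sub(/%.*$/, "", addr)               # 127.0.0.53%lo -> 127.0.0.53
        # Process name is the first quoted string in users:(("name",pid=...))
        proc = (split($0, q, "\"") >= 2) ? q[2] : "-"
        if (addr == "0.0.0.0" || addr == "::" || addr == "*")
            scope = "ALL-INTERFACES"        # reachable from the network
        else if (addr ~ /^127\./ || addr == "::1")
            scope = "LOOPBACK"              # local host only
        else
            scope = "SPECIFIC-ADDRESS"      # bound to one interface address
        print scope, proto, addr, port, proc
    }'
}

# Constructed sample in the layout of `ss -H -tlunp` (not captured from a real host).
SAMPLE=$(cat <<'EOF'
udp UNCONN 0 0    127.0.0.53%lo:53   0.0.0.0:* users:(("systemd-resolve",pid=612,fd=13))
udp UNCONN 0 0    192.168.1.10:5353  0.0.0.0:* users:(("avahi-daemon",pid=700,fd=12))
tcp LISTEN 0 128  0.0.0.0:22         0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 4096 127.0.0.1:631      0.0.0.0:* users:(("cupsd",pid=901,fd=7))
tcp LISTEN 0 128  [::]:22            [::]:*    users:(("sshd",pid=812,fd=4))
tcp LISTEN 0 4096 [::1]:631          [::]:*    users:(("cupsd",pid=901,fd=6))
tcp LISTEN 0 511  *:80               *:*       users:(("nginx",pid=1033,fd=6))
EOF
)

printf '%s\n' "$SAMPLE" | classify_listeners
```

Lines marked ALL-INTERFACES are the ones to compare against the services you expect to offer to the network; a process name of `-` means ss was run without the privileges needed to see the owning process.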

lsof

In case netstat and ss were not enough, we present lsof. lsof is used to list open files. GNU / Linux inherits the UNIX design principle that everything is a file; this includes network connections. As a result, lsof can be used to view network activity in a similar way to the above commands.

How to view all network connections

Enter the following to view all network connections.

$ sudo lsof -nP -i

In this command, n represents addresses in numeric form, P represents ports in numeric form, and i suppresses the listing of any open files that are not network files.

View established connections

To view only established connections, enter the following command, where additional switches list all established TCP connections.

$ sudo lsof -nP -iTCP -sTCP:ESTABLISHED

View processes

To view listening processes using lsof, enter the following.

$ sudo lsof -nP -iTCP -sTCP:LISTEN

This will skip any processes that are listening on UDP, so it may be desirable to enter the following instead to include them.

$ sudo lsof -nP -i | grep -E 'LISTEN|UDP'
