A thread on the Ubuntu-devel-discuss mailing list last month asked about how to find out what processes are making outgoing network connectsion on a Linux machine. It referenced Ubuntu bug 820895: Log File Viewer does not log "Process Name", which is specific to Ubuntu's iptables logging of apps that are already blocked in iptables ... but the question goes deeper.
Several years ago, my job required me to use a program -- never mind which one -- from a prominent closed-source company. This program was doing various annoying things in addition to its primary task -- operations that got around the window manager and left artifacts all over my screen, operations that potentially opened files other than the ones I asked it to open -- but in addition, I noticed that when I ran the program, the lights on the DSL modem started going crazy. It looked like the program was making network connections, when it had no reason to do that. Was it really doing that?
Unfortunately, at the time I couldn't find any Linux command that would tell me the answer. As mentioned in the above Ubuntu thread, there are programs for Mac and even Windows to tell you this sort of information, but there's no obvious way to find out on Linux.
The discussion ensuing in the ubuntu-devel-discuss thread tossed around suggestions like apparmor and selinux -- massive, complex ways of putting up fortifications your whole system. But nobody seemed to have a simple answer to how to find information about what apps are making network connections.
Well, it turns out there are a a couple ofsimple way to get that list. First, you can use ss:
$ ss -tp State Recv-Q Send-Q Local Address:Port Peer Address:Port ESTAB 0 0 ::1:58466 ::1:ircd users:(("xchat",1063,43)) ESTAB 0 0 192.168.1.6:57526 220.127.116.11:ircd users:(("xchat",1063,36)) ESTAB 0 0 ::1:ircd ::1:58466 users:(("bitlbee",1076,10)) ESTAB 0 0 192.168.1.6:54253 18.104.22.168:ircd users:(("xchat",1063,24)) ESTAB 0 0 192.168.1.6:52167 22.214.171.124:https users:(("firefox-bin",1097,47))
you might also want to add listening connections where programs
are listening for incoming connections:
Though this may be less urgent if you have a firewall in place.
-t shows only TCP connections (so you won't see all the interprocess communication among programs running on your machine). -p prints the process associated with each connection.
ss can do some other useful things, too, like show all the programs
connected to your X server right now, or show all your ssh connections.
man ss for examples.
Or you can use netstat:
$ netstat -A inet -p Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 imbrium.timochari:51800 linuxchix.osuosl.o:ircd ESTABLISHED 1063/xchat tcp 0 0 imbrium.timochari:59011 ec2-107-21-74-122.:ircd ESTABLISHED 1063/xchat tcp 0 0 imbrium.timochari:54253 adams.freenode.net:ircd ESTABLISHED 1063/xchat tcp 0 0 imbrium.timochari:58158 s3-1-w.amazonaws.:https ESTABLISHED 1097/firefox-bin
In both cases, the input is a bit crowded and hard to read. If all you want is a list of processes making connections, that's easy enough to do with the usual Unix utilities like grep and sed:
$ ss -tp | grep -v Recv-Q | sed -e 's/.*users:(("//' -e 's/".*$//' | sort | uniq $ netstat -A inet -p | grep '^tcp' | grep '/' | sed 's_.*/__' | sort | uniq
Finally, you can keep an eye on what's going on by using watch to run one of these commands repeatedly:
watch ss -tp
Using watch with one of the pipelines to print only process names is possible, but harder since you have to escape a lot of quotation marks. If you want to do that, I recommend writing a script.
And back to the concerns expressed on the Ubuntu thread, you could also write a script to keep logs of which processes made connections over the course of a day. That's definitely a tool I'll keep in my arsenal.
[ 12:28 Mar 24, 2012 More linux | permalink to this entry | comments ]