How can I monitor all outgoing requests/connections from my machine?

command-line networking shell-script security

424,420

Solution 1

Use netstat. For example

$ netstat -nputw
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
[...]
tcp        0      0 192.168.25.222:22       192.168.0.134:42903     ESTABLISHED 32663/sshd: gert [p

lists all UDP (u), TCP (t) and RAW (w) outgoing connections (not using l or a) in a numeric form (n, prevents possible long-running DNS queries) and includes the program (p) associated with that.

Consider adding the c option to get output being updated continuously.

Solution 2

I've tried a bunch of tools, including iftop, ntop, iptraf, and of course the very useful built-in netstat -tupln (supported options are OS-dependent), but the most practical for my use case turned out to be nethogs - it aggregates connections by the originating app, and is the least noisy of all.

Installable via:

sudo apt-get install nethogs

Run as root:

sudo nethogs

If your goal is to just see all TCP connections initiated by any app then you could use:

sudo tcpdump -i lo -A | grep Host:

Solution 3

If you just want to just log every connection attempt, the easiest is probably iptables LOG target on Linux (or the equivalent firewall logging feature on your system).

If you need more information like duration of the connection and amount of data exchanged in both directions, then conntrackd (on Linux) is probably the best option.

However note that those two above only log the traffic that goes through netfilter, which is generally all the traffic but doesn't account traffic generated with IP stacks in user space (like virtual machines or anything using raw sockets) or bridged traffic.

For more general solutions, you can have a look at things like argus, bro-ids, sancp or ntop that log all sorts of information based on traffic they sniff on an interface.

Solution 4

What I think you want to do is get a list of listening ports and then remove them from any other TCP connections, then that will be all of the outgoing connections. The ss (socket status) command outputs "Local Address:Port" and "Peer Address:Port" columns, we need to remove the listening ports from the "Local Address:Port" column and not the "Peer Address:Port" column, otherwise you may miss some outgoing connections. So to achieve that I'm using \s{2}+ behind the ":$port" string in the grep to match on the spaces that exist behind the "Local Address:Port" column; that column has two or more white spaces behind it, where the "Peer Address:Port" has one space and then a newline (grrr... should just have a newline, IMO, then I could have used \s+ instead of \s{2}+.) Normally I might try to use the filtering functionality of ss, like with ss -tn state established '(sport != :<port1> and sport !=:<port2>)' src <ip address>. But it appears there is a limit on how long that string can be, it bombed out on a system where I had a lot of listening ports. So I'm trying to do the same thing with grep. I believe the following will work:

FILTER=$(ss -tn state listening | gawk 'NR > 1 {n=split($3,A,":"); B[NR-1]=A[n]} END {for (i=1; i<length(B); i++) printf ":%s\\s{2}+|", B[i]; printf ":%s\\s{2}+", B[i]}')

ss -tn state established dst :* | grep -P -v "$FILTER"

Note this depends on the version of ss you're using, older versions (like: ss utility, iproute2-ss111117) has a different output format, so you may have to use $3 instead of $4 in awk. Note also ss -tln and ss -tn state listening gives you different output, which is a little counter-intuitive to me. YMMV.

I found a slightly more elegant solution that doesn't require knowing host's IP, ss -tn state established dst :* works well, I modified the command lines above.

Solution 5

tcpdump allows you to see all IP traffic flowing to/from a specific interface with the ability to filter based on certain criteria. tcpdump is typically installed on most *nix systems by default, if not there's usually a port somewhere to grab it for your specific distro.

View more solutions

424,420

Author by

trusktr

Updated on September 18, 2022

Comments

trusktr over 1 year

My machine is a server so I want to ignore connections being made to my server (e.g. when someone visits my website). I want to see only connections/requests being made by my server to other places.

How do I see only those outgoing connections?

EDIT: I'm new to these type of things. What I'm trying to do is just see if anything from my server is being sent out other than data for my web apps. For example, if someone visits my websites, then obviously my server will send out data to the client's browser. But suppose there's also code somewhere in my web app's framework that sends statistical data to somewhere else I'm not aware of. I'd like to see those places my server is sending data to, if any. It's probably not likely, but suppose you decide to use a php or nodejs framework that you didn't write: there's a small chance it may send some type of data somewhere. If so, that's what I'd like to see.
trusktr over 11 years

Thanks. That's good info. Could you take a look at my updated question?
trusktr over 11 years

Nice, that's also available on Arch Linux: archlinux.org/packages/community/i686/conntrack-tools -- Could you provide an example of how you'd use conntrack to see only connections started from local but not connections started from elsewhere?
ruffin over 9 years

Completely inappropriate hijack (except that this answer googled well): This answer works with Windows as well. To use netstat in "continuous mode" there, -c doesn't work. You use numbers instead, like netstat -na 1 | find "[Scan_Host_IP_Addr]" for it to update every 1 second (in this example). (source).
G-Man Says 'Reinstate Monica' about 9 years

Would you please add some explanation of how this works? (Edit the answer; don't post clarifying information as comments.) I think I've partly figured it out. It seems like it might need a bit more work. I ran ss -tn state listening on a host that runs an FTP server, and naturally the command showed that the machine was listening on port 21. So doesn't that mean that the egrep -v will filter out any remote hosts whose IP address includes "21" (including "210", "211", "212", ...)? Also, is the asort really necessary, or just window-dressing?
Dale about 9 years

I had to fix pretty much whole thing, the corrected script is above.
Dale about 9 years

Ultimately, it would be a lot nicer if ss or netstat would just include this functionality in it. Do a ss --out to get a list of outgoing connections.
trusktr about 9 years

Nice, I like this answer. I'll try it out when I get back to improving security on my server. :D
Dale almost 9 years

Looks like this could be used for UDP, too, but you just have to use different flags and states, of course.
awm about 7 years

Is there a way to display more user-friendly information such as domain names, info about the ip? Perhaps using a custom script?
gertvdijk about 7 years

@awm Well, that would be doable with strace on the process, filtering for nameserver lookups (no details, this is not a full answer to it). Alternatively, you could show the reverse DNS of the IPs listed in netstat by omitting the n option included in my answer.