How can I monitor all outgoing requests/connections from my machine?
Solution 1
Use netstat
. For example
$ netstat -nputw
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
[...]
tcp 0 0 192.168.25.222:22 192.168.0.134:42903 ESTABLISHED 32663/sshd: gert [p
lists all UDP (u
), TCP (t
) and RAW (w
) outgoing connections (not using l
or a
) in a numeric form (n
, prevents possible long-running DNS queries) and includes the program (p
) associated with that.
Consider adding the c
option to get output being updated continuously.
Solution 2
I've tried a bunch of tools, including iftop
, ntop
, iptraf
, and of course the very useful built-in netstat -tupln
(supported options are OS-dependent), but the most practical for my use case turned out to be nethogs
- it aggregates connections by the originating app, and is the least noisy of all.
Installable via:
sudo apt-get install nethogs
Run as root:
sudo nethogs
If your goal is to just see all TCP connections initiated by any app then you could use:
sudo tcpdump -i lo -A | grep Host:
Solution 3
If you just want to just log every connection attempt, the easiest is probably iptables
LOG
target on Linux (or the equivalent firewall logging feature on your system).
If you need more information like duration of the connection and amount of data exchanged in both directions, then conntrackd
(on Linux) is probably the best option.
However note that those two above only log the traffic that goes through netfilter, which is generally all the traffic but doesn't account traffic generated with IP stacks in user space (like virtual machines or anything using raw sockets) or bridged traffic.
For more general solutions, you can have a look at things like argus
, bro-ids
, sancp
or ntop
that log all sorts of information based on traffic they sniff on an interface.
Solution 4
What I think you want to do is get a list of listening ports and then remove them from any other TCP connections, then that will be all of the outgoing connections. The ss (socket status) command outputs "Local Address:Port" and "Peer Address:Port" columns, we need to remove the listening ports from the "Local Address:Port" column and not the "Peer Address:Port" column, otherwise you may miss some outgoing connections. So to achieve that I'm using \s{2}+
behind the ":$port" string in the grep to match on the spaces that exist behind the "Local Address:Port" column; that column has two or more white spaces behind it, where the "Peer Address:Port" has one space and then a newline (grrr... should just have a newline, IMO, then I could have used \s+
instead of \s{2}+
.) Normally I might try to use the filtering functionality of ss, like with ss -tn state established '(sport != :<port1> and sport !=:<port2>)' src <ip address>
. But it appears there is a limit on how long that string can be, it bombed out on a system where I had a lot of listening ports. So I'm trying to do the same thing with grep. I believe the following will work:
FILTER=$(ss -tn state listening | gawk 'NR > 1 {n=split($3,A,":"); B[NR-1]=A[n]} END {for (i=1; i<length(B); i++) printf ":%s\\s{2}+|", B[i]; printf ":%s\\s{2}+", B[i]}')
ss -tn state established dst :* | grep -P -v "$FILTER"
Note this depends on the version of ss you're using, older versions (like: ss utility, iproute2-ss111117) has a different output format, so you may have to use $3 instead of $4 in awk. Note also ss -tln
and ss -tn state listening
gives you different output, which is a little counter-intuitive to me. YMMV.
I found a slightly more elegant solution that doesn't require knowing host's IP, ss -tn state established dst :*
works well, I modified the command lines above.
Solution 5
tcpdump
allows you to see all IP traffic flowing to/from a specific interface with the ability to filter based on certain criteria. tcpdump
is typically installed on most *nix systems by default, if not there's usually a port somewhere to grab it for your specific distro.
trusktr
Updated on September 18, 2022Comments
-
trusktr over 1 year
My machine is a server so I want to ignore connections being made to my server (e.g. when someone visits my website). I want to see only connections/requests being made by my server to other places.
How do I see only those outgoing connections?
EDIT: I'm new to these type of things. What I'm trying to do is just see if anything from my server is being sent out other than data for my web apps. For example, if someone visits my websites, then obviously my server will send out data to the client's browser. But suppose there's also code somewhere in my web app's framework that sends statistical data to somewhere else I'm not aware of. I'd like to see those places my server is sending data to, if any. It's probably not likely, but suppose you decide to use a php or nodejs framework that you didn't write: there's a small chance it may send some type of data somewhere. If so, that's what I'd like to see.
-
trusktr over 11 yearsThanks. That's good info. Could you take a look at my updated question?
-
trusktr over 11 yearsNice, that's also available on Arch Linux: archlinux.org/packages/community/i686/conntrack-tools -- Could you provide an example of how you'd use conntrack to see only connections started from local but not connections started from elsewhere?
-
ruffin over 9 yearsCompletely inappropriate hijack (except that this answer googled well): This answer works with Windows as well. To use
netstat
in "continuous mode" there,-c
doesn't work. You use numbers instead, likenetstat -na 1 | find "[Scan_Host_IP_Addr]"
for it to update every1
second (in this example). (source). -
G-Man Says 'Reinstate Monica' about 9 yearsWould you please add some explanation of how this works? (Edit the answer; don't post clarifying information as comments.) I think I've partly figured it out. It seems like it might need a bit more work. I ran
ss -tn state listening
on a host that runs an FTP server, and naturally the command showed that the machine was listening on port 21. So doesn't that mean that theegrep -v
will filter out any remote hosts whose IP address includes "21" (including "210", "211", "212", ...)? Also, is theasort
really necessary, or just window-dressing? -
Dale about 9 yearsI had to fix pretty much whole thing, the corrected script is above.
-
Dale about 9 yearsUltimately, it would be a lot nicer if ss or netstat would just include this functionality in it. Do a
ss --out
to get a list of outgoing connections. -
trusktr about 9 yearsNice, I like this answer. I'll try it out when I get back to improving security on my server. :D
-
Dale almost 9 yearsLooks like this could be used for UDP, too, but you just have to use different flags and states, of course.
-
awm about 7 yearsIs there a way to display more user-friendly information such as domain names, info about the ip? Perhaps using a custom script?
-
gertvdijk about 7 years@awm Well, that would be doable with
strace
on the process, filtering for nameserver lookups (no details, this is not a full answer to it). Alternatively, you could show the reverse DNS of the IPs listed innetstat
by omitting then
option included in my answer.