First, let's use the tcpdump utility to capture a connection from our workstation (client.net):
IP client.net.53058 > server.net.berknet: Flags [P.], [i]
This is an outbound connection to a server listening on TCP port 2005, as getent [ii] and /etc/services confirm:
# getent services berknet
berknet 2005/tcp csync
# grep berknet /etc/services
berknet 2005/tcp csync # csync for cyrus-imapd
In this article, I will list 3 utilities that can be used to view network connections and related information.
1. ss (socket statistics)
# ss -pr | grep berknet
ESTAB 0 0 client.net:53058 server.net:berknet users:(("python2.6",8665,9))
where 8665 is the process ID, python2.6 is the program name, and the options are:
-p = list process IDs
-r = resolve IP addresses to hostnames
If you don't want to resolve the port number to a service name, use the -n option:
# ss -prn | grep 8665
ESTAB 0 0 client.net:53058 server.net:2005 users:(("python2.6",8665,9))
To view more information about the process with ID 8665, run:
# ps 8665
PID TTY STAT TIME COMMAND
8665 ? Sl 1:50 /usr/bin/python2.6 /usr/local/bin/collectd-proxy.py
where collectd-proxy.py is the application that is generating traffic on TCP port 2005.
By default, ss displays a list of established TCP connections, omitting the ports on which the server is listening. Therefore,
• use the option -u (--udp) in order to list only UDP connections.
• use the option -l (--listening) in order to list only the open ports (i.e. the ports on which the server is listening).
• use the option -a (--all) in order to list all connections (TCP, UDP, connected and listening).
For example, ss -au will list all outbound UDP connections [iii] and open UDP ports.
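When many connections have to be triaged, the users:(("python2.6",8665,9)) field described above can be parsed by a script instead of read by eye. The following is an added example, not part of the original article: the function names socket_owners and sample_ss_output are hypothetical, every sample line except the first is constructed, and the parser also accepts the pid=/fd= form that newer ss releases print.

```shell
#!/bin/sh
# Added example (not from the article): pull PID and program name out of
# ss -tpn style lines, for the connections that use a given port.

# Constructed sample input; only the first line comes from the article.
sample_ss_output() {
cat <<'EOF'
ESTAB 0 0 client.net:53058 server.net:2005 users:(("python2.6",8665,9))
ESTAB 0 0 192.0.2.10:22 192.0.2.20:40122 users:(("sshd",pid=1201,fd=3),("sshd",pid=1187,fd=3))
ESTAB 0 0 192.0.2.10:44321 192.0.2.30:443
EOF
}

# socket_owners PORT (hypothetical helper name): reads ss lines on stdin and
# prints "PID PROGRAM LOCAL PEER" for every process that holds a socket whose
# local or peer port is PORT. Prints "- -" when ss showed no owner.
socket_owners() {
    awk -v port="$1" '
    {
        # Fields: State Recv-Q Send-Q Local:Port Peer:Port [users:((...))]
        if ($4 !~ (":" port "$") && $5 !~ (":" port "$")) next

        # No users:((...)) field: ss lacked the privilege to see the owner,
        # or the socket has no owning process (for example TIME-WAIT).
        if (!match($0, /users:\(\(.*\)\)/)) { print "-", "-", $4, $5; next }
        users = substr($0, RSTART, RLENGTH)

        # A socket can be shared by several processes, so walk every entry.
        # Accepts ("prog",PID,FD) and ("prog",pid=PID,fd=FD).
        while (match(users, /\("[^"]*",(pid=)?[0-9]+,(fd=)?[0-9]+\)/)) {
            entry = substr(users, RSTART, RLENGTH)
            users = substr(users, RSTART + RLENGTH)
            prog = entry; sub(/^\("/, "", prog); sub(/".*$/, "", prog)
            pid = entry; sub(/^\("[^"]*",(pid=)?/, "", pid); sub(/,.*$/, "", pid)
            print pid, prog, $4, $5
        }
    }'
}

# Usage on a live system (as root): ss -tpn | socket_owners 2005
sample_ss_output | socket_owners 2005
```

A "- -" result means ss reported the socket without an owner, so the lookup should be repeated as root before concluding that no process holds it.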
2. lsof (list open files)
# lsof -P | grep :2005
python2.6 8665 IPv4 TCP client.net:53058->server.net:2005 (ESTABLISHED) [i]
The -P option was used to display the port number instead of the service name.
3. netstat (network statistics)
# netstat --numeric-ports -p | grep :2005
tcp 0 0 client.net:53058 server.net:2005 ESTABLISHED 8665/python2.6
where the options are:
--numeric-ports = display the port number instead of the service name
-p = display the process ID and program name
Additionally,
• use the option -c (or --continuous) in order to keep refreshing the output of netstat.
• use the option -l in order to list only the open ports.
• use the option -n in order to display numeric ports and addresses instead of resolving them to names.
[i] Some information has been omitted from the output in order to make it easier to read.
[ii] getent (get entries). Note that it can map a port to a service name too, e.g.
# getent services 2005
berknet 2005/tcp csync
[iii] Inbound UDP connections won't be listed since UDP is a connectionless protocol.