How to monitor network activity on a Linux system

There are many reasons why you may want to monitor the network activity on your Linux system. You may be troubleshooting a network issue, you may want to check to make sure that there are no malicious applications creating suspicious network activity, or you may simply want to know if any processes are phoning home. Whatever the reason, here are a few methods to see which processes on your system are engaged in network activity and who they are communicating with.

In this tutorial you will learn:

  • How to monitor network connections and listening services with netstat
  • How to monitor network connections and listening services with lsof
  • How to monitor network connections and listening services with ifconfig
  • What tools you can use to examine the data being sent over the network

Software requirements and conventions used

Software Requirements and Linux Command Line Conventions

Category      Requirements, Conventions or Software Version Used
System        Distribution-independent
Software      netstat, lsof, ifconfig, wireshark, tcpdump
Other         Privileged access to your Linux system as root or via the sudo command.
Conventions   # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
              $ – requires given linux commands to be executed as a regular non-privileged user

Netstat

Netstat is a powerful utility that can print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. We will be using it to accomplish the former.

Installing Netstat

On Debian and Debian based systems such as Ubuntu, use apt.

# apt install net-tools

On Red Hat Enterprise Linux and Red Hat based systems, use yum.

# yum install net-tools

On Arch based systems, use pacman.

# pacman -S net-tools

NOTE
In the following examples we are using a fresh install of RHEL 8 running in VirtualBox with guest additions installed

View listening processes

First, let’s view the processes that are listening for connections. To do so, enter the following command.

$ sudo netstat -tulpen

In this command t displays TCP connections, u displays UDP connections, l shows only listening sockets, p shows the program to which the connection belongs, e shows extended information, and n represents addresses, users, and ports numerically.

[Screenshot: netstat -tulpen output]

When considering the client server model that most networking software is based on, listening processes can be thought of as software that is in “server” mode. There is nothing surprising about the output given our setup. These are all of the processes that you would expect to be listening for network connections on a fresh install of RHEL 8 running in VirtualBox.

For each listening process you can see the protocol being used, the local address and port it is listening on, the user it is running under, and the PID/Program name. There is one important distinction to note here. For tcp4/udp4 connections (simply listed as tcp and udp) where the Local Address is listed as 0.0.0.0, the process is listening for connections from any machine that is able to connect to it over the network, whereas when it is listed as 127.0.0.1 it is only listening for connections on the localhost (the machine it is running on) and cannot be connected to by other computers on the network. The same distinction is true for tcp6/udp6 when comparing a Local Address of :: (network facing) and ::1 (localhost only).
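The 0.0.0.0 / :: versus 127.0.0.1 / ::1 distinction is the thing most worth automating when you audit a host, so here is an added example (not part of the original article) that classifies every line of netstat -tulpen output by reachability. The sample output embedded in the script is constructed for the demo rather than captured from a real machine; the function names classify_listeners, exposed_listeners and count_exposed are my own.

```shell
#!/bin/sh
# Constructed sample of `sudo netstat -tulpen` output (not a capture from a real host).
# Note that UDP lines have no State column, so column positions shift; the script
# therefore reads the local address as field 4 and counts the rest from the end.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          25614      872/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      0          29473      1134/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      0          25616      872/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      0          29472      1134/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          27810      904/NetworkManager
udp        0      0 127.0.0.1:323           0.0.0.0:*                           0          24290      786/chronyd
udp6       0      0 ::1:323                 :::*                                0          24291      786/chronyd'

# Classify each listening socket by where it can be reached from.
# Reads netstat -tulpen output on stdin and prints: proto port scope user pid/program
#   ANY   - bound to 0.0.0.0 or ::, reachable from any host that can route to us
#   LOCAL - bound to 127.0.0.1 or ::1, reachable only from this machine
#   IFACE - bound to one specific interface address, reachable on that interface
classify_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4; sub(/:[^:]*$/, "", addr)   # drop the trailing :port
            port = $4; sub(/.*:/, "", port)       # keep only the port
            if (addr == "0.0.0.0" || addr == "::")          scope = "ANY"
            else if (addr == "127.0.0.1" || addr == "::1")  scope = "LOCAL"
            else                                            scope = "IFACE"
            # User is always the third field from the end, program the last one.
            printf "%s %s %s %s %s\n", $1, port, scope, $(NF-2), $NF
        }'
}

# Only the listeners that other hosts can reach: the ones worth a second look.
exposed_listeners() {
    classify_listeners | awk '$3 != "LOCAL"'
}

# Number of network-reachable listeners in the constructed sample (quick check).
count_exposed() {
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners | wc -l | tr -d ' '
}

# Stand-alone demo on the sample. On a real host run instead:
#   sudo netstat -tulpen | exposed_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners
```

Anything reported as ANY or IFACE on a machine that is not meant to serve the network is the first thing to check against the expected package set; cupsd and chronyd bound to loopback, as in the sample, are the normal case.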

View all network connections

Now let’s take a look at all of the current network connections. To do this enter the following command, which is similar to the previous one except that we use -a to view all sockets instead of -l to just view listening sockets.

$ sudo netstat -atupen

In addition to showing us what software we have listening for connections as “servers”, this command also shows us currently established connections to that software and any established network connections we have using software acting as a “client” such as a web browser.

[Screenshot: netstat -atupen output]

In the screenshot you will notice 2 connections in the ESTABLISHED state. Once again, there are no surprises here. One of them belongs to NetworkManager and works as a DHCP client to enable networking from the gateway server (in this case, the host machine). The other is an SSH connection to the machine that we made after port forwarding the ssh service with VirtualBox. Had we seen anything unexpected here, it may have been cause for further investigation.

View established connections

You may find yourself in a situation where you only want to view the ESTABLISHED connections. This is as easy as piping the output of netstat to grep like so.

$ sudo netstat -atupen | grep ESTABLISHED
[Screenshot: sudo netstat -atupen | grep ESTABLISHED output]

We entered the above command after navigating to wikipedia.com in firefox and the screenshot captures the connections established by firefox when reaching the site. As you can see there are four servers that firefox connected to: 91.198.174.192, 172.217.23.100, 216.58.215.67, and 104.111.215.142. To see who these servers belong to we can query the ip addresses with whois like so.

$ whois 91.198.174.192 | less

Doing so for each of them reveals that they belong to Wikimedia, Google, Google, and Akamai respectively. This makes sense considering Wikimedia owns and hosts Wikipedia and it is very common for sites to load resources that are hosted on servers owned by Google and Akamai. In fact, examining the source code of the Wikipedia homepage reveals that it loads the Google Play Store app-badge from google.com and the Apple AppStore app-badge from apple.com.

Navigating to the urls for these 2 app badges individually and issuing the above netstat command does indeed verify that they are hosted on servers owned by Google and Akamai respectively.
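Running whois by hand for every address gets old quickly, so the following added example (my own script, not from the original article) pulls the unique remote peers out of netstat -atupen output, drops loopback and private-range peers that whois will not say anything useful about, and only then queries whois for the rest. The embedded sample output is constructed (it reuses the four addresses discussed above plus a local SSH session); remote_peers, public_peers and lookup_peers are hypothetical names, and the whois field names grepped for are an assumption based on the common ARIN and RIPE formats.

```shell
#!/bin/sh
# Constructed sample of `sudo netstat -atupen | grep ESTABLISHED` output (not a real
# capture). The four 443 peers are the addresses discussed in the article; 10.0.2.2 is
# the VirtualBox host side of the forwarded SSH session.
SAMPLE_ESTABLISHED='tcp        0      0 10.0.2.15:22            10.0.2.2:51234          ESTABLISHED 0          31294      1512/sshd
tcp        0      0 10.0.2.15:41262         91.198.174.192:443      ESTABLISHED 1000       40111      2731/firefox
tcp        0      0 10.0.2.15:50818         172.217.23.100:443      ESTABLISHED 1000       40115      2731/firefox
tcp        0      0 10.0.2.15:50820         172.217.23.100:443      ESTABLISHED 1000       40116      2731/firefox
tcp        0      0 10.0.2.15:36504         216.58.215.67:443       ESTABLISHED 1000       40120      2731/firefox
tcp        0      0 10.0.2.15:52730         104.111.215.142:443     ESTABLISHED 1000       40124      2731/firefox'

# Unique remote peers of ESTABLISHED connections, one per line: "<ip> <pid/program>".
# Reads netstat -atupen output on stdin (the ESTABLISHED filter is applied here, so
# piping through grep first is optional). Several connections to the same peer from
# the same program collapse into one line.
remote_peers() {
    awk '$6 == "ESTABLISHED" {
            peer = $5; sub(/:[^:]*$/, "", peer)   # strip the :port, IPv4 or IPv6
            print peer, $NF
         }' | sort -u
}

# Drop loopback, RFC 1918, IPv6 link-local and unique-local peers: whois has nothing
# useful to say about those, and they are not the "phoning home" case anyway.
public_peers() {
    remote_peers | awk '$1 !~ /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|::1$|fe80:|f[cd][0-9a-f][0-9a-f]:)/'
}

# Ask whois who owns each public peer. Needs network access and the whois client.
# Registries label the owner differently (ARIN: OrgName, RIPE: org-name / netname,
# older records: descr), so we grep for the common labels; this is an assumption,
# adjust the pattern if your registry prints something else.
lookup_peers() {
    public_peers | while read -r ip prog; do
        printf '%s (%s):\n' "$ip" "$prog"
        whois "$ip" 2>/dev/null | grep -iE '^(OrgName|org-name|netname|descr):' | head -n 3
    done
}

# Stand-alone demo on the constructed sample (no network needed). On a real host:
#   sudo netstat -atupen | lookup_peers
printf '%s\n' "$SAMPLE_ESTABLISHED" | public_peers
```

The private-range filter is what keeps the output focused: on the VirtualBox setup used in the article it removes the host-side SSH peer and leaves exactly the four Internet addresses that firefox opened, which are the ones you would actually want to attribute.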

If this sparked your interest in netstat then we have an article you can read to learn more about using the netstat command.

ss

The netstat command has long been a favorite of sysadmins, however it has recently been replaced by the ss command, which boasts of being faster, easier, and more human readable than netstat. Let’s see how to accomplish the same actions as performed above using ss. ss also has a -e option to view extended information, but that option has been omitted from the examples below because it produces additional information that may result in less readable output.

View listening processes

To view all listening processes enter the following.

$ sudo ss -tlunp

In this command t displays TCP connections, l shows only listening sockets, u displays UDP connections, n represents addresses, users, and ports numerically, and p shows the program to which the connection belongs.

View all network connections

To view all network connections enter the following, where a replaces l and shows all network sockets not just listening ones.

$ sudo ss -taunp

View established connections

If -a or -l are not included then ss will only show established connections. To view only established connections enter the following.

$ sudo ss -tunp

lsof

Just in case netstat and ss weren’t enough for you, we present lsof. Lsof is used to list open files. GNU/Linux inherited the UNIX design principle that everything is a file; this includes network connections. As a result, lsof can be used to view network activity in a manner similar to the aforementioned commands.

View all network connections

To view all network connections enter the following.

$ sudo lsof -nP -i

In this command n represents the addresses numerically, P represents ports numerically, and i suppresses the listing of any open files that are not considered network files.

View established connections

To view only established connections enter the following where the additional switches list all established TCP connections.

$ sudo lsof -nP -iTCP -sTCP:ESTABLISHED

View listening processes

To view listening processes using lsof enter the following.

$ sudo lsof -nP -iTCP -sTCP:LISTEN

This will miss any processes that are listening over UDP, so it may be desirable to instead enter the following to include those as well.

$ sudo lsof -nP -i | grep 'LISTEN\|UDP'

Monitoring data being sent over the network

We have seen how netstat, ss, and ifconfig can be used to monitor what network connections are being made and to whom, but it is often desirable to see exactly what data is being sent over the network. To accomplish this goal we require applications that are capable of packet sniffing. Two programs that specialize in this area are tcpdump and wireshark.

We have previously written guides on how to install wireshark on RHEL 8, The Basics of network protocol analyzer Wireshark On Linux, Filtering Packets In Wireshark on Kali Linux, and the Network Monitoring section of Linux system and hardware monitoring made efficient includes a nice introduction to tcpdump.

Conclusion

In this article we discussed how to view listening processes, established connections, and all network connections using netstat, ss, and ifconfig. We then introduced tools to examine the actual data being transmitted over the network and linked to great resources that are invaluable in discovering how to use them.
