Use Netstat to monitor server connections in Linux
February 10, 2011. Posted by Tournas Dimitrios in Linux admin tools.
One of the most frequently used tools for monitoring network connections on a Linux server or desktop is Netstat. Netstat returns a variety of information on active connections, such as their current status, which hosts are involved, and which programs are involved. You can also see information about the routing table and even get statistics on your network interfaces. Netstat is a good all-around utility and it is an essential tool for the Linux administrator to master.
The program itself can usually be run by any user, so simply typing netstat at a prompt should tell you if it's installed. Netstat is part of the Net-tools package, along with such basic programs as ifconfig, arp, hostname, and route. If your system is missing these utilities, you should install them from your Linux distribution CD or download and install them manually.
The most commonly used options are:

| Option | Description |
|---|---|
| -a, --all | Show both listening and non-listening sockets. With the --interfaces option, show interfaces that are |
| --numeric, -n | Show numerical addresses instead of trying to determine symbolic host, port or user names. |
| -p, --program | Show the PID and name of the program to which each socket belongs. |
| -l, --listening | Show only listening sockets. (These are omitted by default.) |
| -t, --tcp | Show tcp related ports. |
| -u, --udp | Show udp related ports. |
| --route, -r | Display the kernel routing tables. |
| -c, --continuous | This will cause netstat to print the selected information every second continuously. |
| -e, --extend | Display additional information. Use this option twice for maximum detail. |
| --statistics, -s | Display summary statistics for each protocol. |
| --interface=iface, -i | Display a table of all network interfaces, or the specified iface. |
Let's see a practical example:
In my example, I noticed that a strange process was running on my computer (hpiod). After a couple of clicks on Google, I found this explanation:
hpiod and hpssd (These daemons provide extensive support for HP printers. They can safely be disabled if you never print using an HP printer)
Because I don't run any printer on this computer, I safely disabled this process.
An experienced hacker would compromise the netstat utility so that it never reveals his malicious applications in the netstat list. So it is a good habit to port-scan your computer (with nmap) from another PC on the network.
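As a local complement to that external scan, the listening ports can be read straight from the kernel's socket table and compared with what netstat printed. The script below is an added example, not part of the original post; it assumes a Linux /proc filesystem, and the function names and sample data are constructed for illustration.

```shell
# Added example: compare the kernel's socket table with what netstat printed.
# In /proc/net/tcp, state 0A means LISTEN and the port is hexadecimal.

# Listening TCP ports from /proc/net/tcp-format data on stdin.
proc_listen_ports() {
    awk '$4 == "0A" { split($2, a, ":"); print a[2] }' |
    while read -r hex; do echo "$((0x$hex))"; done | sort -nu
}

# Listening TCP ports from `netstat -tln` output on stdin.
netstat_listen_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
    sort -nu
}

# Ports the kernel lists as listening that netstat did not show.
# $1: file in /proc/net/tcp format, $2: file with saved netstat -tln output.
hidden_ports() {
    seen=" $(netstat_listen_ports < "$2" | tr '\n' ' ')"
    for port in $(proc_listen_ports < "$1"); do
        case "$seen" in *" $port "*) ;; *) echo "$port" ;; esac
    done
}

# Constructed sample (shortened lines): kernel table, listeners on 22, 25, 31337.
sample_proc() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue
   0: 00000000:0016 00000000:0000 0A 00000000:00000000
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000
   2: 00000000:7A69 00000000:0000 0A 00000000:00000000
   3: 0A00000A:0016 0B00000A:C350 01 00000000:00000000
EOF
}

# Constructed sample: netstat -tln output that omits port 31337.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address     Foreign Address   State
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN
tcp        0      0 127.0.0.1:25      0.0.0.0:*         LISTEN
EOF
}

dir=$(mktemp -d)
sample_proc > "$dir/proc"; sample_netstat > "$dir/netstat"
echo "Not shown by netstat: $(hidden_ports "$dir/proc" "$dir/netstat" | tr '\n' ' ')"
rm -rf "$dir"
# Live use: netstat -tln > ns.txt; cat /proc/net/tcp /proc/net/tcp6 > k.txt; hidden_ports k.txt ns.txt
```

A kernel-level compromise can falsify /proc as well, so this check complements the scan from another machine rather than replacing it.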