
Use Netstat to monitor server connections in Linux February 10, 2011

Posted by Tournas Dimitrios in Linux admin tools.

One of the most frequently used tools for monitoring network connections on a Linux server/desktop is Netstat. Netstat returns a variety of information on active connections, such as their current status, which hosts are involved, and which programs are involved. You can also see information about the routing table and even get statistics on your network interfaces. Netstat is a good all-around utility and it is an essential tool for the Linux administrator to master.

The program itself can usually be run by any user, so simply typing netstat at a prompt should tell you if it’s installed. Netstat is part of the Net-tools package, along with such basic programs as ifconfig, arp, hostname, and route. If your system is missing these utilities, you should install them from your Linux distribution CD or download and install them manually.

The most commonly used options are:

-a, --all  Show both listening and non-listening sockets. With the --interfaces option, show interfaces that are not marked
--numeric, -n  Show numerical addresses instead of trying to determine symbolic host, port or user names.
-p, --program  Show the PID and name of the program to which each socket belongs.
-l, --listening  Show only listening sockets. (These are omitted by default.)
-t, --tcp  Show TCP-related ports.
-u, --udp  Show UDP-related ports.
--route, -r  Display the kernel routing tables.
-c, --continuous  This will cause netstat to print the selected information every second continuously.
-e, --extend  Display additional information. Use this option twice for maximum detail.
--statistics, -s  Display summary statistics for each protocol.
--interface=iface, -i  Display a table of all network interfaces, or the specified iface.

Let's see a practical example:

In my example, I noticed that a strange process was running on my computer (hpiod). After a couple of clicks on Goooooogle, I found this explanation:

hpiod and hpssd (These daemons provide extensive support for HP printers. They can safely be disabled if you never print using an HP printer)

Because I don’t run any printer on this computer, I safely disabled this process.

An experienced hacker would compromise the “netstat” utility so that it never reveals his malicious applications in the netstat list. So it is a good habit to port-scan (with nmap) your computer from another PC on the network.
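The cross-check described above can be scripted. The following is an added example, not part of the original post: it compares the listening TCP ports in saved `netstat -tln` output with the open ports in nmap's grepable (`-oG`) output and prints any port the scanner saw that netstat did not report. The function names, the sample output and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag ports an external scan sees but local netstat omits.
# Real inputs would come from `netstat -tln` run on the server and from
# `nmap -p- -oG - <server>` run on another PC; the samples are constructed.

# Print the TCP ports that netstat output (on stdin) shows in LISTEN state.
netstat_listen_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
        LC_ALL=C sort -u
}

# Print the open TCP ports from nmap grepable output on stdin.
nmap_open_ports() {
    awk -F'Ports: ' '/Ports: / {
        n = split($2, entry, ", ")
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")        # port/state/protocol/...
            if (f[2] == "open" && f[3] == "tcp") print f[1]
        }
    }' | LC_ALL=C sort -u
}

# $1 = netstat output text, $2 = nmap -oG output text.
# Prints ports that are open in the scan but absent from the netstat list.
unreported_ports() {
    seen_local=$(mktemp); seen_remote=$(mktemp)
    printf '%s\n' "$1" | netstat_listen_ports > "$seen_local"
    printf '%s\n' "$2" | nmap_open_ports > "$seen_remote"
    LC_ALL=C comm -13 "$seen_local" "$seen_remote"   # lines only in the scan
    rm -f "$seen_local" "$seen_remote"
}

# Constructed sample: netstat shows 22, 631 (loopback only) and 80.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN'

# Constructed sample: the scan from another PC also finds port 31337 open.
SAMPLE_NMAP='Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 31337/open/tcp//unknown///  Ignored State: closed (65532)'

unreported_ports "$SAMPLE_NETSTAT" "$SAMPLE_NMAP"
```

A port that appears only in the netstat list (631 here, bound to 127.0.0.1) is expected, because the scanner cannot reach loopback-only services. A port that appears only in the scan is the case worth investigating.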

