Checking which process is using the network


tony_yum
05-27-2007, 08:46 AM
Hi All, I am seeing some random network traffic on my network monitoring docklet. What command would I use to see which processes are using the network?

Thanx

bwkaz
05-27-2007, 02:30 PM
The sane way is to use netstat. "netstat -anp" will give you the PID (-p) of any process that's using any (-a) kind of network socket, without resolving the name of the machine that it's connected to (-n). It'll also give the process name.

The crazy way is to look through the /proc/[0-9]*/fd/ directories for any symlinks whose target starts with "socket". This gives you a lot less info, though. :)

happybunny
05-28-2007, 12:18 AM
can't you also fuser /something/port# ?

tony_yum
05-28-2007, 06:58 AM
Thanx for the reply. Yeah, I used netstat before. It shows 409 processes with a connection, but I can't tell which one is actually producing traffic.

happybunny
05-28-2007, 09:40 AM
iptraf or tcpdump might show something

bwkaz
05-28-2007, 10:29 AM
Oh, OK, that makes sense: you have lots of sockets open, but few passing data.

Yeah, I'd use tcpdump to figure out what ports the traffic is flowing into or out of (but beware: tcpdump does its packet capturing before the firewall rules go into effect, so you'll capture packets that would normally be dropped), and then check netstat to see which program is listening on (or connected to) that port.

tony_yum
05-28-2007, 04:49 PM
Thank you again. I am still confused though. I used tcpdump and got a bunch of these

21:47:09.791981 arp reply jin.home is-at 00:07:e9:ae:31:6d (oui Unknown)
21:47:09.795156 arp who-has 192.168.1.67 tell api.home
21:47:09.798299 arp who-has 192.168.1.65 tell api.home
21:47:09.801338 arp who-has 192.168.1.67 tell api.home
21:47:09.804315 arp who-has 192.168.1.68 tell api.home
21:47:09.807241 arp who-has TONY.home tell api.home
21:47:09.810229 arp who-has 192.168.1.67 tell api.home
21:47:09.813209 arp who-has 192.168.1.65 tell api.home
21:47:09.815933 arp who-has 192.168.1.65 tell api.home
21:47:09.818648 arp who-has TONY.home tell api.home
21:47:39.836583 arp who-has 192.168.1.68 tell api.home
21:47:39.839652 arp who-has jin.home tell api.home
21:47:39.839661 arp reply jin.home is-at 00:07:e9:ae:31:6d (oui Unknown)
21:47:39.842891 arp who-has 192.168.1.67 tell api.home
21:47:39.845879 arp who-has 192.168.1.65 tell api.home
21:47:39.848886 arp who-has 192.168.1.67 tell api.home
21:47:39.852009 arp who-has 192.168.1.68 tell api.home
21:47:39.855856 arp who-has TONY.home tell api.home
21:47:39.859683 arp who-has 192.168.1.67 tell api.home
21:47:39.862912 arp who-has 192.168.1.65 tell api.home
21:47:39.865898 arp who-has 192.168.1.65 tell api.home
21:47:39.868899 arp who-has TONY.home tell api.home

I don't understand what it means. 192.168.1.[65|67|68] are laptops that have used the network, but they are currently switched off. My resource monitor is telling me that there is roughly 80% network traffic on my computer. Confused....

bwkaz
05-28-2007, 07:17 PM
Which machine is "api.home"? For some reason, it's constantly trying to send traffic to all the other machines, so it's sending ARP requests to get their MAC addresses. (It knows their IPs, but has to use ARP to find which MAC is associated with that IP.)

So you have some code running on api.home that's trying to ping (or otherwise send traffic to) jin, .67, .65, .67, .68, TONY, etc., etc. It may not be trying them in exactly that order, because the machines that are on will probably stay in api's ARP cache for a while, but machines that are off will never get into the cache (because api will never get an ARP response).

(ARP requests are broadcast packets, which means you'll see them on all machines on the network. (That's sort of the point. :p) They can't be directed, because the machine doesn't know where to send them. The responses are directed, though, so you'll only see them in tcpdump if you send or receive them.)
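The following is an added example, not code from anyone in this thread. It turns a tcpdump ARP capture like the one pasted above into the summary bwkaz is reasoning about: per requesting host, how many "who-has" requests it sent and which targets were never seen answering. The sample capture is constructed from the lines quoted above; the patterns assume the classic "arp who-has X tell Y" / "arp reply X is-at MAC" output and also accept newer tcpdump's "ARP, Request who-has X tell Y, length 28" form. A single host repeatedly asking for addresses that never reply is the signature described in the post: something on that host keeps trying to reach machines that are switched off.

```python
#!/usr/bin/env python3
"""Summarise ARP requests and replies from tcpdump output (added example)."""
import re
import sys
from collections import Counter, defaultdict

# Match both "arp who-has X tell Y" and "ARP, Request who-has X tell Y, length 28".
WHO_HAS = re.compile(r"who-has (\S+) tell (\S+)", re.IGNORECASE)
REPLY = re.compile(r"reply (\S+) is-at (\S+)", re.IGNORECASE)


def parse_arp_line(line):
    """Return ('request', target, sender), ('reply', host, mac) or None."""
    m = WHO_HAS.search(line)
    if m:
        return ("request", m.group(1).rstrip(","), m.group(2).rstrip(","))
    m = REPLY.search(line)
    if m:
        return ("reply", m.group(1).rstrip(","), m.group(2).rstrip(","))
    return None


def summarize_arp(lines):
    """Aggregate a capture: requests per sender, answered hosts, unanswered targets per sender."""
    requests_by_sender = Counter()
    asked = defaultdict(Counter)        # sender -> target -> number of who-has sent
    answered = set()                    # hosts seen in an "is-at" reply
    for line in lines:
        parsed = parse_arp_line(line)
        if parsed is None:
            continue
        kind, first, second = parsed
        if kind == "request":           # first = target, second = asking host
            requests_by_sender[second] += 1
            asked[second][first] += 1
        else:                           # first = replying host, second = its MAC
            answered.add(first)
    # A target that is asked for but never replies is off (or non-existent).
    unanswered = {
        sender: {t: n for t, n in targets.items() if t not in answered}
        for sender, targets in asked.items()
    }
    return {"requests_by_sender": dict(requests_by_sender),
            "answered": answered, "unanswered": unanswered}


def noisiest_sender(summary):
    """(host, count) for the host that sent the most who-has, or None if there were none."""
    counts = summary["requests_by_sender"]
    if not counts:
        return None
    host = max(counts, key=counts.get)
    return host, counts[host]


# Constructed sample in the format of the capture quoted in the thread.
SAMPLE = """\
21:47:09.791981 arp reply jin.home is-at 00:07:e9:ae:31:6d (oui Unknown)
21:47:09.795156 arp who-has 192.168.1.67 tell api.home
21:47:09.798299 arp who-has 192.168.1.65 tell api.home
21:47:09.801338 arp who-has 192.168.1.67 tell api.home
21:47:09.804315 arp who-has 192.168.1.68 tell api.home
21:47:09.807241 arp who-has TONY.home tell api.home
21:47:09.810229 arp who-has 192.168.1.67 tell api.home
21:47:09.813209 arp who-has 192.168.1.65 tell api.home
21:47:09.815933 arp who-has 192.168.1.65 tell api.home
21:47:09.818648 arp who-has TONY.home tell api.home
21:47:39.836583 arp who-has 192.168.1.68 tell api.home
21:47:39.839652 arp who-has jin.home tell api.home
21:47:39.839661 arp reply jin.home is-at 00:07:e9:ae:31:6d (oui Unknown)
21:47:39.842891 arp who-has 192.168.1.67 tell api.home
21:47:39.845879 arp who-has 192.168.1.65 tell api.home
21:47:39.848886 arp who-has 192.168.1.67 tell api.home
21:47:39.852009 arp who-has 192.168.1.68 tell api.home
21:47:39.855856 arp who-has TONY.home tell api.home
21:47:39.859683 arp who-has 192.168.1.67 tell api.home
21:47:39.862912 arp who-has 192.168.1.65 tell api.home
21:47:39.865898 arp who-has 192.168.1.65 tell api.home
21:47:39.868899 arp who-has TONY.home tell api.home
"""

if __name__ == "__main__":
    # Read a live capture from stdin (e.g. piped from tcpdump), else use the sample.
    lines = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin.read().splitlines()
    result = summarize_arp(lines)
    for sender, n in sorted(result["requests_by_sender"].items(), key=lambda kv: -kv[1]):
        print(f"{sender}: {n} request(s); targets that never answered: "
              f"{result['unanswered'][sender]}")
```

Run it as `sudo tcpdump -l arp | python3 arp_summary.py` to summarise a live capture (the `-l` flag makes tcpdump line-buffer its output); with no stdin it summarises the constructed sample, reporting api.home as the only requester and the three switched-off laptops plus TONY.home as the targets that never replied.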

tony_yum
05-29-2007, 08:58 AM
api.home is the machine that I am using now, the one that I run tcpdump on. All other machines are not switched on. Is there a way to see which process is doing all these "pings"?

bwkaz
05-29-2007, 06:53 PM
I don't know for sure that it's actually ping. Something on your machine is trying to send some kind of traffic to all the other machines -- but it's going to fail since your machine won't resolve their MAC addresses.

Since you can't see the real traffic (because it never gets sent), you can't find out what process has the socket open. Probably the best you can do is look closely through all the sockets in netstat's output to see if there's any process there that has a bunch of sockets open that shouldn't be. I don't see any faster way of telling what's going on. :(
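The following is an added example, not code posted by anyone in this thread. It implements the "crazy way" from bwkaz's first reply (walk /proc/[0-9]*/fd and pick out the symlinks whose target starts with "socket") and then does what the last reply suggests: tally sockets per process so the one holding "a bunch of sockets that shouldn't be" stands out. The inode in each "socket:[INODE]" link target is matched against the inode column of /proc/net/tcp, tcp6, udp and udp6, which is how netstat -p itself ties a socket to a PID. The parsing is kept separate from the /proc reads so it runs on constructed input; the sample table and fd lists below are made up, and reading other users' fds on a live system requires root.

```python
#!/usr/bin/env python3
"""Map open sockets to processes by walking /proc (added example, Linux layout)."""
import os
import re
from collections import Counter, defaultdict

SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")
# Linux kernel TCP state codes as they appear (hex) in the "st" column of /proc/net/tcp.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}


def _hex_addr(s):
    """'0100007F:0035' (little-endian IPv4 hex) -> '127.0.0.1:53'; IPv6 is left as hex."""
    ip_hex, port_hex = s.split(":")
    port = int(port_hex, 16)
    if len(ip_hex) == 8:
        octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
        return ".".join(octets) + f":{port}"
    return f"[{ip_hex}]:{port}"


def parse_proc_net(text, proto):
    """Parse /proc/net/{tcp,tcp6,udp,udp6} text into {inode: (proto, local, remote, state)}."""
    table = {}
    for line in text.splitlines()[1:]:          # line 0 is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local, remote, state, inode = fields[1], fields[2], fields[3], fields[9]
        table[int(inode)] = (proto, _hex_addr(local), _hex_addr(remote),
                             TCP_STATES.get(state, state))   # UDP shows '07' for unconnected
    return table


def socket_inodes(fd_targets):
    """Given readlink() results for one pid's fds, return the socket inodes among them."""
    inodes = []
    for target in fd_targets:
        m = SOCKET_LINK.match(target)
        if m:
            inodes.append(int(m.group(1)))
    return inodes


def sockets_by_process(pid_fd_targets, inode_table):
    """{pid: [fd link targets]} -> {pid: [socket tuples]}. Inodes missing from the table
    (UNIX-domain, netlink, raw sockets) are reported as '?' rather than dropped."""
    result = defaultdict(list)
    for pid, targets in pid_fd_targets.items():
        for inode in socket_inodes(targets):
            result[pid].append(inode_table.get(inode, ("?", "?", "?", "?")))
    return dict(result)


def socket_counts(pid_sockets):
    """Sockets per pid, busiest first: the 'which process has a bunch of sockets' check."""
    return Counter({pid: len(s) for pid, s in pid_sockets.items()}).most_common()


def read_live_proc():
    """Read the real /proc. Processes that exit mid-scan or belong to other users are skipped."""
    table = {}
    for proto in ("tcp", "tcp6", "udp", "udp6"):
        path = f"/proc/net/{proto}"
        if os.path.exists(path):
            with open(path) as f:
                table.update(parse_proc_net(f.read(), proto))
    pid_targets = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            pid_targets[int(pid)] = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
        except OSError:                         # process gone, or permission denied
            continue
    return pid_targets, table


# Constructed sample: a /proc/net/tcp excerpt with two sockets, and three processes' fd links.
SAMPLE_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 4301A8C0:D431 0101A8C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1\n"
)
SAMPLE_FDS = {
    100: ["/dev/null", "socket:[12345]", "pipe:[7]"],
    200: ["socket:[67890]", "socket:[12345]", "socket:[99]"],
    300: ["/var/log/syslog"],
}

if __name__ == "__main__":
    if os.path.isdir("/proc/1"):                # real Linux /proc available
        pids, table = read_live_proc()
    else:                                       # elsewhere, demonstrate on the sample
        pids, table = SAMPLE_FDS, parse_proc_net(SAMPLE_TCP, "tcp")
    by_pid = sockets_by_process(pids, table)
    for pid, n in socket_counts(by_pid)[:10]:
        print(f"pid {pid}: {n} socket(s)")
        for sock in by_pid[pid][:5]:
            print("   ", *sock)
```

On the sample, pid 200 comes out on top with three sockets, one of which (inode 99) is not in the TCP table and is printed as unknown; on a live system the output is the same per-process view that netstat -anp gives, sorted so the process holding the most sockets is listed first.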

tony_yum
05-30-2007, 05:46 AM
I see. okay. Thank you for the help.