
Hello, I want to achieve as much security as I can on my Ubuntu machine, so I want to check for suspicious connections. Any idea how to monitor network traffic on my PC? Incoming and outgoing both. I also tried netstat -t -u -c and tcpdump, but I want to learn if I can use a more effective tool. Thanks!


2 Answers

There are a lot of tools and different ways to do this. A lot of utilities like wireshark, netstat, nmap, iptraf, ss, or even lsof, as well as different firewalls, audit and monitoring tools, can help you achieve this purpose.

It's basically up to you what you want to achieve, what process or kind of traffic you want to monitor, etc.

wireshark

To install:

sudo apt-get install wireshark

Then it will ask you if you want to be able to use wireshark as a normal user; say yes and add yourself to the wireshark group:

sudo gpasswd -a username wireshark

Log out and log in, and you are ready to use wireshark. Just run it, select your desired interface (e.g. enp0s3) and click on start capturing; you can also double-click on the interface name. Now you are able to see all the traffic going in/out through that interface.

You can apply filters for a specific traffic type.


There are a lot of ways to apply filters, e.g. type in: http, then press enter. Now you will see all http traffic. Or ip.src == 1.2.3.4 to specify the source, or ip.dst for the destination. You also have access to the expression builder, for creating complex expressions to filter out your desired traffic type.



Iptables logging

You can turn on logging in iptables:

sudo iptables -A INPUT -j LOG
sudo iptables -A OUTPUT -j LOG

Then using different log managers you can watch what's going on. Remember that it's going to create really huge log files, because it's going to log everything!

The better solution is to only log the specific traffic which you are concerned about, e.g.:

sudo iptables -A INPUT -p udp --dport 53 -j LOG

Which logs incoming packets using TCP protocol at port 53.


netstat

You can do a lot with this tool. If you want to see which ports are being listened on:

netstat -tulnp

-t: tcp, -u: udp, -n: use numbers instead of names, -l: listening, -p: to know which process is listening on these ports.

Add grep to do magical stuff with netstat.

sudo netstat -ul | grep 53

ss

ss is similar to netstat, with a lot of cool options. If I want to list TCP connections from my network 192.168.1.0/24 to 151.101.1.69 (which is askubuntu's IP), with a destination port of 80 or 443, I can run:

ss -nt '( dport = :80 or dport = :443 )' src 192.168.1.0/24 dst 151.101.1.69

Or I can see what connections have been made by a python process:

ss -ap | grep python

nmap

With nmap I can scan a computer or network; scanning my own interface from port 80 to 800 (for open ports):

nmap 192.168.0.1 -p 80-800

Let's say my port 80 was open; I can use the -sV switch to find out which service, with what version, is running at that port:

$ nmap 192.168.1.1 -p 80 -sV
PORT STATE SERVICE VERSION
80/tcp open http Apache2

Since netstat and wireshark are already mentioned.

A nice starting point before you use these can be the lsof (list open files) command; it has an -i flag that, without an argument, lists all internet network files.

-i (list internet network files) -P (inhibit port numbers) -n (no conversion of network numbers)

as in

lsof -i -P -n

Now that's probably a long list, and there are a lot of duplicates. But you can trim this down:

$ lsof -i -P -n | cut -f 1 -d " " | tail -n +2 | sort | uniq
chrome
dropbox
firefox
python
thunderbi
vim

While this doesn't give you much info, it's a quick overview, and if something interests you, you can investigate it further from there.

Keep in mind there can be false positives here; in my case that would be vim and python, which are caused by ycmd, a vim plugin I use that runs as a local server process.

For example, if I did not know this I could check

$ ps ax | grep python 

to see all the processes, grab a port there and check netstat.

$ netstat -p | grep 51635
tcp 1 0 localhost:41792 localhost:51635 CLOSE_WAIT 27413/vim

And, as mentioned, this is a loopback route from ycmd, so not actually going outside my machine. But now I know.

