
#1 2010-11-04 14:02:51

tesjo
Member
Registered: 2007-11-30
Posts: 164

[Solved] Which process is accessing network

Hello,

I have noticed through conky and then by checking netstat -s I am constantly receiving about 1K/s with no up traffic. I have not been able to identify this. I have tried lsof | grep IP and find nothing (except when expected, i.e. firefox). I have eliminated some things such as mounted network drives, and CUPS. So how can I find out what is going on?

If it is helpful I am running i686, using dhcp, and my DAEMONS=(syslog-ng network netfs crond hal cups)

Thanks

Last edited by tesjo (2010-11-04 19:59:15)


#2 2010-11-04 14:10:03

skunktrader
Member
From: Brisbane, Australia
Registered: 2010-02-14
Posts: 1,547

Re: [Solved] Which process is accessing network

netstat -t -p

should tell you which programs are connected to which socket


#3 2010-11-04 14:26:17

tesjo
Member
Registered: 2007-11-30
Posts: 164

Re: [Solved] Which process is accessing network

skunktrader wrote:
netstat -t -p

should tell you which programs are connected to which socket


Nothing shows connected after unmounting my network drives, but still seeing data received.


#4 2010-11-04 16:18:07

toxygen
Member
Registered: 2008-08-22
Posts: 713

Re: [Solved] Which process is accessing network

when i'm feeling paranoid i go overboard and use
netstat -aeoucptw

that should tell you all connections in or out.  what programs do you have open? if you have mail box checkers they could be staying connected (IMAP).  there's also services like openntpd that maintain an open connection.


"I know what you're thinking, 'cause right now I'm thinking the same thing. Actually, I've been thinking it ever since I got here:
Why oh why didn't I take the BLUE pill?"


#5 2010-11-04 17:52:55

tesjo
Member
Registered: 2007-11-30
Posts: 164

Re: [Solved] Which process is accessing network

Thanks for the netstat command, it still shows nothing connected (once I close web apps and stop cups).

IPtraf shows the transmitted data as follows:
UDP (202 bytes) from 10.244.31.104:138 to 10.244.31.255:138 on eth0
UDP (78 bytes) from 10.244.31.104:137 to 10.244.31.255:137 on eth0
UDP (78 bytes) from 10.244.28.134:55456 to 10.244.31.255:137 on eth0
UDP (78 bytes) from 10.244.28.37:137 to 10.244.31.255:137 on eth0
UDP (78 bytes) from 10.244.28.134:55456 to 10.244.31.255:137 on eth0
UDP (78 bytes) from 10.244.31.104:137 to 10.244.31.255:137 on eth0
UDP (284 bytes) from 10.244.28.37:4123 to 10.244.31.255:53271 on eth0
UDP (78 bytes) from 10.244.28.37:137 to 10.244.31.255:137 on eth0
UDP (221 bytes) from 10.244.31.196:138 to 10.244.31.255:138 on eth0

I realize these are computers and their ports on the network. But I don't know if it is normal to see this as received data.


#6 2010-11-04 18:34:15

diegonc
Member
Registered: 2008-12-13
Posts: 42

Re: [Solved] Which process is accessing network

$ grep " 13[78]\/udp" /etc/services
netbios-ns      137/udp    # NETBIOS Name Service   
netbios-dgm     138/udp    # NETBIOS Datagram Service

NETBIOS broadcasts apparently. Try looking for udp sockets on those ports:

netstat -aupn | grep ":13[78]"


#7 2010-11-04 19:41:26

tesjo
Member
Registered: 2007-11-30
Posts: 164

Re: [Solved] Which process is accessing network

Again netstat shows no results that I can find except for netstat -s, running immediately after itself you can see the increase in received packets.

[root@myhost travis]# netstat -tp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
[root@myhost travis]# netstat -aupn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
[root@myhost travis]# date;netstat -s
Thu Nov  4 15:36:28 EDT 2010
Ip:
    98108 total packets received
    4583 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    93525 incoming packets delivered
    17147 requests sent out
Icmp:
    0 ICMP messages received
    0 input ICMP message failed.
    ICMP input histogram:
    0 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
Tcp:
    811 active connections openings
    0 passive connection openings
    4 failed connection attempts
    47 connection resets received
    0 connections established
    15881 segments received
    15761 segments send out
    11 segments retransmited
    0 bad segments received.
    108 resets sent
Udp:
    4556 packets received
    0 packets to unknown port received.
    0 packet receive errors
    1597 packets sent
    RcvbufErrors: 0
    SndbufErrors: 0
UdpLite:
    InDatagrams: 0
    NoPorts: 0
    InErrors: 0
    OutDatagrams: 0
    RcvbufErrors: 0
    SndbufErrors: 0
error parsing /proc/net/snmp: Success
[root@myhost travis]# date;netstat -s
Thu Nov  4 15:36:34 EDT 2010
Ip:
    98139 total packets received
    4586 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    93553 incoming packets delivered
    17147 requests sent out
Icmp:
    0 ICMP messages received
    0 input ICMP message failed.
    ICMP input histogram:
    0 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
Tcp:
    811 active connections openings
    0 passive connection openings
    4 failed connection attempts
    47 connection resets received
    0 connections established
    15881 segments received
    15761 segments send out
    11 segments retransmited
    0 bad segments received.
    108 resets sent
Udp:
    4556 packets received
    0 packets to unknown port received.
    0 packet receive errors
    1597 packets sent
    RcvbufErrors: 0
    SndbufErrors: 0
UdpLite:
    InDatagrams: 0
    NoPorts: 0
    InErrors: 0
    OutDatagrams: 0
    RcvbufErrors: 0
    SndbufErrors: 0
error parsing /proc/net/snmp: Success
[root@myhost travis]# 


#8 2010-11-04 19:43:19

skunktrader
Member
From: Brisbane, Australia
Registered: 2010-02-14
Posts: 1,547

Re: [Solved] Which process is accessing network

Is there a Windows machine on your network?  It looks like a Windows machine is broadcasting messages looking for other Windows machines.


#9 2010-11-04 19:50:02

tesjo
Member
Registered: 2007-11-30
Posts: 164

Re: [Solved] Which process is accessing network

Yes there are. So is it normal that I am receiving those messages?

EDIT: It seems so. Thanks all for your help.

Last edited by tesjo (2010-11-04 19:55:27)


#10 2010-11-04 21:24:08

hexanol
Member
From: Canaduh
Registered: 2009-08-04
Posts: 95

Re: [Solved] Which process is accessing network

Ok, so this thread has been tagged as solved, but you could have used tcpdump/wireshark if you wanted to see any kind of network activity on your interface card. Something like 'tcpdump -i eth0 -n'.
