- In Ubuntu, how do I figure out which process is a network pig [closed]
- 6 Answers 6
- How to list all the current network connections for a given PID?
- 4 Answers 4
- How can I monitor network I/O usage per process under Linux?
- 2 Answers 2
- reading TCP connection list from /proc
- 2 Answers 2
- List all internet connections
- 2 Answers 2
- Using netstat
- Similar to top :
- GUI Interface (just in case):
In Ubuntu, how do I figure out which process is a network pig [closed]
Using top it’s easy to identify processes that are hogging memory and cpu, but ocasionally I see my computer’s network activity spike, but I’m unable to determine which process is generating the activity. Where is the right place to look for this information?
6 Answers 6
You can also take a look at «NetHogs»: http://nethogs.sourceforge.net/. Little yet very handy utility. Especially if you want to find out which process is taking the bandwidth.
Aside of «nethogs», if you want to limit rate of any software that does not have such functionality built-in, then look at «trickle»: monkey.org/~marius/trickle.
You can install several applications to monitor network traffic in real time. NTOP, tcpdump, trafshow, iptraf.
I would go with NTOP or IPTRAF. But that’s just a personal taste.
Also, with Linux’s netstat you can use the -p flag to see how many connections is a process using.
You can also use iftop. In Ubuntu you can install it by typing in terminal: sudo aptitude install iftop . To use type: sudo iftop -i eth0 , where eth0 is your network interface.
The package ‘nmon’ provides a comparable tool to top. The design’s a bit different since the kernel doesn’t provide excellent statistics via /proc.
Description: performance monitoring tool for Linux nmon is a systems administrator, tuner, benchmark tool. It can display the CPU, memory, network, disks (mini graphs or numbers),
Description: displays bandwidth usage information on an network interface iftop does for network usage what top(1) does for CPU usage. It listens to network traffic on a named interface and displays a table of current bandwidth
How to list all the current network connections for a given PID?
but this does not seem to work. I need a command that will take that PID and print all the open network connections but I have no idea how. I have seen on other forms about strace but this does not make sense to me.
4 Answers 4
If you’re not root , you’ll only be able to get that for your processes.
Technically, that’s only for the internet sockets (connected or not).
If you want all established connections (or associations), internet or not (like for Unix domain sockets), you could try (at least on Linux and with lsof 4.89):
lsof -Ep "$pid" | grep -e '(ESTABLISHED)$' -e '->INO=.* '
For instance, for the process I use to write this answer, that gives:
firefox 6261 chazelas 3u unix 0xffff88026785d000 0t0 741948 type=STREAM ->INO=743009 4244,dbus-daem,58u firefox 6261 chazelas 4u unix 0xffff88017194c000 0t0 741280 type=STREAM ->INO=742999 3575,Xorg,57u firefox 6261 chazelas 6u unix 0xffff8802f544d400 0t0 743000 type=STREAM ->INO=741281 4244,dbus-daem,56u firefox 6261 chazelas 11u unix 0xffff8802f544e800 0t0 743004 type=STREAM ->INO=737278 4167,cinnamon-,21u firefox 6261 chazelas 14u unix 0xffff8801474b3c00 0t0 737279 type=STREAM ->INO=737280 6261,firefox,15u firefox 6261 chazelas 15u unix 0xffff8801474b7c00 0t0 737280 type=STREAM ->INO=737279 6261,firefox,14u firefox 6261 chazelas 34u unix 0xffff8801d0d01800 0t0 741294 type=STREAM ->INO=743006 4244,dbus-daem,57u firefox 6261 chazelas 45u IPv4 741950 0t0 TCP UNKNOWN:44232->host24-rangeA-akamai-aanp.cdn.thlon.isp.sky.com:http (ESTABLISHED) firefox 6261 chazelas 53u unix 0xffff880178356800 0t0 741947 type=STREAM ->INO=743008 3575,Xorg,56u firefox 6261 chazelas 60u IPv4 743011 0t0 TCP UNKNOWN:52760->a95-101-128-57.deploy.akamaitechnologies.com:http (ESTABLISHED) firefox 6261 chazelas 73u IPv4 742158 0t0 TCP UNKNOWN:54674->lhr35s01-in-f14.1e100.net:http (ESTABLISHED) firefox 6261 chazelas 87u IPv4 743521 0t0 TCP UNKNOWN:33564->stackoverflow.com:https (ESTABLISHED) firefox 6261 chazelas 91u IPv4 743522 0t0 TCP UNKNOWN:53940->93.184.220.29:http (ESTABLISHED) firefox 6261 chazelas 92u IPv4 742153 0t0 TCP UNKNOWN:36836->151.101.65.69:https (ESTABLISHED) firefox 6261 chazelas 94u IPv4 742154 0t0 TCP UNKNOWN:33716->192.0.73.2:https (ESTABLISHED) firefox 6261 chazelas 96u IPv4 742157 0t0 TCP UNKNOWN:51166->lhr26s04-in-f234.1e100.net:https (ESTABLISHED) firefox 6261 chazelas 113u IPv4 744875 0t0 TCP UNKNOWN:43262->lhr35s01-in-f1.1e100.net:https (ESTABLISHED)
How can I monitor network I/O usage per process under Linux?
Such known tools like iftop/iptraf display network I/O per interface and per connection. Is there a way to see network I/O statistics per process?
2 Answers 2
nethogs looks like it will do what you want.
EDIT: I needed to install ncurses-devel, libpcap and libpcap-devel to build.
@Tshepang I reviewed your edit, I kept the updated link you did but I kept the edit text, as for me it added value, like your edit too.
@yagmoth555 I mean why keep «EDIT» in the post? We have history to show what has been edited, so there is no need to mention that «text that follows is an edit».
@Tshepang Oh, Check your edit, you removed the entire line surely by error then, that why I re-edited to keep the line
To find what connections are associated with each process, use lsof. For example:
That will give you a list of connections, like this:
bash 10887 luke 3u IPv4 44638801 0t0 TCP littleyerry.example.com:55212->barista.example.com:ldap (ESTABLISHED) bash 10913 luke 3u IPv4 44638905 0t0 TCP littleyerry.example.com:55216->barista.example.com:ldap (ESTABLISHED) ssh 10935 luke 3u IPv4 44639001 0t0 TCP littleyerry.example.com:55219->barista.example.com:ldap (ESTABLISHED) ssh 10935 luke 4u IPv4 44639008 0t0 TCP littleyerry.example.com:59459->launchpad.example.com:ssh (ESTABLISHED) bash 10938 luke 3u IPv4 44639107 0t0 TCP littleyerry.example.com:55221->barista.example.com:ldap (ESTABLISHED)
From there, you should be able to find out about each connection individually using the tools you mentioned (iftop, iptraf). You could build a small script to aggregate the specific data that you’re looking for.
reading TCP connection list from /proc
I’m trying to implement code that enumerate all existing TCP connections per process (similar to netstat -lptn ). I prefer to implement it myself and not to rely on netstat . In order to do that, I’m parsing data from /proc/
2 Answers 2
There are many misunderstandings in your approach. I’ll go over them one by one.
- Sockets are not associated with a specific process. When a socket is created its reference count is 1. But through different methods such as dup2 , fork , and file descriptor passing it’s possible to create many references to the same socket causing its reference count to increase. Some of these references can be from an open file descriptor table, which itself can be used by many threads. Those threads may belong to the same thread group (PID) or different thread groups. When you use the -p flag for netstat it will enumerate the sockets accessible to each process and try to find a process for each known socket. If there are multiple candidate processes, there is no guarantee that it shows the process you are interested in.
- /proc//net/tcp does not only list sockets related to that process. It lists all TCPv4 sockets in the network namespace which that process belongs to. In the default configuration all processes on the system will belong to a single network namespace, so you’ll see the same result with any PID. This also explains why a thread/process which doesn’t use networking has contents in this file. Even if it doesn’t use networking itself it still belongs to a network namespace in which other processes may use networking.
- /proc//net/tcp contains both listening and connected sockets. When you pass -l to netstat it will show you only listening sockets. To match the output closer you’d need -a rather than -l .
- /proc//net/tcp contains only TCPv4 sockets. You need to use /proc//net/tcp6 as well to see all TCP sockets.
If you are only interested in sockets in the same namespace as your own process you don’t need to iterate through different PIDs. You can instead use /proc/net/tcp and /proc/net/tcp6 since /proc/net is a symlink to /proc/self/net .
Use /proc//fd — this lists all the open file descriptors, including sockets that the process is using. e.g.
/proc/1278482/fd: total 0 dr-xr-xr-x. 9 user user 0 Apr 22 23:30 ../ dr-x------. 2 user user 0 Apr 22 23:30 ./ lr-x------. 1 user user 64 Apr 22 23:30 4 -> pipe:[640683476] lrwx------. 1 user user 64 Apr 22 23:30 3 -> socket:[640754628] lrwx------. 1 user user 64 Apr 22 23:30 2 -> /dev/pts/10 l-wx------. 1 user user 64 Apr 22 23:30 1 -> /home/user/my_sockets.txt lrwx------. 1 user user 64 Apr 22 23:30 0 -> /dev/pts/10
You can then find the corresponding entry (e.g. 640754628) from /proc//net/tcp -> inode[6] to get all the details of the socket — e.g.
tcp: sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode 1864: 0100007F:A650 0100007F:18EB 01 00000000:00000000 00:00000000 00000000 500 0 640754628 1 0000000000000000 20 4 30 10 -1
( above example is a local connection to 127.0.0.1:6379 )
List all internet connections
I’d like to know all the connections my system is making to the internet. I tried netstat but that shows a lot of connections — all of which aren’t applicable I think. Can it be displayed like top does for processes ? I’m a little security conscious and would like to know all the incoming and outgoing connections happening on my system.
2 Answers 2
Using netstat
netstat by itself monitors all major protocols including TCP and UDP on every port.
If you want to display TCP and UDP connections:
If you want to display that continously:
Similar to top :
- nethogs — shows a list of the top processes that use bandwidth
- jnettop — shows list of top connections
- iftop — shows list of top connections with bandwidth bars
GUI Interface (just in case):
You may try ss as well, it’s more advanced than netstat .
List all TCP connections (including those with non-established state, e.g. SYN-SENT , LISTEN , and TIME-WAIT ). Read more about TCP states transition in RFC793.
State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 4096 127.0.0.1:5672 0.0.0.0:* ESTAB 0 0 192.168.1.4:57310 35.157.63.229:443 ESTAB 0 0 127.0.0.1:43764 127.0.0.1:8080 CLOSE-WAIT 1 0 192.168.1.4:34554 142.250.186.33:443 CLOSE-WAIT 1 0 192.168.1.4:34564 142.250.186.33:443
Include information about the owner process of the connections (e.g., process name and PID)
Display all established SSH connections.
List all the TCP sockets in state FIN-WAIT-1 for network 193.233.7/24 and look at their timers with —options , which shows timer information.