5

I am using the Linux command line and when I run the following command:

 tcpdump -n dst host destsitename
 tcpdump -n dst host stackoverflow.com

to see if my server, as the source, talks to this domain, how can I find out which process is doing the communication from my server as the source?

My question is which option should I use in "tcpdump".

09stephenb
LeoSam

5 Answers

2

On Linux you can also use the ss command (which replaces the deprecated netstat command):

$ ss -p dst stackoverflow.com
Netid  State  Recv-Q  Send-Q  Local Address:Port   Peer Address:Port     Process
tcp    ESTAB  0       0       192.168.2.5:50676    151.101.65.69:https   users:(("firefox",pid=4657,fd=251))
Thayne
1
  1. Run netstat -avnp and fetch the <pid> (the last column)
  2. Run ps -ef | fgrep <pid> and see what that <pid> belongs to
bobah
  • When I do tcpdump I get 14:46:36.702758 IP 10.64.13.205.50356 > 64.15.129.80.80: Flags [S], seq 1677599293, win 29200, options [mss 1460,sackOK,TS val 4013456 ecr 0,nop,wscale 7], length 0 But how to use netstat if I don't even know the process name? BTW all traffic goes to 64.15.129.80.80: – LeoSam Feb 26 '14 at 11:05
  • netstat will give you all connections on the server and respective `pid`s, you can `|grep` the address/port of interest – bobah Feb 26 '14 at 11:32
1

If you know the port, you can try:

lsof -i :1234

The benefit of using lsof instead of netstat is that netstat's -p is not supported on Unix/OS X.

kenorb
0

Use lsof and grep by site name:

$ lsof -i |grep mapscii.me
telnet    16678 zersh    3u  IPv4 1789302  0t0  TCP 192.168.21.180:43148->mapscii.me:telnet (ESTABLISHED)

or netstat:

$ netstat -anlpt |grep mapscii.me
tcp        0      0 192.168.21.180:43168    mapscii.me:telnet       ESTABLISHED
zersh
0

Try the next script:

LOCAL_IP="src_ip"     # your server's own IP address
TARGET_IP="..."       # the remote host seen in tcpdump

while read -r x; do

  # take the packet's source field (e.g. 10.0.0.5.50356) and strip the local IP to leave the port
  port=$( echo "$x" | grep "IP ${LOCAL_IP}" | awk '{print $3}' | sed "s/${LOCAL_IP}.//" )

  if [ -n "${port}" ]; then
    lsof -Pni :"${port}"    # which process owns that local port
  fi

done <<< "$( tcpdump -nn -c1 host "${TARGET_IP}" )"

PS: In my case it only worked in the background. It hung in the process list for more than 10 hours looking for the source of the problem:

while read -r x; do port=$(echo "$x" | grep "IP ${LOCAL_IP}" | awk '{print $3}' | sed "s/${LOCAL_IP}.//"); if [ -n "${port}" ]; then lsof -Pni :"${port}"; fi; done <<< "$( tcpdump -nn -c2 host "${TARGET_IP}" )" >> /tmp/result &
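As an added example, not taken from any of the answers above: the same tcpdump-to-process mapping that the question asks for and the script above attempts, but handling both packet directions (the local IP as source or as destination) and querying ss with a socket filter instead of grepping. It assumes tcpdump -nn style output (numeric addresses and ports) and a Linux host with iproute2's ss; the sample line is constructed from the comment in the thread, not a live capture.

```shell
#!/bin/sh
# local_port_from_tcpdump LOCAL_IP LINE
# Prints the local port from one "tcpdump -nn" line such as
#   14:46:36.702758 IP 10.64.13.205.50356 > 64.15.129.80.80: Flags [S], ...
# whichever side LOCAL_IP is on. Prints nothing if the line does not
# involve LOCAL_IP or carries no port (e.g. ICMP).
local_port_from_tcpdump() {
  local_ip=$1
  line=$2
  set -- $line              # split into fields: time, "IP", src.port, ">", dst.port:
  src=$3
  dst=${5%:}                # strip the trailing colon from "e.f.g.h.PORT:"
  case $src in
    "$local_ip".*) echo "${src##*.}" ;;
    *) case $dst in
         "$local_ip".*) echo "${dst##*.}" ;;
       esac ;;
  esac
}

# process_for_local_port PORT
# Asks ss for every TCP/UDP socket bound to that local port and the process
# owning it (-p needs root to show other users' processes).
process_for_local_port() {
  ss -tunap "sport = :$1"
}

# Constructed sample line (the SYN from the question's comment), not a capture.
SAMPLE='14:46:36.702758 IP 10.64.13.205.50356 > 64.15.129.80.80: Flags [S], seq 1677599293, win 29200, length 0'

# Live mode: ./script --live LOCAL_IP TARGET_HOST  (assumed invocation, run as root)
if [ "${1:-}" = "--live" ]; then
  LOCAL_IP=$2
  TARGET=$3
  tcpdump -nn -l -c 5 host "$TARGET" 2>/dev/null | while read -r l; do
    p=$(local_port_from_tcpdump "$LOCAL_IP" "$l")
    [ -n "$p" ] && process_for_local_port "$p"
  done
fi
```

Because the SYN's source port is ephemeral, the ss lookup has to happen while the connection is still open; for short-lived connections, raise -c or loop tcpdump in the background as the last answer does.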