Network usage of a process in linux - linux

I would like to record the total number of bytes transferred over the network by different versions of VNC. My plan is to start the VNC viewer, run a script remotely that performs some actions and displays some graphics and then disconnects.
How can you record the total network usage of just this one process in linux? I don't want to measure anything else that is happening on the system.

You could run the different versions of the VNC viewers on different port numbers and then record all traffic to those ports with a tool such as tcpdump.
There may be some way of recording traffic per process, but doing it by port is much more obvious and simple.
Crude example using perl to add up/filter:
sudo tcpdump -li eth1 ' port 5900'|perl -ne 'print $c,"\n"; $c+=$1 if (/length (\d+)/);'

You should try the iftop Linux command.
$ sudo iftop -i eth0 -P
server.example.com:ssh => client.example.com:51365 1.73kb 2.72kb 2.72kb
A more elegant way, using filters:
$ sudo iftop -i eth0 -f "dst port 22"

Related

What are the differences between lsof and netstat on linux?

I encountered a problem today:
When I started the HDP docker container, an error occurred:
listen tcp 0.0.0.0:8086: bind: address already in use
According to the error message, I know that port 8086 was already in use, so I tried some commands to determine which program was using port 8086.
lsof -i:8086
lsof -i tcp:8086
lsof | grep 8086
But all of the commands above produced no output!
I felt really confused about that. After some searching on Google, I tried another command:
netstat -pna | grep 8086
I got correct output from this command.
I know some differences between lsof and netstat, but I really do not know why I cannot get any output from lsof -i:8086?
Here are some differences between the two commands that I found on Google:
netstat (net statistic) is connection based; it shows NW connections (udp/tcp ports), routing tables, interface, multi-cast membership, etc.
lsof (list of open files) is application based; this is kind of like netstat + ps, there you can see all accessed ports, NW connections, etc.
But lsof includes stuff like my local emacs window terminal session (tty dev/pts/n), which is not part of netstat.
I faced a similar issue today. The solution was to run the lsof command with sudo privileges.
sudo lsof -i:8086
should print the desired output.
LSOF: List of Open Files. It lists all the open files belonging to all active processes.
Examples:
sudo lsof -n -i
sudo lsof -n -i4
sudo lsof -n -i :80
-n inhibits the conversion of network numbers to host names for network files. Inhibiting conversion may make lsof run faster. It is also useful when host lookup is not working properly.
-i selects the listing of files any of whose Internet address matches the address specified in i. If no address is specified, this option selects the listing of all Internet and x.25 (HP-UX) network files. If -i4 or -i6 is specified with no following address, only files of the indicated IP version, IPv4 or IPv6, are displayed.
NETSTAT: It is a tool to get the network statistics. By default, netstat displays a list of open sockets. If you don't specify any address families, then the active sockets of all configured address families will be printed.
Displays the kernel routing tables:
netstat -r
Display all listening and established connection for both TCP and UDP with PID data:
netstat -plunt
Additionally, you have another command-line tool to use, which is SS.
SS: It is used to dump socket statistics. It allows showing information similar to netstat. It can display more TCP and state information than other tools.
-plunt gives data for the TCP and UDP connections which are established and listening with process information:
sudo ss -plunt
You should be root to get proper answers to your lsof questions. Your command is fine, assuming something really is listening on that port.
As you already mentioned, lsof is a very useful command which is used to list files opened by a specific process, while netstat is a tool for monitoring network connections.
You should be able to find the PID of the process listening on port 8086 with netstat:
netstat -tunlp |grep :8086
and then use lsof to list the files used by the process:
lsof -p PID
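Why netstat still showed the socket while an unprivileged lsof printed nothing, as an added example (not code from any of the answers above): the socket table in /proc/net/tcp is world-readable, but mapping a socket inode to a process means reading /proc/<pid>/fd, which is denied for other users' processes. The sample table and its inode numbers are constructed, and the function names are assumptions of this sketch.

```python
import os

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
# Split on whitespace: [1] local addr:port in hex, [3] state (0A = LISTEN),
# [7] owning uid, [9] socket inode. 0x1F96 is port 8086.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F96 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 41234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 51515 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F96 0100007F:C8A5 01 00000000:00000000 00:00000000 00000000     0        0 41299 1 0000000000000000 20 4 30 10 -1
"""

def listeners(table, port):
    """Return [(uid, inode)] for sockets in LISTEN state on `port`."""
    found = []
    for line in table.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) >= 10 and f[3] == "0A" and int(f[1].rsplit(":", 1)[1], 16) == port:
            found.append((int(f[7]), int(f[9])))
    return found

def owners(inode, proc="/proc"):
    """Resolve a socket inode to PIDs via the /proc/<pid>/fd symlinks.

    Returns (pids, denied); `denied` counts processes whose fd directory
    was unreadable, which is what an unprivileged lsof runs into.
    """
    target, pids, denied = "socket:[%d]" % inode, [], 0
    for entry in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, entry, "fd")
        try:
            for fd in os.listdir(fd_dir):
                try:
                    if os.readlink(os.path.join(fd_dir, fd)) == target:
                        pids.append(int(entry))
                        break
                except OSError:
                    pass                         # descriptor closed mid-scan
        except PermissionError:
            denied += 1                          # another user's process
        except OSError:
            pass                                 # process exited mid-scan
    return pids, denied

if __name__ == "__main__":
    # On a live host, pass open("/proc/net/tcp").read() instead of SAMPLE.
    for uid, inode in listeners(SAMPLE, 8086):
        print("uid", uid, "inode", inode, "owners", owners(inode))
```

A listener owned by uid 0 with a non-zero `denied` count and an empty PID list is the signature of the situation in the question: the socket exists, but the caller lacks the privilege to see who holds it.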

auditing opened/closed ports on Linux

Is there an auditing tool to check which and when ports are opened and closed on Linux?
My goal is to run my application and check its ports usage.
lsof or netstat don't fit because they just tell me which ports are currently opened, and looping on such command won't give me accurate results...
strace -f -e trace=bind mvn install
strace will display the bind system call each time my application and the child processes open a port.
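To turn that strace output into a "which port, when, by which PID" audit record, here is an added example (not part of the original answer). It assumes strace was run with the extra `-tt` option for timestamps and `-o <file>` to save the trace, neither of which appears in the command above; the sample trace lines are constructed.

```python
import re

# Constructed sample of `strace -f -tt -e trace=bind` output (not from a real run).
SAMPLE = '''\
[pid  4021] 10:15:02.118733 bind(5, {sa_family=AF_INET, sin_port=htons(8086), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
[pid  4021] 10:15:02.120110 bind(6, {sa_family=AF_UNIX, sun_path="/tmp/app.sock"}, 16) = 0
[pid  4033] 10:15:04.507915 bind(7, {sa_family=AF_INET6, sin6_port=htons(9000), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::", &sin6_addr), sin6_scope_id=0}, 28) = 0
[pid  4040] 10:15:09.001204 bind(5, {sa_family=AF_INET, sin_port=htons(8086), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EADDRINUSE (Address already in use)
'''

# The [pid N] prefix is optional: strace omits it while only one process is traced.
BIND = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?(?P<time>\d\d:\d\d:\d\d\.\d+)\s+bind\(\d+, '
    r'\{sa_family=(?P<fam>AF_INET6?), sin6?_port=htons\((?P<port>\d+)\)'
    r'.*\)\s+=\s+(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z]+))?'
)


def bind_events(trace):
    """Return one dict per IPv4/IPv6 bind() call found in the trace text."""
    events = []
    for line in trace.splitlines():
        m = BIND.match(line)
        if not m:
            continue  # AF_UNIX and other non-IP binds carry no port
        events.append({
            "pid": int(m["pid"]) if m["pid"] else None,
            "time": m["time"],
            "family": m["fam"],
            # Port 0 means the kernel picks an ephemeral port; the number
            # actually assigned is not visible in the bind() call itself.
            "port": int(m["port"]),
            "ok": m["ret"] == "0",
            "errno": m["errno"],
        })
    return events


if __name__ == "__main__":
    for e in bind_events(SAMPLE):
        print(e)
```

Failed binds are kept in the result because an `EADDRINUSE` entry shows which process lost the race for a port and when.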

Writing a linux script for tcpdump for stopping and running again but save the info in another file

I am new to writing scripts and not sure whether I am correct in writing such a script for tcpdump to collect pcap info.
tcpdump -s 0 port ftp or ssh or http or https -i eth0 -w mycap.pcap
#run the tcpdump and store all the info in mycap.pcap
sudo kill -2 #for exit purpose
This enables me to run tcpdump, which is good. However, I wish to stop it automatically via the same script (because mycap.pcap reaches the maximum capacity of 3GB per file) and run it again, but this time storing the output in another file (e.g. mycap1.pcap).
Then the cycle repeats until I stop the process by pressing Ctrl+C.
Can this be done?
You don't need to write a script for that.
tcpdump -C <filesize> -s 0 port ftp or ssh or http or https -i eth0 -w mycap.pcap
Have a look at the man-page for tcpdump.

How can I find available but unoccupied ports on a Linux box?

Specifically RHEL 6.5
It's a Dev box and we have certain port ranges we are permitted for development use.
...unfortunately, getting a tech's attention to find out what ports are available is like pulling teeth. Would prefer a script or alias that does this so that we don't have to ask all the time. Clues? Is this an iptables command or is it a netstat command or some weird combo? nmap is not available on this machine.
Please don't say this is a Server Fault question. They say it's a programming question. :-|
Definitely a SF question but here we go. From the dev box itself (command line) you should be able to see what ports are in use with the netstat tool.
To see the list of listening ports both UDP and TCP, complete with the program names:
# preferably as root
netstat --listening --program --numeric-ports --protocol=ip -6 -4
From another machine, you can use nmap or a similar tool to see what ports are open/listening by scanning the IP address assigned to the dev box. Before trying this, maybe you should ask for permission. Also, you should consider that the box in question might have firewall rules in place that can thwart your scanning attempts.
To see what firewall rules are in place in the dev box try:
# as root
iptables -nvxL -t filter
# maybe there are NAT rules, redirects to other addresses, etc.
iptables -nvxL -t nat
To see what these iptables options do, try man iptables.
As an example, assuming 172.16.0.1 is the IP address assigned to the dev box, to run nmap in the simplest way possible:
# preferably as root
nmap -v 172.16.0.1
In a few minutes you should see a list of ports/services listening in that relevant box.
Try man nmap and read the documentation for more details.
If you really think this is a programming issue, you can use the netcat tool and program a simple script to do something roughly equivalent to what nmap does.
#!/bin/bash
#
# DISCLAIMER: NOT TESTED -- just an example
# NOTE: This will take many DAYS to complete
HOST=172.16.0.1
for port in $(seq 1 65535)
do
    echo "Trying ${port}..."
    netcat -vvv "${HOST}" "${port}" -w 1 -z
done
For every open TCP port you should see a line similar to this:
Connection to 172.16.0.1 23 port [tcp/telnet] succeeded!
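For the original question (which ports in a permitted range are unoccupied, checked from the dev box itself without nmap), here is an added example that is not part of the answer above. It tests each port by attempting a local bind; the range in the `__main__` block and the function names are assumptions.

```python
import errno
import socket


def port_is_free(port, kind=socket.SOCK_STREAM):
    """True if a wildcard IPv4 bind to `port` succeeds for this socket type.

    No SO_REUSEADDR is set, so any existing listener (on any local address)
    makes the bind fail with EADDRINUSE. Ports below 1024 report as not
    free for unprivileged users (EACCES). IPv6-only listeners are not
    detected by this IPv4 check.
    """
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind(("0.0.0.0", port))
            return True
        except OSError as e:
            if e.errno in (errno.EADDRINUSE, errno.EACCES):
                return False
            raise


def free_ports(lo, hi):
    """Ports in [lo, hi] that are free for both TCP and UDP right now."""
    return [p for p in range(lo, hi + 1)
            if port_is_free(p, socket.SOCK_STREAM)
            and port_is_free(p, socket.SOCK_DGRAM)]


if __name__ == "__main__":
    # Hypothetical permitted development range; substitute your own.
    print(free_ports(8000, 8100))
```

The result is a snapshot: another process can claim a port between this check and your own bind, so the application should still handle `EADDRINUSE`.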

Linux; How do I find logs if a program I'm running uses certain ports?

I am running CentOS 5 with csf firewall. I'm running a program that can't connect to another server (using some port that is blocked by csf I presume). Where is the log file for 'ports'?
Netstat is the command to use to get ports and network activity. To diagnose server processes I usually use:
netstat -tln
This yields port numbers in tcp mode listening. To identify associated processes you can also use -p to grab the pid. Here is the IANA ports list.
I found my answer right after searching a few more threads.
# tail -f /var/log/messages
Shows the UDP message but not the port.... Hmm....
