Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
0 votes · 1 answer · 186 views
Hundreds of strange connections in iftop
OS is Debian. I'm running nginx as a webserver. I am not running Wordpress. Logging is enabled in the http block with:
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
Seeing hundreds of connections in iftop from my webserver at port 443 to 191-242.x.x.alivenet.com.br, for a few hundred different ips.
The strange things are:
* None of the IP addresses listed by iftop show up in my nginx logs, which I have been retaining since server creation.
* These connections show up in iftop even if nginx isn't running. How is that possible? I tried stopping nginx, then confirmed with netstat that nothing is listening on ports 80 or 443, but I still see hundreds of these connections listed in iftop. How can iftop show these connections if nothing is listening on those ports? I even tried disabling nginx and then rebooting my server, but they still show up.
* `lsof -a -i4 -i6 -itcp` doesn't show any of these connections somehow.
* In nethogs, I see a line: `? root :443-191.242.x.x:`. Running as root? Question mark for the pid? This seems absolutely crazy to me. Does this mean there is some process running on my system that somehow isn't assigned a pid, running as root, somehow listening on port 443 despite nginx supposedly currently using that port, that's sending traffic to one of these Brazilian IPs?
What exactly is going on here? Do I need to be concerned? Has my server been hacked? What else should I check to confirm the server is ok? Do I need to block these IPs via iptables? How do I separate hack attempts from legitimate web server traffic? (i.e., someone in Brazil is trying to visit my website) How can nethogs not show a pid? How can iftop show connections on ports that aren't listening? How can these connections not show up in the nginx logs?
cat pants
(167 rep)
Dec 29, 2024, 12:27 AM
• Last activity: Jan 10, 2025, 02:46 AM
3 votes · 1 answer · 2645 views
How print ip with iftop sorted by bandwidth usage
How I can print the list of IP addresses from `iftop` output sorted by bandwidth usage?
Riki
(33 rep)
Jan 20, 2017, 10:05 AM
• Last activity: Sep 29, 2024, 08:05 PM
3 votes · 1 answer · 1316 views
How can I have more than 10 entries in the iftop text output?
I want to monitor the network traffic and save the results to a file under Debian Linux. I am using `iftop` to achieve this.
The following command does the job:
iftop -tnNBP -s 3600 -o destination > output.txt 2>&1
My problem is: if more than 10 connections are present during the monitoring time (1 hour), only the first 10 are saved to the output.txt file. The rest of the connections are not shown.
How can I configure iftop to display all of the connections (regardless of how many there are/were)?
A.V.
(65 rep)
May 4, 2020, 06:49 PM
• Last activity: May 4, 2020, 07:53 PM
0 votes · 1 answer · 549 views
Capture bandwidth usage from remote machine across time
I would like to capture the bandwidth usage to and from one specific remote machine across time on my system. The `iftop` command is definitely one option, which gives the network usage and has filtering, but I need to parse the text output to get the incoming bandwidth usage and outgoing bandwidth usage.
sudo iftop -t -s 2 -f "src host "
My current plan is to run the above command in a loop, parse the text output each time and append to a csv file (current_time, transmitted, received).
Is there a better alternative?
Akheel K M
(11 rep)
Aug 30, 2019, 02:15 PM
• Last activity: Sep 12, 2019, 08:52 AM
0 votes · 1 answer · 760 views
iftop and traffic on blocked port
I'm analyzing the network traffic with iftop and I'm puzzled by this output:
188.25.15.139:11596 => 104.31.112.90:8880 130KB 32KB 19KB
<= 162KB 51KB 30KB
My ip is 188.25.15.139.
The traffic from 104.31.112.90:8880 I would explain as packets sent to me - those could be as much as the other wants to send (is my explanation correct?)
My problem is with the traffic from me (188.25.15.139:11596); I have UFW which blocks 11596 (also 8880 if that matters) so I see no reason to have such a large traffic "from me" on port 11596.
Also I have no process listening on 11596 or 8880; I checked this with:
sudo ss -lptn 'sport = :11596'
sudo ss -lptn 'sport = :8880'
Main question: how could one explain the traffic "from me"?
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.4 LTS
Release: 16.04
Codename: xenial
uname -a
Linux gigi-desktop 4.13.0-37-generic #42~16.04.1-Ubuntu SMP Wed Mar 7 16:03:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
**EDIT**
iftop -f "not dst port 443 and not src port 443 and not dst port 80 and not src port 80 and not dst port 53 and not src port 53 and not dst port 123 and not src port 123"
sudo ufw status numbered
Status: active
To Action From
-- ------ ----
22 LIMIT IN Anywhere
80 ALLOW IN Anywhere
443 ALLOW IN Anywhere
Adrian
(773 rep)
Apr 1, 2018, 07:58 PM
• Last activity: Apr 4, 2018, 01:39 PM
0 votes · 3 answers · 3145 views
Awk Command - combine two commands
Slowly muddling my way through learning how to manipulate variables for a bash script I'm writing. I'm trying to use AWK (tried Grep but not granular enough I don't think) to pull the source and dest from iftop.
The base iftop command I'm using is:
sudo iftop -t -L1 -s1 -f "dst host 10.0.0"
I can switch the dst to src to get the reverse. So the sample output from the command above is:
interface: eth0
IP address is: 10.0.0.104
MAC address is: b8:27:eb:6a:26:84
Listening on eth0
# Host name (port/service if enabled) last 2s last 10s last 40s cumulative
--------------------------------------------------------------------------------------------
   1 10.0.0.255                               =>        0b        0b        0b        0B
     10.0.0.15                                <=
sudo iftop -t -L1 -s1 -f "dst host 10.0.0" 2> /dev/null | awk '/^ 1 / {print $2}'
That gives me the first IP or domain, but I now need the 2nd line down. I tried using something like:
sudo iftop -t -L1 -s1 -f "dst host 10.0.0" 2> /dev/null | awk '/^ 1 /{c=2} c&&c-- {print $2}'
This almost works, but because of the white spacing on the 2nd line, AWK counts what is column 2 in the first line as column 1 in the second, so the output I get is:
10.0.0.255
<=
I feel like I'm close but I can't work out how to use a single AWK command to spit out the right two numbers.
I can't easily run a second pattern compare for the 2nd number as the white space before the IP or domain isn't enough to go on I don't think, so ideally I want to match on the first, then move to the next line but choose column 1 rather than column 2.
I also want to avoid running a second iftop command as the results may be different to the first.
I then need to know how to convert those to variables for a bash script rather than print them to screen.
Any ideas?
Matthew Hodder
(3 rep)
Mar 6, 2018, 11:39 AM
• Last activity: Mar 7, 2018, 09:53 AM
1 vote · 2 answers · 4549 views
Using awk and grep for iftop results
I wanted to monitor my server network send and receive rate using iftop. This is what works for me:
iftop -t -s 1 -n -N | grep 'Total send and receive rate: ' | awk '{print $8}'
Mac address and Ips are included in the result, something like this:
interface: eth0
IP address is: 192.254.78.90
MAC address is: 00:26:9e:b5:81:de
14.7Mb
I only need the last line. So I created a script:
iftop -t -s 1 -n -N >> result.txt
cat result.txt | grep 'Total send and receive rate: ' | awk '{print $8}'
When I use this in command line it works fine and give me only the last line which is "14.7Mb" while using it as a .sh script still includes the MAC address and Ip.
Any idea how I can resolve this? I think there should be a better solution using sed?
Amin
(151 rep)
Nov 17, 2015, 07:35 AM
• Last activity: Feb 12, 2018, 11:57 AM
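Five of the questions above want the same thing from `iftop -t`: Riki wants hosts sorted by bandwidth, A.V. wants more than 10 rows, Akheel K M wants one remote host logged to CSV over time, Matthew Hodder wants the two hosts of a pair without the `<=` row shifting awk's columns, and Amin wants the `Total send and receive rate` line. Text mode prints each host pair as two lines: the first carries the row number, the local host, `=>` and the four sent columns (2s, 10s, 40s, cumulative); the indented second line carries the remote host, `<=` and the four received columns. The parser below is an added example, not code from any of the posts or from iftop itself. SAMPLE is constructed to match that layout (hosts and rates are made up), and the example assumes iftop's K/M/G prefixes are binary (1024). Lines that are not a host pair or the total line (the interface/IP/MAC header, separators, peak and cumulative rows) are ignored, so it does not matter whether they reach the pipe. The row cap A.V. hit is iftop's `-L num` option, the one Matthew Hodder already passes as `-L1`; pass a large value to get every connection.

```python
"""Parse `iftop -t` text output into per-host rows, sort them, emit CSV.

Added example.  SAMPLE below is constructed to match iftop's text-mode
layout; the hosts and rates in it are made up.  Assumes binary prefixes.
"""
import csv
import io
import re
import sys

SAMPLE = """\
interface: eth0
IP address is: 10.0.0.104
MAC address is: 00:11:22:33:44:55
Listening on eth0
   # Host name (port/service if enabled)            last 2s   last 10s   last 40s cumulative
--------------------------------------------------------------------------------------------
   1 10.0.0.104:443                           =>     1.20Mb     980Kb     760Kb    3.80MB
     203.0.113.7:51544                        <=     64.0Kb    52.0Kb    40.0Kb     200KB
   2 10.0.0.104:22                            =>     4.22Kb    4.12Kb    4.13Kb    20.6KB
     198.51.100.9:50031                       <=     2.00Kb    1.90Kb    1.88Kb    9.40KB
   3 10.0.0.104:51600                         =>       512b      498b      500b    2.50KB
     192.0.2.25:8880                          <=     3.00Mb    2.80Mb    2.60Mb    13.0MB
--------------------------------------------------------------------------------------------
Total send rate:                                     1.21Mb     984Kb     764Kb
Total receive rate:                                  3.07Mb    2.85Mb    2.64Mb
Total send and receive rate:                         4.28Mb    3.83Mb    3.40Mb
--------------------------------------------------------------------------------------------
Peak rate (sent/received/total):                     1.21Mb    3.07Mb    4.28Mb
Cumulative (sent/received/total):                    3.82MB    13.2MB    17.0MB
============================================================================================
"""

# First line of a pair: row number, local host, '=>', four sent columns.
SENT = re.compile(r"^\s*\d+\s+(\S+)\s+=>\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# Second line of a pair: indented remote host, '<=', four received columns.
RECV = re.compile(r"^\s+(\S+)\s+<=\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
TOTAL = re.compile(r"^Total send and receive rate:\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
QTY = re.compile(r"^(\d+(?:\.\d+)?)([KMG]?)[bB]$")
SCALE = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}  # assumed binary prefixes


def quantity(text):
    """'4.22Kb' -> 4321.28 (bits/s); '3.80MB' -> bytes (the unit letter is dropped)."""
    m = QTY.match(text)
    if not m:
        raise ValueError(f"not an iftop quantity: {text!r}")
    return float(m.group(1)) * SCALE[m.group(2)]


def parse(text):
    """Return one dict per host pair: local, remote, sent[4], recv[4]."""
    rows, pending = [], None
    for line in text.splitlines():
        m = SENT.match(line)
        if m:
            pending = {"local": m.group(1), "sent": [quantity(v) for v in m.groups()[1:]]}
            continue
        m = RECV.match(line)
        if m and pending:  # only accept a '<=' line that follows a '=>' line
            pending["remote"] = m.group(1)
            pending["recv"] = [quantity(v) for v in m.groups()[1:]]
            rows.append(pending)
            pending = None
    return rows


def total_rate(text):
    """The three 'Total send and receive rate' columns (2s, 10s, 40s) in bits/s."""
    for line in text.splitlines():
        m = TOTAL.match(line)
        if m:
            return tuple(quantity(v) for v in m.groups())
    return None


def sorted_by_bandwidth(rows, window=2):
    """Sort pairs by sent+received in one column: 0=2s, 1=10s, 2=40s, 3=cumulative."""
    return sorted(rows, key=lambda r: r["sent"][window] + r["recv"][window], reverse=True)


def to_csv(rows, window=2):
    """CSV with one line per remote host: remote,sent,received (whole bits/s)."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["remote", "sent", "received"])
    for r in sorted_by_bandwidth(rows, window):
        w.writerow([r["remote"], int(r["sent"][window]), int(r["recv"][window])])
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: sudo iftop -t -n -N -s 2 -L 1000 2>/dev/null | python3 iftop_parse.py
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(to_csv(parse(data)), end="")
    print("total (2s/10s/40s):", total_rate(data))
```

To log one remote host over time as Akheel K M planned, run `iftop -t -s 2 -f "host <remote>"` in a loop and append `to_csv(parse(output))` with a timestamp; to reproduce Amin's `awk '{print $8}'`, `total_rate(output)[2]` is the 40s column.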
2 votes · 1 answer · 241 views
Permanent connection to a chinese ip
My Ubuntu server had recently problems with a bruteforce attack. So I installed `fail2ban` and I think the problem is gone. But when I check `iftop` I see a Chinese IP permanently connecting.
iftop
12.5Kb 25.0Kb 37.5Kb 50.0Kb 62.5Kb
mqqqqqqqqqqqqqqqvqqqqqqqqqqqqqqqvqqqqqqqqqqqqqqqvqqqqqqqqqqqqqqqvqqqqqqqqqqqqqqq
Ubuntu-1510-wily-64-minim => 218.201.37.134 4.22Kb 4.12Kb 4.13Kb
194.97.114.3:2010
ts3server 898 root 39u IPv4 17862 0t0 UDP *:9987
ts3server 898 root 40u IPv6 17863 0t0 UDP *:9987
ts3server 898 root 45u IPv4 17867 0t0 TCP *:10011 (LISTEN)
ts3server 898 root 46u IPv6 17868 0t0 TCP *:10011 (LISTEN)
java 1050 root 46u IPv6 20495 0t0 TCP *:25565 (LISTEN)
sshd 1220 root 3u IPv4 21663 0t0 TCP *:1022 (LISTEN)
sshd 1220 root 4u IPv6 21665 0t0 TCP *:1022 (LISTEN)
sshd 4347 root 3u IPv4 55148 0t0 TCP myip:ssh->mysship:50031 (ESTABLISHED)
There are no logins (checked via last) that are not from me.
user207680
(21 rep)
Dec 29, 2016, 05:56 AM
• Last activity: Dec 29, 2016, 03:13 PM
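Three of the posts above are the same question from different angles: cat pants sees flows on port 443 in iftop and a `?` PID in nethogs with nothing listening; Adrian sees large traffic "from" local port 11596 that `ss -l` does not list; user207680 wants to know which process, if any, is behind a persistent remote IP. The thing to keep in mind is that iftop and nethogs are packet sniffers (libpcap): they report every packet that reaches the interface, not every socket a process owns. A SYN to a TCP port with no listener is answered by the kernel with a RST, so there is traffic "from" port 443 with no process and no PID behind it, which nethogs shows as `?`; nothing about that flow ever reaches nginx, so nothing is written to access.log. An outbound connection uses an ephemeral local port (11596 in Adrian's case) that never shows up in `ss -l`, which lists only listening sockets, and its return traffic is accepted by the ESTABLISHED,RELATED rule that ufw installs regardless of any per-port rule; `ss -tanp` shows it with its owning process. The script below is an added example, not code from any of the posts: it joins a constructed `ss -tanp` snapshot with constructed `tcpdump -nn tcp` lines for the same interval and puts each sniffed flow into one of four buckets. LOCAL_IP, the addresses, process names and PIDs are all made up. Real tcpdump output has a longer timestamp and the `ss` column widths differ by version; the regexes only depend on the field order.

```python
"""Match sniffed packets (what iftop/nethogs see) against the socket table.

Added example.  SS_OUTPUT and TCPDUMP_OUTPUT are constructed; LOCAL_IP is
an assumed address of the monitored host.  Verdicts:
  established           a socket owns the flow; `ss -tanp` names the process
  listening-no-session  handshake against a listener, no session/request yet
  kernel-rst            no socket; every local packet is a RST from the kernel
  no-socket             no socket and not RST-only (e.g. stale or mid-capture)
"""
import re
from collections import defaultdict

LOCAL_IP = "198.51.100.10"  # assumed: address of the host being monitored

# Constructed `ss -tanp` snapshot taken with nginx stopped (nothing on 443).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*           users:(("sshd",pid=1220,fd=3))
ESTAB  0      0      198.51.100.10:22     203.0.113.7:50031   users:(("sshd",pid=4347,fd=3))
ESTAB  0      0      198.51.100.10:11596  192.0.2.25:8880     users:(("curl",pid=5120,fd=5))
"""

# Constructed `tcpdump -nn tcp` lines covering the same interval.
TCPDUMP_OUTPUT = """\
00:27:01.100 IP 191.242.0.5.40001 > 198.51.100.10.443: Flags [S], seq 1, win 65535, length 0
00:27:01.101 IP 198.51.100.10.443 > 191.242.0.5.40001: Flags [R.], seq 0, ack 2, win 0, length 0
00:27:02.000 IP 203.0.113.7.50031 > 198.51.100.10.22: Flags [P.], seq 1:100, ack 1, win 501, length 99
00:27:02.050 IP 198.51.100.10.22 > 203.0.113.7.50031: Flags [P.], seq 1:60, ack 100, win 501, length 59
00:27:03.000 IP 192.0.2.25.8880 > 198.51.100.10.11596: Flags [P.], seq 1:1400, ack 1, win 501, length 1399
00:27:03.010 IP 198.51.100.10.11596 > 192.0.2.25.8880: Flags [.], ack 1400, win 1000, length 0
00:27:04.000 IP 198.18.0.4.40002 > 198.51.100.10.22: Flags [S], seq 1, win 65535, length 0
00:27:04.001 IP 198.51.100.10.22 > 198.18.0.4.40002: Flags [S.], seq 0, ack 2, win 65160, length 0
"""

SS_LINE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(.*))?$")
PROC = re.compile(r'"([^"]+)",pid=(\d+)')
PKT = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): "
                 r"Flags \[([^\]]*)\].*length (\d+)")


def parse_sockets(ss_text):
    """Return (set of listening ports, {(local_port, peer_ip, peer_port): 'proc[pid]'})."""
    listening, established = set(), {}
    for line in ss_text.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:  # header line and anything unparsable
            continue
        state, lport, peer_ip, pport, proc_col = m.group(1), m.group(3), m.group(4), m.group(5), m.group(6) or ""
        pm = PROC.search(proc_col)
        proc = f"{pm.group(1)}[{pm.group(2)}]" if pm else "?"
        if state == "LISTEN":
            listening.add(int(lport))
        elif state == "ESTAB":
            established[(int(lport), peer_ip, int(pport))] = proc
    return listening, established


def parse_flows(tcpdump_text, local_ip):
    """Group packets into flows keyed by (remote_ip, remote_port, local_port)."""
    flows = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0, "out_flags": []})
    for line in tcpdump_text.splitlines():
        m = PKT.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags, length = m.groups()
        if src == local_ip:  # packet we sent: record its TCP flags
            key = (dst, int(dport), int(sport))
            flows[key]["bytes_out"] += int(length)
            flows[key]["out_flags"].append(flags)
        elif dst == local_ip:
            key = (src, int(sport), int(dport))
            flows[key]["bytes_in"] += int(length)
    return flows


def classify(ss_text, tcpdump_text, local_ip=LOCAL_IP):
    """Attach a verdict and owning process (or '?') to each sniffed flow."""
    listening, established = parse_sockets(ss_text)
    result = {}
    for key, f in parse_flows(tcpdump_text, local_ip).items():
        remote_ip, remote_port, local_port = key
        proc = established.get((local_port, remote_ip, remote_port))
        if proc:
            verdict = "established"
        elif local_port in listening:
            verdict = "listening-no-session"
        elif f["out_flags"] and all("R" in fl for fl in f["out_flags"]):
            verdict = "kernel-rst"
        else:
            verdict = "no-socket"
        result[key] = {"verdict": verdict, "process": proc or "?", **f}
    return result


if __name__ == "__main__":
    for (rip, rport, lport), info in sorted(classify(SS_OUTPUT, TCPDUMP_OUTPUT).items()):
        print(f"{rip}:{rport} -> :{lport:<5} {info['verdict']:<21} "
              f"{info['process']:<11} in={info['bytes_in']} out={info['bytes_out']}")
```

In the sample, the flow from 191.242.0.5 to port 443 lands in `kernel-rst`: that is the shape cat pants describes (iftop rows, `?` in nethogs, nothing in access.log, nothing listening), and it is produced by unsolicited SYNs rather than by a local process. The 11596/8880 flow is `established` and owned by a local client, which is why `ss -l` shows nothing on 11596. Whether a host is compromised is decided from the socket table and the owning processes, not from what iftop shows; if a flow you cannot explain comes back `established` with an unexpected process, that is the one to investigate.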
1 vote · 0 answers · 917 views
/proc/net/dev is giving wrong traffic info
I have an applet which reads /proc/net/dev and displays network up/download speed. A few days back it started showing weird things. Like, even when I'm not on the internet, the download speed stays around 52-54 kbps, while normally it tends to stay below 10 kbps. Sometimes it keeps jumping between 1...
I have an applet which reads /proc/net/dev and displays network up/download speed. A few days back it started showing weird things. Like, even when I'm not on the internet, the download speed stays around 52-54 kbps, while normally it tends to stay below 10 kbps. Sometimes it keeps jumping between 10kbps to 400kbps(when the system is idle). I checked the file and it was indeed showing unusual behaviour. The applet is all fine. iftop shows traffic as I expected it to be. What could be the reason? I guess the dev file provides a more basic interface to the hardware. So can it be the case that my pc is under some sort of attack?
saga
(1411 rep)
Nov 5, 2016, 07:49 PM
0 votes · 1 answer · 231 views
monitor the network traffic into a specific directory
I'm aware that `iftop` monitors the network traffic on the current host, but is there a program that monitors the network traffic to a specified directory on the filesystem?
category
(295 rep)
Oct 2, 2016, 03:57 PM
• Last activity: Oct 2, 2016, 04:32 PM
1 vote · 2 answers · 647 views
How can I scroll down in iftop?
I installed `iftop` on my Linux Mint Rafaela Cinnamon. It frustrates me how iftop does not give an option to scroll down to see more network activity, limiting me to very little activity to be able to view. How can I see the rest of the network activity?
Rohan
(3711 rep)
Jan 4, 2016, 07:21 AM
• Last activity: Feb 5, 2016, 10:24 PM
1 vote · 1 answer · 844 views
iftop, outgoing https to Amazon
When I run `iftop -P` to see what is coming to/from my interface, I constantly see connections to Amazon, HTTPS protocol:
=> ec2-176-34-135-167.eu-west-1.compute.amazonaws.com:https
ec2-52-22-162-249.compute-1.amazonaws.com:https
216.58.209.78:443 (ESTABLISHED)
iceweasel 8596 user 47u IPv4 90186 0t0 TCP 192.168.0.15:51544->52.25.142.225:443 (ESTABLISHED)
iceweasel 8596 user 53u IPv4 86275 0t0 TCP 192.168.0.15:42090->52.32.59.229:443 (ESTABLISHED)
iceweasel 8596 user 55u IPv4 90184 0t0 TCP 192.168.0.15:50570->52.11.148.42:443 (ESTABLISHED)
iceweasel 8596 user 56u IPv4 87223 0t0 TCP 192.168.0.15:44370->54.187.136.191:443 (ESTABLISHED)
Hmm, there is Google too, maybe those are search engines updates?
NO. I disabled search engines autoupdates and restarted the browser. I also disabled Firefox (Iceweasel) Sync service, didn't help (I thought that maybe they store my data in Amazon cloud).
Kamil
(1501 rep)
Dec 23, 2015, 10:31 PM
• Last activity: Dec 24, 2015, 01:00 AM
1 vote · 0 answers · 515 views
How can I monitor iptables classification applied by OpenWRT QoS, preferably live?
I set up a bunch of quality of service rules in OpenWRT, which then are translated to iptables rules. For debugging purposes, I'd love to see how the different connections are binned, which would be very helpful for understanding my traffic and whether the rules match as expected.
Is it possible to either get a similar diagram using the OpenWRT luci interface or the command line? Filtering `iftop` might be able to solve the issue with its filter rules, but I'm unsure how to match the QoS bins using tcpdump filters.
The AVM fritz!box user interface has a pretty decent visualization of traffic binned by QoS levels (picture credits go to [Brandon Davis](http://brendon.davis.to/2012/04/07/fritzbox-qos/)):
`iftop` or `bmon` would be totally fine, too.
Jens Erat
(2403 rep)
Jul 6, 2015, 03:44 PM
Showing page 1 of 13 total questions