Is there any way on Linux to get detailed analysis of network traffic to and from a process . Detailed analysis means the data as provided by tcpdump, wireshark.
How about using lsof to get further information on the process?
lsof -c $process
to see what files and network connections that are used by the process.
lsof -i | egrep 'mongod.*LISTEN'
to grep for all connections to the mongod process. From this you can see what port the process is listening on
$ lsof -i | egrep 'mongod.*LISTEN'
mongod 64223 fred 6u IPv4 0xffffff80298fec20 0t0 TCP *:27017 (LISTEN)
mongod 64223 fred 7u IPv4 0xffffff8017393500 0t0 TCP *:28017 (LISTEN)
mongod 64224 fred 9u IPv4 0xffffff8014038500 0t0 TCP *:27018 (LISTEN)
mongod 64224 fred 10u IPv4 0xffffff801746f880 0t0 TCP *:28018 (LISTEN)
......
......
......
and so then run tcpdump on that port.
HTH!
Related
We have ubuntu server installed on our desktop machine. It is connected modem with ethernet port. We can access it with ssh via inside of our network. But can not from outside.
Here is what we've done so far:
We have static ip
My professor made this i dont know what it is
Our ubuntu server machine always picks 192.168.1.200
We have port forwarding
when I run ssh maviarge#213.XXXXXXX from our LAN which holds ubuntu server machine
maviarge#213.XXXXXXX's password:
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-104-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu 10 Mar 2022 08:45:36 AM UTC
System load: 0.07 Processes: 166
Usage of /: 2.0% of 438.13GB Users logged in: 1
Memory usage: 2% IPv4 address for docker0: 172.17.0.1
Swap usage: 0% IPv4 address for enp3s0: 192.168.1.200
Temperature: 50.0 C
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
0 updates can be applied immediately.
But when I run ssh -v maviarge#213.XXXXXXX from outside of our wifi.
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Reading configuration data C:\\Users\\MaviArge/.ssh/config
debug1: Connecting to 213.XXXXXXX [213.XXXXXXX] port 22.
debug1: connect to address 213.XXXXXXX port 22: Connection timed out
ssh: connect to host 213.XXXXXXX port 22: Connection timed out
When I run ping 213.XXXXXXX from outside
Pinging 213.XXXXXXX with 32 bytes of data:
Reply from 213.XXXXXXX: bytes=32 time=67ms TTL=46
Reply from 213.XXXXXXX: bytes=32 time=97ms TTL=46
Reply from 213.XXXXXXX: bytes=32 time=107ms TTL=46
Reply from 213.XXXXXXX: bytes=32 time=124ms TTL=46
Ping statistics for 213.XXXXXXX:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 67ms, Maximum = 124ms, Average = 98ms
Saw this command on internet sudo lsof -i:22 and the output:
sudo lsof -i:22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 3290 root 4u IPv4 38814 0t0 TCP maviarge:ssh->host-213.XXXXXXX.reverse.superonline.net:58124 (ESTABLISHED)
sshd 3375 maviarge 4u IPv4 38814 0t0 TCP maviarge:ssh->host-213.XXXXXXX.reverse.superonline.net:58124 (ESTABLISHED)
sshd 4057 root 3u IPv4 71589 0t0 TCP *:ssh (LISTEN)
sshd 4057 root 4u IPv6 71591 0t0 TCP *:ssh (LISTEN)
sshd 5662 root 4u IPv4 74261 0t0 TCP maviarge:ssh->host-213.XXXXXXX.reverse.superonline.net:60472 (ESTABLISHED)
sshd 5746 maviarge 4u IPv4 74261 0t0 TCP maviarge:ssh->host-213.XXXXXXX.reverse.superonline.net:60472 (ESTABLISHED)
Also nmap scan:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-10 05:17 EST
Nmap scan report for host-213.XXXXXXX.reverse.superonline.net (213.XXXXXXX)
Host is up (0.14s latency).
Not shown: 96 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp filtered ssh
25/tcp filtered smtp
5060/tcp filtered sip
5432/tcp open postgresql
Nmap done: 1 IP address (1 host up) scanned in 2.08 seconds
What's wrong?
have you try this
sudo ufw allow from any to any port 22 proto tcp
or
sudo ufw allow ssh
In my debian PC i had a nginx server, but i removed it completely. Now i have permanently :80 port busy.
I ran any kind of command for stop those services, but they execute again.
What can i do for set free 80 port? THX.
nginx 6593 root 6u IPv4 345904 0t0 TCP *:80 (LISTEN)
nginx 6605 systemd-network 6u IPv4 345904 0t0 TCP *:80 (LISTEN)
You should be able to simply kill the process.
kill command syntax
# kill [signal or option] PID(s)
So in your case,
kill SIGTERM 6593
You might need to be as root, so prepend with sudo as appropriate
for Linux:
fuser -k 80/tcp
or,
kill $(lsof -t -i:80)
What is the meaning of the output under the NAME tag of the lsof -i
command when it appears as such *:*
Example output:
The UDP *:* means you have processes on your system listening on all network interfaces for IPv4 UDP packets:
All IPv4 Addresses are represented by a * on the left of the colon
All ports are represented by a * on the right of the colon
You can test this by sending a batch of 5 UDP packets to one of your local addresses with netcat:
$ echo "data" | nc -w1 -u 127.0.0.1 1-5
While using lsof in repeat mode to show the UDP connection activity:
$ lsof -r1 -iUDP -P -n | grep -E "^nc"
nc 3197 root 3u IPv4 0x614d3be71aa32a89 0t0 UDP 127.0.0.1:57137->127.0.0.1:2
nc 3197 root 3u IPv4 0x614d3be71b503dc9 0t0 UDP 127.0.0.1:62455->127.0.0.1:3
nc 3197 root 3u IPv4 0x614d3be71bdbe351 0t0 UDP 127.0.0.1:52982->127.0.0.1:4
nc 3197 root 3u IPv4 0x614d3be71b6335b9 0t0 UDP 127.0.0.1:61450->127.0.0.1:5
I am setting up iptables rules on the server where nginx and php-fpm are running. I have allow both 80 and 443 ports but as I see there are also addiitonal connections to higher ports that are blocked.
Sample output of
netstat -anpn | grep -v ":80"
tcp 0 1 10.0.0.1:8109 10.1.2.24:29837 SYN_SENT 19834/nginx: worker
tcp 0 1 10.2.3.45:31890 10.0.0.1:26701 SYN_SENT 17831/nginx: worker
10.0.0.1 is server IP, others are clients.
My iptables rules:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
Can someone explain:
Why do nginx uses ports different from standard 80 and 443.
What is this additional ports range?
How to properly allow connections to nginx with iptables?
Thanks in advance!
Nginx will typically perform internal redirects when processing a request and this will establish connections on high numbered ports. I do not believe you can find this range.
Here is what I see for example:
tcp 0 0 192.168.0.126:80 0.0.0.0:* LISTEN 9432/nginx: worker
tcp 0 0 192.168.0.126:80 192.168.0.177:62950 ESTABLISHED 9432/nginx: worker
tcp 0 0 192.168.0.126:80 192.168.0.177:62949 ESTABLISHED 9432/nginx: worker
tcp 0 0 192.168.0.126:80 192.168.0.177:62947 ESTABLISHED 9432/nginx: worker
unix 3 [ ] STREAM CONNECTED 29213 9432/nginx: worker
The reason your firewall rules work is because you:
Have opened the required ports that your Nginx server listeners need (i.e. 80 and 443)
You have included the following firewall rule that allows all requests to localhost (127.0.0.1) so Nginx internal redirects that open high numbered ports are not blocked:
iptables -A INPUT -i lo -j ACCEPT
So to answer your questions:
Nginx server listeners can listen to any port you like not just 80 and 443. Why it uses additional ports is for internal redirects and as such an aspect of the implementation.
I do not believe you can find this range. In fact I would doubt any code would ask the system to utilize a certain port but rather would ask the OS for a high numbered unused port.
You may not have realized it but the firewall rules you implemented should work fine.
I use PHP-FPM with Nginx as well. I block all ports except 22/80/443 in iptables and haven't experienced any issues with connectivity. I examined my own netstat and it looks identical to your output. Are you sure your iptables rules are correct? Could you post the output of sudo iptables -L
I develop on Mac (Lion) with Eclipse and GlassFish 3.1. GlassFish uses ports 8080 and 4848. Suddenly when I try to launch GlassFish it tells me it can't because there's a port conflict.
As far as I can tell, nothing is using that port. I shutdown everything and restart the Mac and still get the same error when I run GlassFish. I uninstalled GlassFish, deleted all the directories, restarted my machine, reinstalled GlassFish and same problem.
I created a new test user on my Mac, log out as me, log in as him, install GlassFish under that users account and it runs fine there.
It's like there's something in my user account that makes my Mac or GlassFish think that port is in use.
Does anyone know how I might solve this problem? I hate the idea of having to create a new account on my Mac and transfer all of my data there. Seems like an excessive solution.
Any ideas?
Rob
UPDATE: Doing a "lsof -i :8080" shows me this:
$ lsof -i :8080
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
launchd 158 stephen 8u IPv4 0xffffff8014945fa0 0t0 TCP *:http-alt (LISTEN)
launchd 158 stephen 10u IPv6 0xffffff8014941240 0t0 TCP *:http-alt (LISTEN)
printerAg 232 stephen 5u IPv4 0xffffff8014945fa0 0t0 TCP *:http-alt (LISTEN)
printerAg 232 stephen 6u IPv6 0xffffff8014941240 0t0 TCP *:http-alt (LISTEN)
I guess that means there is something on port 8080? If so, what are launchd and printerAg? And why are they running on this user account, but not on the new user account I created? Thanks!
You can also change the port of HP printers from 8080 to 18089 by the following command:
sudo sed -i "" -e "s|8080|18089|g" ~/Library/LaunchAgents/com.hp.printerAgent.plist
Then restart you system.
Check who is using the port:
lsof -i :8080 -i :4848