Friday, April 1, 2016

A poor man's software network sniffer for *nix - lsof / TCP

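Set _PID_ to (or replace $_PID_ with) the ID of the process that you would like to monitor. Note that this samples the process's open TCP connections (endpoints and state) every 15 seconds; it does not capture packet contents, and connections that open and close between two samples are not recorded.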
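# Poll the TCP sockets of process $_PID_ every 15 seconds with lsof.
# Set _PID_ to the process id to watch before pasting this.
# lsof typically shows only sockets of processes you own unless it runs
# with elevated privileges.
if [ -z "${_PID_:-}" ]; then
  printf '%s\n' 'set _PID_ to the process id to monitor' >&2
# Snapshots list local/remote hosts and ports. Keep them in a private
# directory (mktemp -d creates it mode 0700) rather than as predictable
# <epoch>.log names directly in world-writable /tmp, where the redirect would
# follow a symlink that another local user planted under that name.
elif _LOGDIR_=$(mktemp -d "${TMPDIR:-/tmp}/lsof-tcp.XXXXXX"); then
  printf 'writing snapshots to %s\n' "$_LOGDIR_"
  # Plain subshell in the background; the original wrapped the loop in $( ),
  # which would have tried to execute the loop's output as a command.
  (
    while true; do
      sleep 15
      /usr/sbin/lsof -p "$_PID_" | grep TCP > "$_LOGDIR_/$(date +%s).log"
    done
  ) &
  # The loop never ends on its own: stop it with `kill $!` right after
  # starting it, or `kill %<job>` later, and remove the log directory when
  # the investigation is finished.
fi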
Result after a while (grep run from the directory holding the logs):

[user@pje24062 tmp]$ grep 'squid' *.log
grep: akf: Permission denied
1459530489.log:java    11363 gimsown   57u  IPv6           96397107      0t0      TCP pje24062.mycompany.com:54179->east.mycompany.com:squid (CLOSE_WAIT)
1459530489.log:java    11363 gimsown   58u  IPv6           96604834      0t0      TCP pje24062.mycompany.com:36237->192.189.187.100:squid (ESTABLISHED)
1459530504.log:java    11363 gimsown   57u  IPv6           96397107      0t0      TCP pje24062.mycompany.com:54179->east.mycompany.com:squid (CLOSE_WAIT)
1459530504.log:java    11363 gimsown   58u  IPv6           96604834      0t0      TCP pje24062.mycompany.com:36237->192.189.187.100:squid (ESTABLISHED)
1459530520.log:java    11363 gimsown   57u  IPv6           96397107      0t0      TCP pje24062.mycompany.com:54179->east.mycompany.com:squid (CLOSE_WAIT)
1459530520.log:java    11363 gimsown   58u  IPv6           96604834      0t0      TCP pje24062.mycompany.com:36237->192.189.187.100:squid (ESTABLISHED)
1459530535.log:java    11363 gimsown   57u  IPv6           96397107      0t0      TCP pje24062.mycompany.com:54179->east.mycompany.com:squid (CLOSE_WAIT)
1459530535.log:java    11363 gimsown   58u  IPv6           96604834      0t0      TCP pje24062.mycompany.com:36237->192.189.187.100:squid (ESTABLISHED)
1459530550.log:java    11363 gimsown   57u  IPv6           96397107      0t0      TCP pje24062.mycompany.com:54179->east.mycompany.com:squid (CLOSE_WAIT)
1459530550.log:java    11363 gimsown   58u  IPv6           96604834      0t0      TCP pje24062.mycompany.com:36237->192.189.187.100:squid (ESTABLISHED)
1459530565.log:java    11363 gimsown   57u  IPv6           96397107      0t0      TCP pje24062.mycompany.com:54179->east.mycompany.com:squid (CLOSE_WAIT)
1459530565.log:java    11363 gimsown   58u  IPv6           96604834      0t0      TCP pje24062.mycompany.com:36237->192.189.187.100:squid (ESTABLISHED)
1459530580.log:java    11363 gimsown   57u  IPv6           96397107      0t0      TCP pje24062.mycompany.com:54179->east.mycompany.com:squid (CLOSE_WAIT)
1459530580.log:java    11363 gimsown   58u  IPv6           96604834      0t0      TCP pje24062.mycompany.com:36237->192.189.187.100:squid (ESTABLISHED)
1459530595.log:java    11363 gimsown   57u  IPv6           96397107      0t0      TCP pje24062.mycompany.com:54179->east.mycompany.com:squid (CLOSE_WAIT)
1459530595.log:java    11363 gimsown   58u  IPv6           96604834      0t0      TCP pje24062.mycompany.com:36237->192.189.187.100:squid (ESTABLISHED)
1459530610.log:java    11363 gimsown   57u  IPv6           96397107      0t0      TCP pje24062.mycompany.com:54179->east.mycompany.com:squid (CLOSE_WAIT)
1459530610.log:java    11363 gimsown   58u  IPv6           96604834      0t0      TCP pje24062.mycompany.com:36237->192.189.187.100:squid (ESTABLISHED)
1459530625.log:java    11363 gimsown   57u  IPv6           96397107      0t0      TCP pje24062.mycompany.com:54179->east.mycompany.com:squid (CLOSE_WAIT)
1459530625.log:java    11363 gimsown   58u  IPv6           96604834      0t0      TCP pje24062.mycompany.com:36237->192.189.187.100:squid (ESTABLISHED)
1459530640.log:java    11363 gimsown   57u  IPv6           96397107      0t0      TCP pje24062.mycompany.com:54179->east.mycompany.com:squid (CLOSE_WAIT)
1459530640.log:java    11363 gimsown   58u  IPv6           96604834      0t0      TCP pje24062.mycompany.com:36237->192.189.187.100:squid (ESTABLISHED)
1459530655.log:java    11363 gimsown   57u  IPv6           96397107      0t0      TCP pje24062.mycompany.com:54179->east.mycompany.com:squid (CLOSE_WAIT)
1459530655.log:java    11363 gimsown   58u  IPv6           96604834      0t0      TCP pje24062.mycompany.com:36237->192.189.187.100:squid (ESTABLISHED)
1459530670.log:java    11363 gimsown   57u  IPv6           96397107      0t0      TCP pje24062.mycompany.com:54179->east.mycompany.com:squid (CLOSE_WAIT)
1459530670.log:java    11363 gimsown   58u  IPv6           96604834      0t0      TCP pje24062.mycompany.com:36237->192.189.187.100:squid (ESTABLISHED)
1459530685.log:java    11363 gimsown   57u  IPv6           96397107      0t0      TCP pje24062.mycompany.com:54179->east.mycompany.com:squid (CLOSE_WAIT)
1459530685.log:java    11363 gimsown   58u  IPv6           96604834      0t0      TCP pje24062.mycompany.com:36237->192.189.187.100:squid (ESTABLISHED)
1459530700.log:java    11363 gimsown   57u  IPv6           96397107      0t0      TCP pje24062.mycompany.com:54179->east.mycompany.com:squid (CLOSE_WAIT)
1459530700.log:java    11363 gimsown   58u  IPv6           96604834      0t0      TCP pje24062.mycompany.com:36237->192.189.187.100:squid (ESTABLISHED)
1459530715.log:java    11363 gimsown   57u  IPv6           96397107      0t0      TCP pje24062.mycompany.com:54179->east.mycompany.com:squid (CLOSE_WAIT)
1459530715.log:java    11363 gimsown   58u  IPv6           96604834      0t0      TCP pje24062.mycompany.com:36237->192.189.187.100:squid (ESTABLISHED)