Monitor current network traffic on Debian

From an SSH terminal, we can display the number of network connections per remote IP address. The following loop counts the established TCP connections every second and prints the count for each address.

while true; do netstat -ant | egrep ':.*ESTABLISHED' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c; sleep 1; done

Of course, this can also be restricted further, e.g. to local ports 80 and 443, to display only HTTP and HTTPS connections:

while true; do netstat -ant | egrep '(:80|:443) .*:.*ESTABLISHED' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c; sleep 1; done

Netstat can only display TCP and UDP traffic. ICMP traffic is not displayed by netstat.

To log the output and exclude specific IPs (here the loopback addresses), we can use:

while true; do netstat -ant | egrep ':.*ESTABLISHED' | grep -v -e '127.0.0.1' -e '127.0.0.2' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c >> /root/ip.log; sleep 1; done
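The pipelines above cut the remote address at the first colon, which truncates IPv6 addresses, and the log file carries no timestamps. As an added example (not from the original post), the functions below parse `netstat -ant` output for both address families; the function names and the sample connection table are constructed for illustration.

```bash
# count_established [PORTS] [EXCLUDE]
#   PORTS   comma-separated local ports to keep (empty = all ports)
#   EXCLUDE comma-separated remote addresses to drop (exact match)
# Reads `netstat -ant` lines on stdin, prints "<count> <remote-address>".
count_established() {
    awk -v ports="$1" -v exclude="$2" '
        BEGIN {
            np = split(ports, p, ",");   for (i = 1; i <= np; i++) want[p[i]] = 1
            ne = split(exclude, e, ","); for (i = 1; i <= ne; i++) skip[e[i]] = 1
        }
        # Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            lport = $4; sub(/.*:/, "", lport)      # keep text after the last colon
            raddr = $5; sub(/:[^:]*$/, "", raddr)  # strip only the trailing :port
            sub(/^::ffff:/, "", raddr)             # IPv4-mapped IPv6 -> plain IPv4
            if (np > 0 && !(lport in want)) next
            if (raddr in skip) next
            count[raddr]++
        }
        END { for (a in count) print count[a], a }
    ' | sort -k1,1nr -k2,2
}

# log_snapshot FILE [PORTS] [EXCLUDE]: append one timestamped snapshot to FILE.
log_snapshot() {
    { date -u '+# %Y-%m-%dT%H:%M:%SZ'
      netstat -ant | count_established "$2" "$3"; } >> "$1"
}

# Constructed sample of `netstat -ant` output (documentation address ranges).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:443          198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:443          198.51.100.7:51240      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40112       ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.7:60022      ESTABLISHED
tcp        0      0 127.0.0.1:5432          127.0.0.1:47010         ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.9:44321       TIME_WAIT
tcp6       0      0 2001:db8::10:443        2001:db8::beef:51522    ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:40200 ESTABLISHED
EOF
}

# Live use: while true; do log_snapshot /root/ip.log 80,443 127.0.0.1; sleep 1; done
```

Running `sample_netstat | count_established 80,443 127.0.0.1` shows the parsing without touching the live connection table.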

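To monitor HTTP traffic live, you can use tcpdump, for example. Traffic on port 443 is TLS-encrypted, so only the port 80 payloads are readable in the -A output: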

sudo tcpdump -i eth0 -s 0 -A 'tcp dst port 80 or tcp dst port 443 and not host 1.1.1.1'
