what network monitor will display which applications are using which connections?

Rick Stevens ricks at nerd.com
Fri Feb 19 18:59:21 UTC 2010 

On 02/19/2010 07:59 AM, Wendell Nichols wrote:
> Rick Stevens wrote:
>> On 02/18/2010 03:01 PM, Patrick O'Callaghan wrote:
>>
>>> On Thu, 2010-02-18 at 13:47 -0800, Rick Stevens wrote:
>>>
>>>> On 02/18/2010 09:52 AM, Wendell Nichols wrote:
>>>>
>>>>> I would like to monitor network connections on my servers.  Users run
>>>>> all sorts of stuff and I want to know when some chat client starts
>>>>> shipping data to a system in china etc.
>>>>>
>>>> Snort is probably the best (and complicated) network sniffer out
>>>> there.  It can do some serious analysis.  It also eats up CPU cycles
>>>> like crazy.  You've been warned.
>>>>
>>> Other things to look at: ntop and wireshark (not for the faint of
>>> heart).
>>>
>>
>> Wireshark, of course, being the GUI side of tcpdump.  But you knew that!
> Thankyou for your input.  I've looked at all these things and a few
> more.  One of the more interesting tools is etherape (available at your
> friendly neighbourhood fedora repo site).  It gives you a nice picture
> of what machines on your lan are connected to what machines both off and
> on your lan.  The thing it doesn't tell me is what app is responsible
> for the connection and where the end point is.  There is also no
> logging.  I have snort on my firewall and I'll look more closely at it
> before I move on.
> I'm mostly concerned with apps on windows machines on my local lan
> having connections to machines which are not expected.  You read nearly
> every week about some social networking game or app (tomtom skype?)
> which funnels the chat content to either a foreign government or an
> organization collecting identities for fraud purposes.  I'm interested
> in tools which might plug those holes... but perhaps they don't exist or
> are out of the reach of the "little guy" :)
> Thanks again for your thoughts..

snort isn't that hard to set up using its default rules.  The trick is
in tweaking them to analyze what's going on.

Remember, even at the firewall all you have available to you is IP
addresses and ports involved.  You have no visibility as to what
application on any given machine is opening those connections unless
you're on the machine involved and doing something like

	lsof -i :portnumber-of-interest

while the connection is being made or is open (I don't know if there
is an equivalent application under Windows).  With iptables, you can,
of course, log all outgoing packets with the SYN bit set (your machine
trying to open a TCP connection):

	iptables -A OUTPUT -p tcp -m tcp --tcp-flags SYN SYN -j LOG

but again, you don't know which application was doing that.

If you're intensely paranoid, put rules on your firewall that block
all outgoing packets to anything other than well-known ports that you
are fairly sure you'll use.  If someone whines that they can't do
something, sort out what it is, verify the IPs and ports involved and
put a "hole" in your firewall to allow access for that port to that
specific destination IP.  Do this VERY reluctantly...a firewall that
resembles swiss cheese is no longer a firewall.

Network security and security analysis are pretty complex beasts, which
is why good consultants in those areas can make some serious money.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks at nerd.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-  What's small, yellow and very, VERY dangerous?  The root canary!  -
----------------------------------------------------------------------

More information about the users mailing list