I just played a little bit with tcpdump (as I wanted to check why my mails are not getting send) and thereby discovered very strange and a lot of traffic to the "Private IPs". Please See examples below:
05:11:23.639588 IP my.host.com.52822 > 192.168.114.56.www: S 4065505263:4065505263(0) win 5840 <mss 1460,sackOK,timestamp 52563525 0,nop,wscale 6>
05:11:23.639596 IP my.host.com.34872 > 192.168.110.57.https: S 4069841766:4069841766(0) win 5840 <mss 1460,sackOK,timestamp 52563525 0,nop,wscale 6>
05:11:26.087579 IP my.host.com.54247 > 192.168.114.56.81: S 4114834713:4114834713(0) win 5840 <mss 1460,sackOK,timestamp 52564137 0,nop,wscale 6>
05:11:26.087616 IP my.host.com.52828 > 192.168.114.56.www: S 4101565810:4101565810(0) win 5840 <mss 1460,sackOK,timestamp 52564137 0,nop,wscale 6>
05:11:26.727550 IP my.host.com.33281 > 192.168.110.56.https: S 4113254904:4113254904(0) win 5840 <mss 1460,sackOK,timestamp 52564297 0,nop,wscale 6>
05:11:26.727584 IP my.host.com.47730 > 192.168.114.57.www: S 4122721122:4122721122(0) win 5840 <mss 1460,sackOK,timestamp 52564297 0,nop,wscale 6>
05:11:27.647584 IP my.host.com.54252 > 192.168.114.56.81: S 4131156777:4131156777(0) win 5840 <mss 1460,sackOK,timestamp 52564527 0,nop,wscale 6>
05:11:27.647618 IP my.host.com.52833 > 192.168.114.56.www: S 4133704551:4133704551(0) win 5840 <mss 1460,sackOK,timestamp 52564527 0,nop,wscale 6>
05:11:27.647627 IP my.host.com.54254 > 192.168.114.56.81: S 4123314210:4123314210(0) win 5840 <mss 1460,sackOK,timestamp 52564527 0,nop,wscale 6>
05:11:27.647634 IP my.host.com.52835 > 192.168.114.56.www: S 4132548700:4132548700(0) win 5840 <mss 1460,sackOK,timestamp 52564527 0,nop,wscale 6>
05:11:27.647642 IP my.host.com.34885 > 192.168.110.57.https: S 4137809804:4137809804(0) win 5840 <mss 1460,sackOK,timestamp 52564527 0,nop,wscale 6>
05:11:30.091556 IP my.host.com.54260 > 192.168.114.56.81: S 4169604542:4169604542(0) win 5840 <mss 1460,sackOK,timestamp 52565138 0,nop,wscale 6>
05:11:30.091593 IP my.host.com.52841 > 192.168.114.56.www: S 4177065598:4177065598(0) win 5840 <mss 1460,sackOK,timestamp 52565138 0,nop,wscale 6>
05:11:30.731561 IP my.host.com.33294 > 192.168.110.56.https: S 4178586582:4178586582(0) win 5840 <mss 1460,sackOK,timestamp 52565298 0,nop,wscale 6>
05:11:30.731598 IP my.host.com.47743 > 192.168.114.57.www: S 4184486122:4184486122(0) win 5840 <mss 1460,sackOK,timestamp 52565298 0,nop,wscale 6>
I would be very thankfull for advice how I can further find out
1.) What Programm is sending this traffic
Secondly I have the question. How can I check if this traffic will pass my network Interfaces so it will also be "sent" to the network of my provider. What I mean with this question is, is this only traffic internal to my server or is this traffic also "leaving" my server.(It will most likely be discarded by the routers of my ISP but I do not know how tcpdumps works, if this traffic shown is "internal" or "external" traffic.
UPDATE: I had a look at the processtable and killed some processes and found the programm: It was a proxy-server I installed... But the question stills stays the same: Having this example tcpdump given above, how could I further find the programm that is causing this traffic when not looking at the process list and killing programms. and furthermore the question is this traffic "leaving" my server or is this only internal traffic
thank you very much!!! jens
You can look at internet sockets and connections and the programs that own them with either
sudo lsof -i
orsudo netstat -nap46
. You can see if traffic is leaving the machine by passing-i $EXTERNAL_INTERFACE
to tshark or tcpdump.It seems that you are doing tcpdump on your machine. This way you can monitor the traffic received and sent by your machine.
If you want to know whether this traffic will leave your server or not, you have to login to the server and run tcpdump there.
If you want to check the program has some specific established connection, you can use
netstat -anp | grep <PORT>
.