I'm running gkrellm which shows that some process on my Debian Linux system is writing approx 500KB/s to eth0. I'd like to find out which process it is. I know a little bit about netstat, but it shows a gazillion open TCP connections and I can't seem to make it produce any information about traffic.
Does anybody know how I can get a list of processes that are actually using the eth0 interface so that I can track down the offender?
FOLLOWUP: The Debian Linux distribution contains a nethogs package which solves this problem definitively. Related tools that are not quite on the mark include iftop, netstat, and lsof.
I prefer nethogs. It's a small ncurses-based console program that displays per-process network traffic status in a convenient way.
netstat -ptu will give you the owning process ids (along with standard netstat info) for all tcp and udp connections. (Normal users will not be able to id all processes.) If something is sending out a fair amount of constant traffic you should see it on the Recv-Q or Send-Q columns, 2 and 3 respectively. Examples:
Recv-Q
sudo watch -n .1 'netstat -tup | grep -E "^(tcp|udp)6?" | sort -nr -k2'
Send-Q
sudo watch -n .1 'netstat -tup | grep -E "^(tcp|udp)6?" | sort -nr -k3'
If you suspect that that process is being triggered by another process: ps axf.
A more manual operation if you are looking for just a process sending/receiving data would be to run the lsof command. This will list all open files for each process, which will include network connections, as they are file descriptors to the OS. Not sure if this is what you are looking for.
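The same /proc data that netstat -p draws on can be read directly, shown here as an added example (not code from any of the answers): it parses /proc/net/tcp, ranks sockets by Send-Q, and maps each socket inode to its owning PIDs through /proc/<pid>/fd. It assumes IPv4 TCP on a little-endian host; the sample table is constructed and is used only when /proc/net/tcp is absent.

```python
import os
import re

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 15234 1 0000000000000000 100 0 0 10 0
   1: 0F00000A:A1B2 077100CB:01BB 01 0007A120:00000000 01:00000014 00000000  1000        0 48211 2 0000000000000000 20 4 30 10 -1
   2: 0F00000A:0016 0200000A:D431 01 00000000:00000120 00:00000000 00000000     0        0 33017 1 0000000000000000 20 4 30 10 -1
"""

def hex_addr(field):
    """Decode 'AABBCCDD:PPPP' (IPv4 as little-endian hex) into 'a.b.c.d:port'."""
    ip, port = field.split(":")
    octets = [str(int(ip[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets) + ":" + str(int(port, 16))

def parse_proc_net_tcp(text):
    """Return sockets sorted by Send-Q (bytes queued, not yet acknowledged)."""
    rows = []
    for line in text.splitlines()[1:]:           # skip the header line
        f = line.split()
        if len(f) < 10:
            continue
        tx, rx = (int(x, 16) for x in f[4].split(":"))
        rows.append({"local": hex_addr(f[1]), "remote": hex_addr(f[2]),
                     "send_q": tx, "recv_q": rx, "uid": int(f[7]), "inode": f[9]})
    return sorted(rows, key=lambda r: r["send_q"], reverse=True)

def inode_to_pids(proc="/proc"):
    """Map socket inode -> set of PIDs by reading /proc/<pid>/fd symlinks."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                m = re.match(r"socket:\[(\d+)\]", os.readlink(os.path.join(fd_dir, fd)))
                if m:
                    owners.setdefault(m.group(1), set()).add(int(pid))
        except OSError:                           # not root, or the process exited
            continue
    return owners

if __name__ == "__main__":
    live = os.path.exists("/proc/net/tcp")
    text = open("/proc/net/tcp").read() if live else SAMPLE
    owners = inode_to_pids() if live else {}
    for r in parse_proc_net_tcp(text)[:10]:
        print(r["send_q"], r["recv_q"], r["local"], r["remote"], r["uid"],
              sorted(owners.get(r["inode"], [])))
```

Run it as root to resolve sockets owned by other users; a large Send-Q marks a socket with data backed up, which is a hint rather than a bandwidth measurement.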
Install iftop (simple text-based) or ntop (graphical).
Use tcpdump to sniff some packets on this interface:
Copy to client and open with Wireshark to see what happens.