I am running Ubuntu Server and using putty to check on it from time to time. There shouldn't be any traffic at all on this machine unless I initiate it. About once/twice per month when I run 'vnstat -l' to check the traffic, I notice that it's transmitting and receiving more than usual.
I want to know exactly what it's doing. I have been a Windows admin for years and know my way around Microsoft like the back of my hand. I can look at the services/processes running on any Windows machine and easily identify them. I can't do this with linux yet. I want to be just as comfortable with Ubuntu (as I am with Windows), which is why I have set up this machine.
I would like to be pointed in the right direction here. I know a handful of basic commands and have some Linux cheatsheets with some vague suggestions, which usually suffice, but I am still not satisfied that my machine is safe.
I am running ufw with one open port, 22, for putty. When I use the machine for other things I usually open up other ports, such as 80, but immediately close it when finished.
You could use
netstat -a
for this task. It shows every connection the system currently has. If you want to monitor every single packet you should have a look at tcpdump or tshark.
apt-get install ntop
ntop is a service that will monitor and report on all network traffic. You can access it on port 3000 with a web browser.
**Edit to include some command line utilities I use (ntop remains more valid to this question for its ability to store and view historical data)**
As Wienczny points out below, iptraf is an excellent curses-based monitor
pktstat performs a similar function to iptraf but also displays a real-time list of active connections seen on a network interface, and how much bandwidth is being used by what. Partially decodes HTTP and FTP protocols to show what filename is being transferred. X11 application names are also shown. Entries hang around on the screen for a few seconds so you can see what just happened. Also accepts filter expressions à la tcpdump.
iftop displays bandwidth usage on an interface. iftop does for network usage what top does for CPU usage. It listens to network traffic on a named interface and displays a table of current bandwidth usage by pairs of hosts.
tcptrack is a sniffer which displays information about TCP connections it sees on a network interface. It passively watches for connections on the network interface, keeps track of their state and displays a list of connections in a manner similar to the unix ‘top’ command. It displays source and destination addresses and ports, connection state, idle time, and bandwidth usage.
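The netstat suggestion above and the tool list in this answer both show traffic, but the original question is really "which process is behind it". The following is an added example, not from either answer: a small sh script that takes the output of `ss -tunp` (the iproute2 successor to `netstat -tunp`, which prints the owning program when run as root), counts established TCP connections per program, and flags any peer that is not on an allowlist. The sample `ss` output, the program names and the allowlist address are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): tie established connections to the
# program that owns them, then flag peers the admin did not expect.

# Constructed sample of `ss -tunp` output. On a live system run instead:
#   ss -tunp | flag_unexpected
# (as root, otherwise the Process column is empty for other users' sockets)
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
tcp   ESTAB  0      0      192.168.1.10:22      192.168.1.50:51234  users:(("sshd",pid=1234,fd=4))
tcp   ESTAB  0      0      192.168.1.10:44312   203.0.113.7:443     users:(("apt-get",pid=2345,fd=5))
tcp   ESTAB  0      0      192.168.1.10:44313   203.0.113.7:443     users:(("apt-get",pid=2345,fd=6))
udp   UNCONN 0      0      0.0.0.0:68           0.0.0.0:*           users:(("dhclient",pid=567,fd=6))
tcp   ESTAB  0      0      192.168.1.10:51000   198.51.100.9:8080   users:(("myapp",pid=4242,fd=3))'

# Hypothetical allowlist: the workstation the admin connects from with PuTTY.
ALLOWED_PEERS="192.168.1.50"

# Read `ss -tunp` output on stdin; print "program pid local peer" for every
# ESTABLISHED TCP socket. UDP sockets (state UNCONN) are skipped here.
# Sockets whose Process column is missing (not root) show as "? ?".
connections_by_process() {
  awk 'NR > 1 && $1 == "tcp" && $2 == "ESTAB" {
         prog = "?"; pid = "?"
         if (match($7, /"[^"]*"/))   prog = substr($7, RSTART + 1, RLENGTH - 2)
         if (match($7, /pid=[0-9]+/)) pid  = substr($7, RSTART + 4, RLENGTH - 4)
         print prog, pid, $5, $6
       }'
}

# Count connections per program/pid and list every peer address that is not
# in ALLOWED_PEERS. Output is sorted so it is stable for comparison.
flag_unexpected() {
  connections_by_process | awk -v allow="$ALLOWED_PEERS" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      peer = $4; sub(/:[0-9*]+$/, "", peer)      # strip the port, keep host
      count[$1 "/" $2]++
      if (!(peer in ok)) unexpected[$1 "/" $2 " -> " $4] = 1
    }
    END {
      for (k in count)      print "connections", k, count[k]
      for (k in unexpected) print "unexpected", k
    }' | sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SS" | flag_unexpected
```

Running it against the constructed sample reports two apt-get connections and one each for sshd and myapp, and flags the apt-get and myapp peers as unexpected while the sshd session from the allowlisted workstation is not.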