Ubuntu – How to see what an IP is doing in the server

apache-2.2networkingUbuntu

I'm having problems with my server, and have been using iftop to show connections to and from the server in real time.

It shows an IP address that is constantly connected to/from me, but I can't find any information about what it is used for.

How can I find out what exactly that ip is doing with my server?

EDIT: with help of the answers, I was able to see with iftop the following

my.ip.address:46414 => 199.16.156.20:https

Then with netstat -a I see the following

tcp        0      0 my.ip.address:46414 199.16.156.20:https     ESTABLISHED

I do have an apache web server, but that IP is not showing on the logs. And furthermore, why is it connecting to port 46414?? What is he doing!

Thanks

EDIT2: Ok, thanks to the answer of Daniel t. I'm getting closer. I tried with lsof -i:46475 and this is the output

COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
apache2 22003 www-data   19u  IPv4 716074      0t0  TCP ns.arg2.wirall.com:46475

So it looks like apache is doing something… but as it is an outbound connection, how can I know what is it really doing??

Best Answer

46414 is a randomly generated port created by your OS. This is done for outgoing ports to maintain the session.

It is the connecting port that you need to look at, and that would be 443 as indicated by https. This means your IP is actually connecting via https to a remote server, not the other way around.

Related Solutions

Linux Server Performance – What Limits Maximum Number of Connections?

I finally found the setting that was really limiting the number of connections: net.ipv4.netfilter.ip_conntrack_max. This was set to 11,776 and whatever I set it to is the number of requests I can serve in my test before having to wait tcp_fin_timeout seconds for more connections to become available. The conntrack table is what the kernel uses to track the state of connections so once it's full, the kernel starts dropping packets and printing this in the log:

Jun  2 20:39:14 XXXX-XXX kernel: ip_conntrack: table full, dropping packet.

The next step was getting the kernel to recycle all those connections in the TIME_WAIT state rather than dropping packets. I could get that to happen either by turning on tcp_tw_recycle or increasing ip_conntrack_max to be larger than the number of local ports made available for connections by ip_local_port_range. I guess once the kernel is out of local ports it starts recycling connections. This uses more memory tracking connections but it seems like the better solution than turning on tcp_tw_recycle since the docs imply that that is dangerous.

With this configuration I can run ab all day and never run out of connections:

net.ipv4.netfilter.ip_conntrack_max = 32768
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 0
net.ipv4.tcp_orphan_retries = 1
net.ipv4.tcp_fin_timeout = 25
net.ipv4.tcp_max_orphans = 8192
net.ipv4.ip_local_port_range = 32768    61000

The tcp_max_orphans setting didn't have any effect on my tests and I don't know why. I would think it would close the connections in TIME_WAIT state once there were 8192 of them but it doesn't do that for me.

Linux – netstat -ntap doesn’t show pid/process name for some connections

198_141:~ # netstat  -anp|grep 33000
tcp        0      0 0.0.0.0:53000           0.0.0.0:*               LISTEN       -                   
198_141:~ # lsof -i:33000
COMMAND   PID USER   FD   TYPE     DEVICE SIZE NODE NAME
vsftpd  28147 root    3u  IPv4 4089990174       TCP *:33000 (LISTEN)
198_141:~ # id
uid=0(root) gid=100(users) groups=16(dialout),100(users)
198_141:~ #

in my oninion,there could be two situations:

1) normal privilege user excute "netstat" cann't see those processes launched by root

2) some processes run in kernel

Best Answer

Related Solutions

Linux Server Performance – What Limits Maximum Number of Connections?

Linux – netstat -ntap doesn’t show pid/process name for some connections

Related Topic