I'm having problems with my server, and have been using iftop to show connections to and from the server in real time.
It shows an IP address that is constantly connected to/from me, but I can't find any information about what it is used for.
How can I find out what exactly that IP is doing with my server?
EDIT: With the help of the answers, I was able to see the following with iftop:
my.ip.address:46414 => 199.16.156.20:https
Then with netstat -a I see the following:
tcp 0 0 my.ip.address:46414 199.16.156.20:https ESTABLISHED
I do have an Apache web server, but that IP is not showing in the logs. And furthermore, why is it connecting to port 46414?? What is he doing!
Thanks
EDIT2: OK, thanks to the answer of Daniel t., I'm getting closer. I tried with lsof -i:46475 and this is the output:
COMMAND   PID USER     FD  TYPE DEVICE SIZE/OFF NODE NAME
apache2 22003 www-data 19u IPv4 716074      0t0  TCP ns.arg2.wirall.com:46475
So it looks like Apache is doing something… but as it is an outbound connection, how can I know what it is really doing??
Best Answer
46414 is a randomly generated port created by your OS. This is done for outgoing ports to maintain the session.
It is the connecting port that you need to look at, and that would be 443 as indicated by https. This means your IP is actually connecting via https to a remote server, not the other way around.
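The direction test described in the answer, written out as an added example (not part of the original question or answer): a connection whose local port has no matching LISTEN socket was opened by this host from an ephemeral source port. The function names, the local address 192.0.2.10 and the client 198.51.100.7 are constructed for illustration, and the LISTEN-port check is a heuristic, not a guarantee.

```shell
#!/bin/sh
# Added example: classify ESTABLISHED TCP connections as inbound or outbound.
# Reads `netstat -tan` style lines on stdin:
#   Proto Recv-Q Send-Q Local-Address Foreign-Address State
# Heuristic (assumption): if the local port also appears in a LISTEN line,
# a remote client connected to us; otherwise the local port is an ephemeral
# source port and this host opened the connection.
classify_conns() {
    awk '
    # Return the port: the text after the last ":" (also works for ":::80").
    function port(addr,   k, parts) {
        k = split(addr, parts, ":")
        return parts[k]
    }
    $1 ~ /^tcp/ && $6 == "LISTEN"      { listening[port($4)] = 1 }
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" { count++; loc[count] = $4; rem[count] = $5 }
    # Classify in END so LISTEN lines printed after a connection still count.
    END {
        for (i = 1; i <= count; i++) {
            dir = (port(loc[i]) in listening) ? "inbound" : "outbound"
            print dir, loc[i], rem[i]
        }
    }'
}

# Constructed sample input. Only 199.16.156.20 and port 46414 come from the
# question; every other address and port is made up for the example.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51514      ESTABLISHED
tcp        0      0 192.0.2.10:46414        199.16.156.20:443       ESTABLISHED
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
EOF
}

sample_netstat | classify_conns
# On a live host: netstat -tan | classify_conns
# Then look up the owner of an outbound source port, as in the question:
#   lsof -i:46414
```

Ephemeral ports are reused quickly, so run the lsof lookup while the connection is still established.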