You can check the traffic sources using various commands and tools. Here are a few options:
netstat -antp | grep ESTABLISHED
This command will show you all established connections to your server, along with the client IP addresses and ports (the -n flag keeps them numeric instead of resolving hostnames) and the owning process.
iftop -P -N
This command will display a list of network connections and their bandwidth usage, sorted by the most active connections at the top.
tcpdump -i eth0 src <IP address> or src <IP address>
Replace “eth0” with the name of your network interface and each “<IP address>” with an actual IP address you want to filter on. This command will show all network traffic from the specified IP addresses.
iptraf-ng
Once you start the iptraf-ng command, you can navigate to the “Connections” option to see the list of active connections with their sources and destinations.
Note that all these commands require root or sudo privileges to execute.
First, capture a sample of packets and count how often each source appears:
sudo tcpdump -n -i eth0 -c 1000 | awk '{print $3}' | sort | uniq -c | sort -nr
This will capture the first 1000 packets on the eth0 interface and list the source addresses of the traffic, most frequent first. Note that the third field of tcpdump's output is the source address with the source port appended, so one host that opens many connections will appear once per port. You can adjust the number of packets captured by changing the -c parameter.
Next, use the netstat command to see which processes are associated with those IP addresses:
sudo netstat -anp | grep <source IP address>
This will show you the process ID (PID) associated with the traffic. Make a note of the PIDs that are generating the most traffic.
Finally, use the ps command to identify the name of the process associated with the PIDs you identified in the previous step:
sudo ps -p <PID> -o comm=
This will show you the name of the process associated with the PID.
It is important to be careful when taking action to close the source of the traffic, as you do not want to accidentally disrupt legitimate traffic to your server. It is also important to investigate why the traffic is occurring in the first place, as there may be underlying issues with your server or application that need to be addressed.
To terminate a connection with tcpkill, you’ll need to install the dsniff package, which provides the tcpkill command. Once installed, you can use the following command to terminate the connection:
sudo tcpkill host [IP address] and port [port]
Replace [IP address] and [port] with the IP address and port associated with the connection you want to terminate.
Note that using tcpkill can have unintended consequences and should be used with caution. It terminates all connections to and from the specified IP and port, not just the one you are targeting. Use this command only if you have no other options and are confident in its use.
Here’s how you can use tcpdump to capture traffic on a Debian server:
Open a terminal on your Debian server.
Run the following command to start capturing traffic:
sudo tcpdump -i eth0 -nn -s0 -w traffic.pcap
In this command, -i eth0 specifies the network interface to capture traffic on (replace eth0 with the name of the interface you want to capture traffic on), -nn specifies that tcpdump should not resolve IP addresses to hostnames or ports to service names, -s0 specifies that tcpdump should capture the entire packet, and -w traffic.pcap specifies the file to save the captured traffic to.
Let the tcpdump command run for a period of time to capture the traffic.
After you’re finished capturing traffic, press Ctrl-C to stop the tcpdump command.
To view the captured traffic, you can use Wireshark or another network analysis tool to open the traffic.pcap file. In Wireshark, you can use the “Statistics” menu to view the traffic sources and other statistics about the captured traffic.
Note: The tcpdump command requires root privileges to capture network traffic, so you will need to run the command with sudo or as the root user. Additionally, be sure to replace eth0 with the name of the network interface you want to capture traffic on.
To determine which port the most traffic is going to, you can use the tcpdump command in conjunction with some command line tools for analyzing network traffic such as tshark and awk. Here’s how you can do it:
First, run the following tcpdump command to capture network traffic and save it to a file:
sudo tcpdump -i eth0 -w traffic.pcap
This command will capture all network traffic on the eth0 interface and save it to a file called traffic.pcap.
Once you have captured enough traffic, you can use the tshark command to analyze the contents of the traffic.pcap file:
sudo tshark -r traffic.pcap -Y tcp -T fields -e tcp.dstport -e frame.len
This command will read the traffic.pcap file and print, for every TCP packet, its destination port and its size in bytes (one packet per line).
The output of the tshark command is one line per packet, so it still has to be totalled per port. To add up the bytes for each port and sort the result by the amount of traffic in descending order, you can pipe it through awk and sort:
sudo tshark -r traffic.pcap -Y tcp -T fields -e tcp.dstport -e frame.len | awk '{bytes[$1]+=$2} END {for (p in bytes) print bytes[p], p}' | sort -nr
This command will print the list of ports and traffic amounts in descending order by the amount of traffic. The first column will show the amount of traffic in bytes, and the second column will show the port number.
The port that has the most traffic will be listed at the top of the output. Keep in mind that this method will only show you traffic that was captured during the time period that you were running tcpdump. If you want to monitor traffic in real-time, you can use the tcpdump command with the -l flag, which line-buffers its output so packets are printed as they are captured even when the output is piped to another tool.
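As an added example, not taken from the original page, the two aggregations above (packets per source address from the first procedure, and bytes per destination port from this one) can be done offline over the text that tcpdump -n prints, which also shows why the trailing “.port” has to be stripped from the source field. The sample lines are constructed and the line format (IPv4, tcpdump -n, a trailing “length N”) is assumed:

```shell
#!/bin/sh
# Added example, not from the original page: rank sources and destination ports
# offline from the text that `tcpdump -n` prints, instead of piping live traffic.
# Assumed line format (IPv4, tcpdump -n):
#   TIME IP SRC.SPORT > DST.DPORT: Flags [..], ..., length N

# Constructed sample output standing in for `sudo tcpdump -n -i eth0 -c 1000`.
SAMPLE_TCPDUMP='10:00:01.000001 IP 203.0.113.5.51234 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
10:00:01.000002 IP 203.0.113.5.51235 > 192.0.2.10.443: Flags [P.], seq 1:101, ack 1, win 501, length 100
10:00:01.000003 IP 198.51.100.7.40000 > 192.0.2.10.22: Flags [P.], seq 1:41, ack 1, win 501, length 40
10:00:01.000004 IP 203.0.113.5.51236 > 192.0.2.10.80: Flags [P.], seq 1:301, ack 1, win 501, length 300
10:00:01.000005 IP 192.0.2.10.443 > 203.0.113.5.51234: Flags [.], ack 101, win 501, length 0'

# Packets per source address, most active first, as "<count> <ip>".
# The third field is "ip.port"; the trailing ".port" is stripped so a host that
# opens many connections is counted as one source rather than once per port.
top_sources() {
    awk '$2 == "IP" { src = $3; sub(/\.[0-9]+$/, "", src); count[src]++ }
         END { for (s in count) print count[s], s }' | sort -nr
}

# TCP payload bytes per destination port, as "<bytes> <port>", summed from the
# "length N" that tcpdump prints at the end of each TCP line.
bytes_per_dst_port() {
    awk '$2 == "IP" && $(NF-1) == "length" {
             dst = $5; sub(/:$/, "", dst); port = dst; sub(/.*\./, "", port)
             bytes[port] += $NF }
         END { for (p in bytes) print bytes[p], p }' | sort -nr
}

# Stand-alone run over the constructed sample; for live traffic use e.g.
# `sudo tcpdump -n -i eth0 -c 1000 | top_sources` with the functions sourced.
printf '%s\n' "$SAMPLE_TCPDUMP" | top_sources
printf '%s\n' "$SAMPLE_TCPDUMP" | bytes_per_dst_port
```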