I found a couple of handy scripts that help me identify outgoing TCP connections from my 20.04 LTS MATE. The first does a DNS lookup and displays the target:
ss -t -o state established '( dport = :443 || dport = :80 )' | grep -Po '([0-9a-z:.]*)(?=:https?)' | sort -u|netcat whois.cymru.com 43|grep -v "AS Name"|sort -t'|' -k3
Which I think is very cool.
The other shows the total connections by IP address:
netstat -ntu|awk '{print $5}'|cut -d: -f1 -s|sort|uniq -c|sort -nk1 -r
I'd like to combine the two features so that the second command would resolve the hosts (yes, I know that localhost is listed, which could confuse a script), but I can't seem to even get the first part. I'm hoping to run a command that will show something like this:
10 127.0.0.1 | localhost
2 104.18.13.47 | CLOUDFLARENET, US
2 104.18.12.47 | CLOUDFLARENET, US
1 95.49.116.118 | ORANGE, POLSKA
...
(Examples given may not reflect actual DNS resolution)
It might be interesting to see what processes on my machine are "phoning home..."
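
One way to produce the combined output asked for above, as an added example that is not part of the original post: it counts established TCP peers from `ss`, sends the addresses to whois.cymru.com once in bulk mode, and joins the two lists. The function names, the `--live` switch and the sample data are assumptions made for this example, and it covers established TCP only rather than everything `netstat -ntu` lists.

```shell
# count_peers: read `ss -Htn state established` lines on stdin
# (Recv-Q Send-Q Local:Port Peer:Port) and print "count ip", busiest first.
count_peers() {
    awk '{ peer = $4
           sub(/:[0-9]+$/, "", peer)   # drop the port
           gsub(/\[|\]/, "", peer)     # drop IPv6 brackets
           sub(/^::ffff:/, "", peer)   # unwrap IPv4-mapped addresses
           print peer }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# asn_lookup: send the IPs on stdin to whois.cymru.com in bulk mode.
asn_lookup() {
    { echo begin; cat; echo end; } | netcat whois.cymru.com 43
}

# join_asn COUNTS WHOIS: label each "count ip" line in COUNTS using the
# "AS | IP | AS Name" lines in WHOIS. Loopback is labelled locally.
join_asn() {
    awk -v wf="$2" '
        function trim(s) { sub(/^ +/, "", s); sub(/ +$/, "", s); return s }
        BEGIN { while ((getline line < wf) > 0)
                    if (split(line, p, "|") >= 3) name[trim(p[2])] = trim(p[3]) }
        { label = "unknown"
          if ($2 ~ /^127\./ || $2 == "::1") label = "localhost"
          else if ($2 in name) label = name[$2]
          print $1, $2, "|", label }' "$1"
}

# report: the live pipeline (needs network access and netcat).
report() {
    counts=$(mktemp); whois=$(mktemp)
    ss -Htn state established | count_peers > "$counts"
    awk '{ print $2 }' "$counts" | grep -v -e '^127\.' -e '^::1$' |
        asn_lookup > "$whois"
    join_asn "$counts" "$whois"
    rm -f "$counts" "$whois"
}

# Constructed sample input for an offline check (not real traffic).
SAMPLE_SS='0 0 192.168.1.10:51000 104.18.13.47:443
0 0 192.168.1.10:51002 104.18.13.47:443
0 0 192.168.1.10:51004 104.18.13.47:80
0 0 127.0.0.1:40000 127.0.0.1:631
0 0 127.0.0.1:40002 127.0.0.1:631
0 0 [2001:db8::10]:51006 [2001:db8::1]:443'
SAMPLE_WHOIS='Bulk mode; whois.cymru.com [constructed]
64496 | 104.18.13.47 | CLOUDFLARENET, US'
if [ "${1:-}" = "--live" ]; then report; fi
```

Save it as a script and run it with `--live` to query the real service; adding `-p` to the `ss` call in a separate run shows which process owns each socket.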