List Outgoing Connections?

I found a couple of handy scripts that help me identify outgoing TCP connections from my 20.04 LTS MATE. The first does a DNS lookup and displays the target:

ss -t -o state established '( dport = :443 || dport = :80 )' | grep -Po '([0-9a-z:.]*)(?=:https?)' | sort -u|netcat whois.cymru.com 43|grep -v "AS Name"|sort -t'|' -k3

Which I think is very cool.

The other shows the total connections by IP address:

netstat -ntu|awk '{print $5}'|cut -d: -f1 -s|sort|uniq -c|sort -nk1 -r

I'd like to combine the two features so that the second command would resolve the hosts (yes, I know that localhost is listed, which could confuse a script), but I can't seem to even get the first part. I'm hoping to run a command that will show something like this:

 10 127.0.0.1       | localhost
  2 104.18.13.47    | CLOUDFLARENET, US
  2 104.18.12.47    | CLOUDFLARENET, US
  1 95.49.116.118   | ORANGE, POLSKA

...
(Examples given may not reflect actual DNS resolution)

It might be interesting to see what processes on my machine are "phoning home..."

3 Likes

These are great. Thanks.

Re: second script

Added awk '{print $2}' at the end of the first part ... excluded IPs starting with 127.0.0. or 10.

netstat -ntu|awk '{print $5}'|cut -d: -f1 -s|sort|uniq -c|sort -nk1 -r| \
awk '{print $2}' | grep -v '^127\.0\.0\.' | grep -v '^10\.' | \
netcat whois.cymru.com 43|grep -v "AS Name"|sort -t'|' -k3

16509 | 34.214.249.151 | AMAZON-02, US
11643 | 209.140.129.68 | EBAY, US
11643 | 64.4.253.78 | EBAY, US
15169 | 142.250.68.37 | GOOGLE, US
15169 | 34.120.208.123 | GOOGLE, US
15169 | 34.120.237.76 | GOOGLE, US

3 Likes
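
An added example, not code from either poster: shell functions that keep the per-address counts from the second command and attach the AS name from a saved whois reply, labelling loopback and RFC 1918 addresses locally instead of sending them to whois. The function names, the `LOCAL_RE` pattern and the sample rows (documentation addresses and a reserved AS number) are constructed for illustration, and only IPv4 peers are handled.

```shell
#!/bin/sh
# Loopback and RFC 1918 ranges; [.] is used so awk -v does not eat backslashes.
LOCAL_RE='^(127[.]|10[.]|192[.]168[.]|172[.](1[6-9]|2[0-9]|3[01])[.])'

# count_peers: `netstat -ntu` output on stdin -> "COUNT IP" lines, busiest first.
count_peers() {
    awk '$5 ~ /^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+:[0-9]+$/ {
             sub(/:[0-9]+$/, "", $5); print $5 }' |
        sort | uniq -c | awk '{print $1, $2}' | sort -k1,1nr -k2,2
}

# public_ips: "COUNT IP" lines on stdin -> only the IPs worth sending to whois.
public_ips() {
    awk -v re="$LOCAL_RE" '$2 !~ re {print $2}'
}

# annotate: "COUNT IP" lines on stdin, $1 = file of whois rows "AS | IP | AS Name".
# Prints "COUNT IP | LABEL"; local addresses get a label without any lookup.
annotate() {
    awk -v re="$LOCAL_RE" -v whois="$1" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        BEGIN {
            while ((getline line < whois) > 0)
                if (split(line, p, "|") >= 3) name[trim(p[2])] = trim(p[3])
        }
        {
            if ($2 ~ /^127[.]/)   label = "localhost"
            else if ($2 ~ re)     label = "private"
            else if ($2 in name)  label = name[$2]
            else                  label = "unknown"
            printf "%3d %-15s | %s\n", $1, $2, label
        }'
}

# demo: constructed netstat lines and constructed whois rows (not real lookups).
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'AS | IP | AS Name' \
        '64500 | 203.0.113.7 | EXAMPLE-NET, ZZ' > "$tmp"
    printf '%s\n' \
        'tcp 0 0 192.168.1.5:40000 203.0.113.7:443 ESTABLISHED' \
        'tcp 0 0 192.168.1.5:40002 203.0.113.7:443 ESTABLISHED' \
        'tcp 0 0 127.0.0.1:50000 127.0.0.1:631 ESTABLISHED' \
        'tcp 0 0 192.168.1.5:40004 198.51.100.9:80 TIME_WAIT' |
        count_peers | annotate "$tmp"
    rm -f "$tmp"
}
demo
```

For live use, save `netstat -ntu | count_peers` to a file, pipe `public_ips` of that file into the thread's `netcat whois.cymru.com 43` and save the reply, then run `annotate` on the two. The anchored pattern keeps an address such as 198.51.100.9 in the lookup list even though it contains "10" followed by another character.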