View IP addresses your computer is connected to, and the applications using them



#1 Al1000

Al1000

  • Global Moderator
  • 6,684 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:08:29 AM

Posted 25 October 2014 - 07:31 PM

This is with just one tab open on Firefox, browsing bleepingcomputer.com, having just refreshed the browser.

al@my_desktop_pc:~$ sudo netstat -tunap1
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      1263/dnsmasq
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2136/cupsd
tcp        0      0 192.168.1.101:37774     104.28.14.88:80         TIME_WAIT   -
tcp        0      0 192.168.1.101:37773     104.28.14.88:80         ESTABLISHED 5434/firefox
tcp        0      0 192.168.1.101:45961     185.31.18.193:80        ESTABLISHED 5434/firefox
tcp        0      0 192.168.1.101:45960     185.31.18.193:80        ESTABLISHED 5434/firefox
tcp        0      0 192.168.1.101:35298     74.125.71.84:443        TIME_WAIT   -
tcp        0      0 192.168.1.101:36836     74.125.230.135:443      ESTABLISHED 5434/firefox
tcp        0      0 192.168.1.101:52236     141.101.123.117:80      ESTABLISHED 5434/firefox
tcp        0      0 192.168.1.101:52235     141.101.123.117:80      ESTABLISHED 5434/firefox
tcp        0      0 192.168.1.101:45959     185.31.18.193:80        ESTABLISHED 5434/firefox
tcp        0      0 192.168.1.101:35294     104.131.74.142:80       TIME_WAIT   -
tcp        0      0 192.168.1.101:50079     74.125.230.229:80       ESTABLISHED 5434/firefox
tcp        0      0 192.168.1.101:37772     104.28.14.88:80         ESTABLISHED 5434/firefox
tcp        0      0 192.168.1.101:37778     104.28.14.88:80         TIME_WAIT   -
tcp        0      0 192.168.1.101:52238     141.101.123.117:80      ESTABLISHED 5434/firefox
tcp        0      0 192.168.1.101:52230     141.101.123.117:80      ESTABLISHED 5434/firefox
tcp        0      0 192.168.1.101:52237     141.101.123.117:80      ESTABLISHED 5434/firefox
tcp        0      0 192.168.1.101:52234     141.101.123.117:80      ESTABLISHED 5434/firefox
tcp6       0      0 ::1:631                 :::*                    LISTEN      2136/cupsd
tcp6       1      0 ::1:37392               ::1:631                 CLOSE_WAIT  2015/plasma-desktop
tcp6       1      0 ::1:33734               ::1:631                 CLOSE_WAIT  1106/cups-browsed
udp        0      0 127.0.1.1:53            0.0.0.0:*                           1263/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1220/dhclient
udp        0      0 0.0.0.0:56914           0.0.0.0:*                           1220/dhclient
udp        0      0 0.0.0.0:631             0.0.0.0:*                           1106/cups-browsed
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           529/avahi-daemon: r
udp        0      0 0.0.0.0:56612           0.0.0.0:*                           529/avahi-daemon: r
udp6       0      0 :::5771                 :::*                                1220/dhclient
udp6       0      0 :::35045                :::*                                529/avahi-daemon: r
udp6       0      0 :::5353                 :::*                                529/avahi-daemon: r

See

man netstat

...for more information on netstat.

 

 

So for example this says that Firefox is connected to 104.28.14.88 - with 80 being a port number, and 5434 being Firefox's PID.

104.28.14.88:80         ESTABLISHED 5434/firefox

If you install cURL

sudo apt-get install curl

... you don't have to leave the terminal to look up IP addresses. Enter the command:

curl ipinfo.io/

... followed by the IP address, like so:  

al@my_desktop_pc:~$ curl ipinfo.io/104.28.14.88
{
  "ip": "104.28.14.88",
  "hostname": "No Hostname",
  "city": null,
  "region": null,
  "country": "US",
  "loc": "38.0000,-97.0000",
  "org": "AS13335 CloudFlare, Inc."
}
al@my_desktop_pc:~$ curl ipinfo.io/185.31.18.193
{
  "ip": "185.31.18.193",
  "hostname": "No Hostname",
  "city": null,
  "region": null,
  "country": "EU",
  "loc": "47.0000,8.0000",
  "org": "AS54113 Fastly"
}
al@my_desktop_pc:~$ curl ipinfo.io/74.125.71.84
{
  "ip": "74.125.71.84",
  "hostname": "No Hostname",
  "city": "Mountain View",
  "region": "California",
  "country": "US",
  "loc": "37.4192,-122.0574",
  "org": "AS15169 Google Inc.",
  "postal": "94043"
}
al@my_desktop_pc:~$ curl ipinfo.io/141.101.123.117
{
  "ip": "141.101.123.117",
  "hostname": "No Hostname",
  "city": null,
  "region": null,
  "country": "EU",
  "loc": "47.0000,8.0000",
  "org": "AS13335 CloudFlare, Inc."

CloudFlare is the server / network provider (or whatever the correct term is) for bleepingcomputer.com, and Fastly seems to be a 'content delivery network' - the likes of which keep appearing in the output of netstat. But wherever I go, it seems that Google is always there.


Edited by Al1000, 25 October 2014 - 07:33 PM.



#2 wizardfromoz

wizardfromoz

  • Banned
  • 2,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:29 PM

Posted 26 October 2014 - 03:29 AM

Actually, that is VERY interesting, but is also in some ways linked to what I said over at Unsolicited Emails, here.

 

Thanks for the tip, Al1000

 

:wizardball:



#3 Al1000

Al1000
  • Topic Starter

  • Global Moderator
  • 6,684 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:08:29 AM

Posted 23 May 2015 - 02:16 PM

I've been messing around with netstat some more. Thanks to rburkartjo posting a link to "3 Useful Hacks Every Linux User Must Know" I learned about while, do and done, which I've used to automate the process of running netstat periodically, and recording (probably mostly useless) information from its output.

 

This command will create a file called autonet.sh in your Home directory (assuming that's where you are) and make it executable:

echo $'#!/bin/bash\nwhile true; do netstat -W | grep 'ESTABLISHED' >> connections.txt ; ps -e | grep 'autonet.sh' > autonetpid ; sleep 10 ; done &' > autonet.sh && chmod +x autonet.sh

The content of autonet.sh should look like this:

#!/bin/bash
while true; do netstat -W | grep ESTABLISHED >> connections.txt ; ps -e | grep autonet.sh > autonetpid ; sleep 10 ; done &

To run the script type:

./autonet.sh

The script runs netstat every 10 seconds, searches the output for "established" connections, and records them in a file called connections.txt. So if you run the script, browse the internet for a while, then open your connections.txt file you should find a list of urls that established connections with your computer.

 

It could probably be configured to show something useful too. :)

 

The script also creates a second file called autonetpid, in which you will find the PID number, which is useful if you want to stop the script running.

 

The autonetpid file is over-written every ten seconds, and will never be any larger than one line of text. The connections.txt file doesn't get over-written, so if it gets too long you can just delete the file, and a new file will be created automatically the next time the command is run.

 

To stop the script, use the kill command followed by the PID number of the script. For example in this case, the PID number is 10233:

al@my_desktop_pc:~$ cat autonetpid
10233 pts/0    00:00:00 autonet.sh

... so to stop the script running I would type:

kill 10233

Edited by Al1000, 23 May 2015 - 03:00 PM.
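An added example, not the thread's own autonet.sh, of the same periodic capture written as shell functions: each ESTABLISHED line is prefixed with the time it was seen, and the loop's PID is saved from `$!` at start-up instead of being recovered afterwards with `ps | grep`, so `stop_capture` kills exactly the process that was started. It assumes net-tools `netstat` with the State in the sixth column, as in the output above; the function names and file names are the example's own.

```shell
#!/bin/bash
# Added example (not the thread's autonet.sh): periodic capture of ESTABLISHED
# connections with a timestamp per record and a pidfile written from $!.
# Assumes net-tools netstat output with the State in column 6, as in the posts.

# Read netstat output on stdin; append each ESTABLISHED line to the log,
# prefixed with the UTC time it was observed.
record_established() {
  local logfile=$1
  local stamp
  stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  awk -v ts="$stamp" '$6 == "ESTABLISHED" { print ts, $0 }' >> "$logfile"
}

# Start the capture loop in the background and write its PID to the pidfile.
# usage: start_capture <seconds> <logfile> <pidfile>
start_capture() {
  local interval=$1 logfile=$2 pidfile=$3
  (
    while :; do
      # -p only names other users' programs when run as root; otherwise the
      # PID/Program column shows "-" for those sockets.
      netstat -tunap 2>/dev/null | record_established "$logfile"
      sleep "$interval"
    done
  ) &
  echo $! > "$pidfile"
}

# Stop the loop named in the pidfile, then remove the pidfile.
stop_capture() {
  local pidfile=$1 pid
  if pid=$(cat "$pidfile" 2>/dev/null); then
    kill "$pid" 2>/dev/null || true
  fi
  rm -f "$pidfile"
}

# Typical use:
#   start_capture 10 connections.txt autonet.pid
#   ... browse for a while ...
#   stop_capture autonet.pid
```

Because the PID comes from `$!`, the pidfile never picks up the `grep` process itself, which is what the `ps -ax | grep autonet.sh` variant later in the thread ends up listing as well. The timestamp makes it possible to tell a connection that stayed open for ten minutes from one that reappeared sixty times.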


#4 mremski

mremski

  • Members
  • 480 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NH
  • Local time:03:29 AM

Posted 26 May 2015 - 07:01 AM

netstat is a good command for quickly getting socket/connection information.  It also gets you familiar with TCP states and timeouts (closing sockets have some longish timeouts, 5 minutes or so).  For the security minded, one set of options to keep in mind:

 

netstat -aln

 

a:  all

l: include listening

n: numeric, don't try to DNS resolve.

 

(netstat -aln | grep -i listen to pull just the listening sockets, aka servers)

 

Listening sockets are related to processes on your machine that are open as servers.  If the first column is "unix" that is a UNIX domain socket, typically machine local, less interesting than TCP or UDP sockets.  The Local Address column is the local address the socket is bound to.  127.0.0.1 is your localhost address, 0.0.0.0 is the "any" address.  The number after the ":" is the port;  look this up in /etc/services for the service name, then go hit up Professor Google for what it is.   IPV6 localhost is: ::1, ::ffff:127.0.0.1, IPV6 any is ::

 

Doing this after a fresh install is often interesting, it gives you an idea about the distribution:  Is it "default deny" or "default accept".  Windows is "default accept", OpenBSD is pretty much the King of Default Deny.  "That which is not expressly allowed is prohibited".

 

Tie the listen sockets into your firewall rules:  figure out what service the listening sockets are providing, decide if you need them.  No, turn them off, Yes, figure out where they need to be visible from (local LAN, WAN) and adjust firewall rules accordingly.

 

The OP shows that pointing a browser to anyplace has a lot going on behind the scenes that most folks aren't even aware of (and people with malicious intent can take advantage of that).


FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer


#5 Al1000

Al1000
  • Topic Starter

  • Global Moderator
  • 6,684 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:08:29 AM

Posted 30 July 2015 - 03:55 PM

I've managed to automate this process somewhat. I'm now using sudo netstat -atnp to list all active connections. This command includes a foreign IP address in every result.
 
Here is my current autonet.sh file which is now owned by root, to stop me accidentally starting it without using sudo.
 
#!/bin/bash
while true; do sudo netstat -atnp | grep ESTA >> connections.txt ; ps -ax | grep autonet.sh > autonetpid ; sleep 10 ; done &
 
To make the file owned by root:
sudo chown root:root ~/autonet.sh
 
This script still runs the netstat command every 10 seconds and prints the output in a file called connections.txt, and the pid number(s) to autonetpid.
 
Now I have an additional script which I've called autocurl.sh:
 
 
#!/bin/bash
awk -F: '{ print $2 }' connections.txt | sed -r 's/^.{5}//' | sort -u > ipnos.txt &&
while read p; do
curl ipinfo.io/$p
done <ipnos.txt > results.txt

This script:
 
1) Cuts out everything except the IP addresses from the results of connections.txt, deletes multiple entries of the same IP address, and lists the unique IP addresses in a new file called ipnos.txt.
 
2) When it's finished doing that, it then goes through the entries in ipnos.txt and appends them to curl ipinfo.io/ one after the other, to look the IP addresses up, then outputs the results in a file called results.txt.
 


So to run autonet.sh:
 
sudo bash autonet.sh

To stop autonet.sh running, use sudo kill followed by the pid no(s) in autonetpid.

To run autocurl.sh:
 
bash autocurl.sh

It's still a bit rough. Obviously the two scripts need to be run separately, autocurl.sh prints out a load of text in the terminal while it's running curl, and you have to delete the connections.txt, ipnos.txt, and results.txt files manually. But apart from that, it's fully automated. :)

Here is results.txt after browsing Bleeping Computer for a minute or so:
 

{
"ip": "141.101.113.117",
"hostname": "No Hostname",
"city": null,
"country": "EU",
"loc": "47.0000,8.0000",
"org": "AS13335 CloudFlare, Inc."
}{
"ip": "216.58.208.46",
"hostname": "lhr08s07-in-f14.1e100.net",
"city": "Mountain View",
"region": "California",
"country": "US",
"loc": "37.4192,-122.0574",
"org": "AS15169 Google Inc.",
"postal": "94043"
}{
"ip": "54.85.51.136",
"hostname": "ec2-54-85-51-136.compute-1.amazonaws.com",
"city": "Ashburn",
"region": "Virginia",
"country": "US",
"loc": "39.0437,-77.4875",
"org": "AS14618 Amazon.com, Inc.",
"postal": "20147"
}{
"ip": "64.233.184.157",
"hostname": "wa-in-f157.1e100.net",
"city": "Mountain View",
"region": "California",
"country": "US",
"loc": "37.4192,-122.0574",
"org": "AS15169 Google Inc.",
"postal": "94043"
}{
"ip": "93.184.220.29",
"hostname": "No Hostname",
"city": null,
"country": "US",
"loc": "38.0000,-97.0000",
"org": "AS15133 EdgeCast Networks, Inc."


Edited by Al1000, 30 July 2015 - 04:04 PM.
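An added example, not code from the thread, covering two things the posts do by hand: the check in post #4 of which sockets are listening on the wildcard address, and the extraction in post #5 of unique foreign IP addresses from a saved netstat dump. Both are awk filters on whitespace-separated columns rather than on ":", so they also cope with IPv6 addresses (which contain colons themselves) and with local ports of any length (the `sed -r 's/^.{5}//'` in autocurl.sh assumes five digits). The sample netstat output is constructed for the example, modelled on post #1, with the sshd, apache2 and IPv6 rows made up; the function names are the example's own.

```shell
#!/bin/bash
# Added example (not from the thread): awk filters over net-tools netstat output.
# Column layout assumed, as in the posts:
#   $1 Proto  $2 Recv-Q  $3 Send-Q  $4 Local Address  $5 Foreign Address  $6 State  $7 PID/Program
# UDP rows have no State column, so every filter below is restricted to tcp/tcp6.

# Constructed sample modelled on post #1; the sshd, apache2 and IPv6 rows are made up.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      1263/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      901/sshd
tcp        0      0 192.168.1.101:8080      104.28.14.88:80         ESTABLISHED 5434/firefox
tcp        0      0 192.168.1.101:37773     104.28.14.88:80         ESTABLISHED 5434/firefox
tcp        0      0 192.168.1.101:45961     185.31.18.193:80        ESTABLISHED 5434/firefox
tcp        0      0 192.168.1.101:35298     74.125.71.84:443        TIME_WAIT   -
tcp6       0      0 ::1:631                 :::*                    LISTEN      2136/cupsd
tcp6       0      0 :::80                   :::*                    LISTEN      1500/apache2
tcp6       0      0 2001:db8::101:51234     2001:db8::1:443         ESTABLISHED 5434/firefox
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1220/dhclient'

# Unique foreign IPs of ESTABLISHED TCP connections read on stdin.
# The port is removed after the LAST colon, so IPv6 addresses survive intact.
foreign_ips() {
  awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" {
         addr = $5
         sub(/:[0-9]+$/, "", addr)
         print addr
       }' | sort -u
}

# Listening TCP sockets bound to the wildcard address (0.0.0.0 or ::), i.e. the
# ones reachable from other hosts unless a firewall rule says otherwise.
# Output: proto port pid/program
wildcard_listeners() {
  awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
         host = $4; sub(/:[0-9]+$/, "", host)
         port = $4; sub(/.*:/, "", port)
         if (host == "0.0.0.0" || host == "::")
           print $1, port, $7
       }'
}

# Number of ESTABLISHED connections per foreign IP, busiest first.
connections_per_ip() {
  awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" {
         addr = $5; sub(/:[0-9]+$/, "", addr)
         count[addr]++
       }
       END { for (a in count) print count[a], a }' | sort -rn
}

# Demo on the constructed sample; on a live system pipe `sudo netstat -tunap` instead.
printf '%s\n' "$SAMPLE_NETSTAT" | foreign_ips
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | connections_per_ip
```

Fed the connections.txt log from the thread's script, `foreign_ips` produces exactly the one-address-per-line list that the `while read p; do curl ipinfo.io/$p; done` loop in autocurl.sh expects; adding `-s --max-time 10` to that curl keeps one slow lookup from stalling the rest. `wildcard_listeners` is the list mremski suggests going through service by service: each row is a port that is open to the network and should either be deliberately allowed in the firewall or turned off.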




