Logging outgoing connections as they happen

Question

Is there a way to log to file all the outgoing connections that a process creates? I am aware of netstat but that seems to be more of a snapshot of a point in time rather than something that runs and logs information over a period.

I only need the IP or hostname, port and the process making the connection.

Well, you could do something like watch -n 2 netstat in the meantime, but that's not a proper solution, is it. — Ulrich Schwarz, Jan 26 '12 at 11:22
See also How to find out which file is currently written by a process for file accesses — Gilles 'SO- stop being evil', Feb 12 '12 at 12:43

Gilles 'SO- stop being evil' · Answer 1 · 2019-07-12T19:36:23.580

16

On Linux, you can set up the audit subsystem to log every attempt to establish a network connection. For information about the audit subsystem, read the auditctl man page or this tutorial or other examples on this site. Install your distribution's auditd package if necessary, then

auditctl -A exit,always -S connect

The logs are in /var/log/audit/audit.log on all the distributions that I know of. You can also search them with ausearch.

edited Jul 12 '19 at 19:36

answered Jan 27 '12 at 01:10

Gilles 'SO- stop being evil'

829,060

4

I needed to identify which process was making an outgoing connection. This did it instantly. To avoid flooding the logs, remove the rule afterward: auditctl -d exit,always -S connect – Michael Hampton May 26 '13 at 03:59
How do I inspect the logs? – luckydonald Jul 12 '19 at 16:50
@luckydonald less /var/log/audit/audit.log – Gilles 'SO- stop being evil' Jul 12 '19 at 19:36
1

This seems to log a huge amount of data, though having tried a curl - the ip address was NOT logged in the /var/log/audit/audit.log file. – Chris Stryczynski Aug 07 '20 at 11:38
The IP address and port are part of the saddr field. See: https://unix.stackexchange.com/questions/102926/how-to-interpret-the-saddr-field-of-an-audit-log – Marius Bjørnstad Oct 07 '20 at 13:05
seems like to capture outgoing connection activities, -F filetype=socket is needed per manpage. but another thread said it doesn't work. Any idea how to just audit outgoing connection activities? Thanks! – HCSF Mar 12 '21 at 10:58

score 5 · Answer 2 · edited Jan 15 '14 at 19:11

5

If you're able to install a custom kernel, you should have a look at SystemTap. There are plenty of examples how to trace network activity.

edited Jan 15 '14 at 19:11

peterph

30,838

answered Jan 26 '12 at 20:39

Lars Kotthoff

1,234

score 3 · Answer 3 · edited Jun 29 '15 at 08:52

3

On Linux, you can use ip_conntrack to accomplish this. It's a connection tracking module, used normally to monitor connections for oddly behaving protocols (like FTP) to be managed by a firewall/NAT box.

modprobe ip_conntrack
cat /proc/net/ip_conntrack

You can grep the pseudo-file to see established connections, and further grep the source IP to see when it originates from your box.

edited Jun 29 '15 at 08:52

G-Man Says 'Reinstate Monica'

22,870

answered Jan 26 '12 at 13:27

Sean C.

2,390

The question may not be necessarily Linux-centric. – Karlson Jan 26 '12 at 18:22

score 0 · Answer 4 · answered Jan 26 '12 at 18:22

I would look into using tcpdump on the outbound interface looking at the outbound SYN requests.

If you feel really adventurous you could make utilities like: strace or truss report all connect system calls while tracing the execution of the program but this is a bit more dangerous and has drawbacks when dealing with multithreaded processes.

Logging outgoing connections as they happen

4 Answers4

Linked