I need to check the files that are being downloaded by my system in the background

I noticed in a system application that the download speed is sometimes high even when the application is not running. I suspect this may be some malware at work, and so I would like to check which IP address each service is contacting, so that I can make sure my system is secure.

The built-in applications don't seem to work. By the way, give me this information.

asked 20 June 2020 at 15:34

1 answer

You can use a command-line program named tcpdump, as @FedonKadifeli mentioned, but that has a learning curve and it's very difficult to analyze the data with it on the fly because there is so much of it.

But you can use the graphical alternative (this is one of the few areas where I prefer graphical apps over the CLI) named Wireshark.

But that doesn't show you which program is exhausting your bandwidth. In order to find that out, you can use netstat:

netstat -np

That will not only show you all the network connections in your system, but all the associated processes are listed alongside their PIDs.

Then go to Wireshark and set a filter to monitor a specific Foreign IP address or a specific port in your system.

For instance, one of the entries in the Active Internet connections (w/o servers) section of the output of netstat on my system is this:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0     ESTABLISHED 3029/firefox

You can see that a firefox process with the PID 3029 has made a connection (ESTABLISHED) to the address from local port 51116 to remote port 9002, and of course the protocol is TCP.

Now you can go to Wireshark and start listening on your Wi-Fi interface (possibly something like wlanX or wlpXYZ):

[screenshot]

and then add a filter, and then you're able to see the packets sent to or received from that address:

[screenshot]

But note that you aren't able to see the files or contents that are being downloaded or uploaded here if the packets are encrypted.

And note that after installing Wireshark, you have to add your user to the wireshark group (via sudo addgroup your_user wireshark) and then log out and log back in to be able to capture packets without root access. Also, when you install it via apt, the postinst scripts should ask you this:

[screenshot]

You should select Yes.

If you don't do this, then you have to open Wireshark as root to be able to capture packets, because Wireshark uses libpcap to capture packets and libpcap itself makes use of the Netlink communication platform to be able to receive the contents of a packet from the corresponding kernel infrastructure. And the Netlink protocol requires constructing RAW sockets, which needs root access in Unix systems.

And running a graphical program like Wireshark, which has almost 1.5 million lines of code, as root is dangerous, so it's good practice to run it as a regular user.

Hope it helps.

answered 30 July 2020 at 22:23
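The answer above pairs netstat (which process owns which connection) with a Wireshark filter (what that connection carries). The script below is an added example, not code from the original answer: it parses the classic net-tools `netstat -np` layout, groups connections by PID/program, flags sockets netstat could not attribute to a process (shown as `-`, which is what you get for another user's processes unless you rerun as root), and generates a Wireshark display filter for every remote endpoint of a chosen PID. The sample output is constructed with documentation-range addresses; the function names are mine.

```python
"""Group `netstat -np` connections by process and build a Wireshark display filter.

Added example; not part of the original answer. Assumes the classic net-tools
`netstat -np` column layout. The sample output is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample of `netstat -np` output; addresses are from documentation ranges.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:51116        198.51.100.7:9002       ESTABLISHED 3029/firefox
tcp        0      0 192.0.2.10:44210        203.0.113.5:443         ESTABLISHED 3029/firefox
tcp        0      0 192.0.2.10:36012        203.0.113.99:8080       ESTABLISHED -
udp        0      0 192.0.2.10:68           203.0.113.1:67                      812/dhclient
"""

# One connection line of net-tools netstat. State is optional (UDP sockets
# usually have none); PID/Program is "-" when the owner is not visible to us.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+|\*)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>\d+|-)(?:/(?P<prog>\S+))?\s*$"
)


def parse_netstat(text):
    """Return one dict per connection line; header and unrelated lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.append(m.groupdict())
    return conns


def by_process(conns):
    """Group connections under a 'PID/program' key ('-' for unattributed ones)."""
    grouped = defaultdict(list)
    for c in conns:
        key = f"{c['pid']}/{c['prog']}" if c["prog"] else c["pid"]
        grouped[key].append(c)
    return dict(grouped)


def unattributed(conns):
    """Connections netstat could not tie to a PID. They belong to another user's
    process (or the kernel), so the listing must be repeated as root to see them;
    a bandwidth hog hiding here is exactly what the question is worried about."""
    return [c for c in conns if c["pid"] == "-"]


def wireshark_filter(conns, pid):
    """Build a Wireshark display filter matching every remote endpoint of one PID."""
    terms = []
    for c in conns:
        if c["pid"] != pid:
            continue
        layer = "udp" if c["proto"].startswith("udp") else "tcp"
        terms.append(f"(ip.addr == {c['faddr']} && {layer}.port == {c['fport']})")
    return " || ".join(terms)


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for key, items in sorted(by_process(conns).items()):
        print(key)
        for c in items:
            print(f"  {c['proto']} {c['laddr']}:{c['lport']} -> {c['faddr']}:{c['fport']}")
    print("Wireshark filter for PID 3029:", wireshark_filter(conns, "3029"))
    if unattributed(conns):
        print("Unattributed sockets present: rerun netstat as root to see their owners.")
```

To use it on a live system, replace SAMPLE_NETSTAT with the captured output of `sudo netstat -np` (root so that no socket shows up as `-`), then paste the generated expression into Wireshark's display filter bar; the filter matches both directions of each connection, so upload and download traffic of that process appear together.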
