
How to Check Active Connections on a Linux Server

Monitoring active network connections helps you see who is connected to your server. You can identify open sessions, suspicious activity, and which processes own each connection.

Why This Matters

  • Detect unauthorized access
  • Audit active users
  • Investigate high resource usage
  • Track specific IP traffic

Check Active TCP Connections with lsof

The lsof command lists open files. On Linux, network sockets are treated as files. You can filter by protocol, IP address, and connection state.


lsof -i TCP@SERVER_IP -nP | grep ESTABLISHED

Command Breakdown

  • -i TCP@SERVER_IP filters TCP connections on the specified IP address. SERVER_IP is a placeholder; substitute one of your server's addresses.
  • -nP prevents DNS and port name resolution for faster output.
  • grep ESTABLISHED shows only active connections.

This command shows which processes currently have established TCP sessions on that IP.

List Process Details for Each Active Connection

To get more detail, extract the process IDs and display the user and command running each connection.


for pid in $(lsof -ti TCP@SERVER_IP -sTCP:ESTABLISHED); do echo "PID $pid"; ps -p "$pid" -o user,pid,cmd; done

What This Does

  • -t outputs only process IDs.
  • -sTCP:ESTABLISHED filters to active TCP sessions.
  • The loop checks each PID.
  • ps -p $pid -o user,pid,cmd shows the owner and command.

This gives you a clean list of which users and services are tied to active connections.

Check Another IP Address


for pid in $(lsof -ti TCP@OTHER_SERVER_IP -sTCP:ESTABLISHED); do echo "PID $pid"; ps -p "$pid" -o user,pid,cmd; done

Replace the placeholder with any IP address assigned to one of your server's interfaces. This is useful when your server has multiple public IPs.

Alternative Command Using ss


ss -tnp | grep ESTAB

The ss command is faster than netstat and shows active TCP connections with process info.
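
To turn the ss output into records you can log for audits, the following added example (not part of the original article) filters established connections by local IP and prints one tab-separated line per owning process. The function names and the sample data are constructed for illustration; sockets with no visible owner, which is what ss shows when run without root, are reported with "-" rather than dropped.

```sh
#!/bin/sh
# Added example: convert `ss -tnp` output into per-process audit records.
# Output fields (tab-separated): local addr:port, peer addr:port, PID, command.

established_by_ip() {
    # $1 = local IP to keep; stdin = output of `ss -tnp`
    awk -v ip="$1" '
    $1 == "ESTAB" {
        addr = $4
        sub(/:[^:]*$/, "", addr)                 # drop the :port suffix
        if (addr != ip && addr != "[" ip "]") next   # IPv6 is printed in brackets
        procs = ""
        for (i = 6; i <= NF; i++) procs = procs (i > 6 ? " " : "") $i
        n = 0
        # One socket can be shared by several processes: emit a line for each.
        while (match(procs, /"[^"]*",pid=[0-9]+/)) {
            entry = substr(procs, RSTART, RLENGTH)
            procs = substr(procs, RSTART + RLENGTH)
            name = entry; sub(/^"/, "", name); sub(/",pid=.*$/, "", name)
            pid = entry;  sub(/^.*,pid=/, "", pid)
            printf "%s\t%s\t%s\t%s\n", $4, $5, pid, name
            n++
        }
        # No process column: the owner is not visible to the current user.
        if (n == 0) printf "%s\t%s\t-\t-\n", $4, $5
    }'
}

# Constructed sample of `ss -tnp` output (documentation-range addresses).
sample_ss_output() {
cat <<'EOF'
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 203.0.113.10:22 198.51.100.7:51514 users:(("sshd",pid=1234,fd=4),("sshd",pid=1200,fd=4))
ESTAB 0 36 203.0.113.10:443 198.51.100.23:40022
ESTAB 0 0 203.0.113.11:22 198.51.100.7:51600 users:(("sshd",pid=1300,fd=4))
TIME-WAIT 0 0 203.0.113.10:443 198.51.100.9:41000
EOF
}

# Live use: ss -tnp | established_by_ip SERVER_IP
sample_ss_output | established_by_ip 203.0.113.10
```

Lines with "-" in the PID column are worth re-checking as root, since an established connection whose owner you cannot see is exactly what an audit should not skip.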

Best Practices

  • Run checks during unusual traffic spikes.
  • Log output for audits.
  • Combine with firewall logs for deeper analysis.
  • Restrict SSH access to trusted IPs.

Summary

Use lsof to filter active TCP sessions by IP. Extract PIDs to see which user and command owns each connection. Monitor regularly to keep your server secure.

