Finding the process that uses network traffic

mahmood asked:

With nethogs, I am able to see that there is traffic from one node to another.

NetHogs version 0.8.5

    PID USER     PROGRAM                                                DEV        SENT      RECEIVED
      ? root     10.10.10.1:2049-10.10.10.253:873                               12090.597      66.006 KB/sec
  27592 mahmood  ssh                                                    eth0        0.035       0.645 KB/sec
      ? root     10.10.10.1:809-10.10.10.252:15002                                  0.000       0.000 KB/sec
      ? root     10.10.10.1:805-10.10.10.251:15002                                  0.000       0.000 KB/sec
      ? root     10.10.10.1:804-10.10.10.252:15002                                  0.000       0.000 KB/sec
      ? root     172.16.48.70:9618-10.10.10.251:43431                               0.000       0.000 KB/sec
   3193 sge      /opt/gridengine/bin/linux-x64/sge_qmaster              eth0        0.000       0.000 KB/sec
      ? root     unknown TCP                                                        0.000       0.000 KB/sec

But I am not able to figure out which process is causing that traffic. Any idea about that?

Please note that according to the output of nethogs, :2049 on 10.10.10.1 (server) and :873 on 10.10.10.253 (compute-0-1) are communicating.

So, on the server:

root@cluster:~# netstat -anp | grep 2049
tcp        0      0 0.0.0.0:2049                0.0.0.0:*                   LISTEN      -
tcp     1540 3461276 10.10.10.1:2049             10.10.10.253:873            ESTABLISHED -                  
tcp        0      0 10.10.10.1:2049             10.10.10.252:683            ESTABLISHED -
tcp        0      0 10.10.10.1:2049             10.10.10.251:1012           ESTABLISHED -
tcp        0      0 :::2049                     :::*                        LISTEN      -
udp        0      0 0.0.0.0:2049                0.0.0.0:*                               -
udp        0      0 :::2049                     :::*                                    -

And on compute-0-1:

[root@compute-0-1 ~]# netstat -anp | grep 873
tcp        0 3339056 10.10.10.253:873            10.10.10.1:2049             ESTABLISHED -                  

So the process names are not clear.

My answer:


You will never see a process name for a service handled by the kernel itself, such as the NFS server, which is what runs on TCP port 2049 (and UDP 2049, but you usually shouldn’t use UDP for NFS).


View the full question and answer on Server Fault.
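
As an added example (not part of the original answer or of any tool named on the page): a small filter that picks out the sockets `netstat -anp` lists without an owning process and labels the NFS ones by port 2049. It goes one step beyond the answer by also labelling the client end (foreign port 2049), since the Linux NFS client runs in the kernel as well; the function names and the sample sshd line are made up.

```shell
#!/bin/sh
# Added example: list sockets that `netstat -anp` shows without an owning
# process ("-" in the PID/Program column) and annotate the NFS ones.
# Assumption: netstat was run as root; without root, "-" can also mean
# the socket simply belongs to another user.

NFS_PORT=2049   # port the answer identifies as the in-kernel NFS server

# ownerless_sockets: reads `netstat -anp` text on stdin and prints one
# tab-separated line per ownerless socket: proto, local, foreign, verdict.
ownerless_sockets() {
    awk -v nfs="$NFS_PORT" '
        $1 !~ /^(tcp|udp)/ { next }      # skip headers and unix sockets
        $NF != "-"          { next }      # a userspace process owns it
        {
            n = split($4, l, ":"); lport = l[n]   # also handles ":::2049"
            m = split($5, f, ":"); fport = f[m]
            if (lport == nfs)      verdict = "kernel NFS server"
            else if (fport == nfs) verdict = "kernel NFS client"
            else                   verdict = "no owner shown"
            printf "%s\t%s\t%s\t%s\n", $1, $4, $5, verdict
        }'
}

# Constructed sample: lines taken from both hosts in the question, plus
# one made-up sshd line to show that owned sockets are filtered out.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:2049      0.0.0.0:*          LISTEN      -
tcp     1540 3461276 10.10.10.1:2049  10.10.10.253:873   ESTABLISHED -
tcp        0 3339056 10.10.10.253:873 10.10.10.1:2049    ESTABLISHED -
tcp        0      0 10.10.10.1:22     10.10.10.9:50022   ESTABLISHED 1234/sshd
udp        0      0 :::2049           :::*                           -
EOF
}

# Live use (as root):  netstat -anp | ownerless_sockets
sample_netstat | ownerless_sockets
```
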

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.