# Determine application sending traffic on a specific port?

## gerni

How can I solve this problem: some application is sending TCP traffic on a specific port to a specific host, but I don't know which application is sending the traffic. How can I determine the chatty application?

Any help would be appreciated.

Thanks,

Gernot

----------

## Yuu

Hi gerni,

You can list your connections by using:

```
# netstat -tanpu
```

Then you can also pipe it to grep in order to display only the traffic through a specific port, or host, or... whatever:

```
# netstat -tanpu | grep :80
```

Actually, it's the "-p" parameter (cf. man netstat) that helps you find the application which is sending data:

```
-p, --program
       Show the PID and name of the program to which each socket belongs
```

Good luck

----------

## gerni

Thanks for your reply! With netstat I might miss short remaining connections even if I poll very frequently. So this is not exactly what I need. I'll need something like tcpdump but with the additional ability to log the sending process, or something generating an event if sending activity of interest occurs.

Thank you,

Gernot

----------

## pa4wdh

Hi,

Because I also sometimes hit this issue, I decided to write a script. I called it "tcpdump+.sh".

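```
#!/bin/sh
# Print each tcpdump line followed by the PID/program netstat reports for it.
# All arguments are passed through to tcpdump as its filter expression.
tcpdump -n "$@" | \
while read -r LINE
do
 # "tcpdump -n" prints: <time> IP <src>.<port> > <dst>.<port>: ...
 SRC=`echo "$LINE" | cut -d" " -f3`
 DST=`echo "$LINE" | cut -d" " -f5`
 DST=${DST%:}   # strip the trailing colon (POSIX form, works in plain sh)
 printf '%s ' "$LINE"
 # grep reads the "." before the port as "any character", so the pattern
 # also matches the "addr:port" form that netstat prints.
 PID=`netstat -apn | grep "$SRC" | grep "$DST" | awk '{ print $NF }'`
 echo $PID
done
```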

It may not be the cleanest solution and it adds quite some load to the system (you're essentially running 6 processes for every packet you receive), but it works. I suggest using good tcpdump filtering. Any arguments given to the script are passed to tcpdump, so to filter in your case use "./tcpdump+.sh tcp port <the port you know>".

Using this script you might hit some buffering issues, which means that it will show output only if a certain amount of input has been received. Be patient, or generate some traffic yourself.

Hope this helps.

Best regards,

pa4wdh

----------
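
An added example, not code from any poster in this thread: it keeps the tcpdump-plus-netstat correlation from the script above but compares whole address:port columns, so a lookup for port 80 cannot also pick up 8080. The function names and the netstat rows are constructed for illustration, and the column layout assumed is that of `netstat -tanp` for TCP.

```shell
#!/bin/sh
# Added example: exact endpoint matching between a "tcpdump -n" line and
# "netstat -tanp" rows (TCP only). Function names are hypothetical.

# Constructed netstat rows (not from a real host). The last socket is in
# TIME_WAIT, so netstat no longer has an owning process to report.
SAMPLE_NETSTAT='tcp  0 0 192.168.1.20:5151  10.0.0.5:80   ESTABLISHED 4242/curl
tcp  0 0 192.168.1.20:51515 10.0.0.5:8080 ESTABLISHED 977/java
tcp6 0 0 ::1:40000          ::1:80        TIME_WAIT   -'

# field LINE N: Nth space-separated field of a tcpdump line.
field() { printf '%s\n' "$1" | cut -d' ' -f"$2"; }

# to_netstat_form ADDR.PORT[:]: tcpdump joins address and port with ".",
# netstat with ":"; also drops the colon tcpdump appends to the destination.
to_netstat_form() {
  ep=${1%:}
  printf '%s:%s\n' "${ep%.*}" "${ep##*.}"
}

# owner_of LINE: netstat rows on stdin; prints the PID/Program column of the
# row whose local and foreign address equal the packet's endpoints, in
# either direction, or "unknown" when no row matches.
owner_of() {
  src=$(to_netstat_form "$(field "$1" 3)")
  dst=$(to_netstat_form "$(field "$1" 5)")
  awk -v s="$src" -v d="$dst" '
    ($4 == s && $5 == d) || ($4 == d && $5 == s) { print $7; found = 1 }
    END { if (!found) print "unknown" }'
}

# owner_by_grep LINE: the two-grep substring lookup, for comparison only.
owner_by_grep() {
  d=$(field "$1" 5)
  grep "$(field "$1" 3)" | grep "${d%:}" | awk '{ print $NF }'
}

# Live use: ./script --live tcp port 80  (as root; -l line-buffers tcpdump)
if [ "${1:-}" = "--live" ]; then
  shift
  tcpdump -l -n "$@" | while read -r line; do
    printf '%s %s\n' "$line" "$(netstat -tanp 2>/dev/null | owner_of "$line")"
  done
else
  pkt='12:00:00.000001 IP 192.168.1.20.5151 > 10.0.0.5.80: Flags [S], length 0'
  printf 'exact: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | owner_of "$pkt")"
  printf 'grep:  %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | owner_by_grep "$pkt" | tr '\n' ' ')"
fi
```

A `-` or `unknown` result means the socket had no owning process left when netstat ran, which is the short-lived-connection gap raised earlier in the thread.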

