Monitor current network traffic on Debian
We can also use the SSH terminal to display the number of network connections per remote IP address. The following loop counts the established connections once a second and prints the result:
while true; do netstat -ant | grep -E ':.*ESTABLISHED' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c; sleep 1; done
Of course, this can also be restricted further, e.g. to ports 80 and 443, to display only HTTP and HTTPS traffic:
while true; do netstat -ant | grep -E '(:80|:443) .*:.*ESTABLISHED' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c; sleep 1; done
Netstat can only display TCP and UDP traffic. ICMP traffic is not displayed by netstat.
To log all the fun and exclude IPs, we can use:
while true; do netstat -ant | grep -E ':.*ESTABLISHED' | grep -v -F -e '127.0.0.1' -e '127.0.0.2' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c >> /root/ip.log; sleep 1; done
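The pipelines above cut the peer address at the first colon, so an IPv6 peer such as 2001:db8::beef is counted as "2001" and an IPv4-mapped peer (::ffff:a.b.c.d) as an empty string. The following is an added example, not part of the original page: a function that does the same per-peer count but strips only the trailing port, filters on the local port and excludes peers by exact match. The names sample_netstat, count_peers and EXCLUDE_IPS are assumptions, and the netstat output is constructed.

```bash
#!/bin/sh
# Constructed sample of `netstat -ant` output (documentation address ranges).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:443          198.51.100.7:51514      ESTABLISHED
tcp        0      0 192.0.2.10:443          198.51.100.7:51515      ESTABLISHED
tcp        0      0 192.0.2.10:443          198.51.100.7:51516      TIME_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.9:40100       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:40200       ESTABLISHED
tcp        0      0 127.0.0.1:5432          127.0.0.1:38822         ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::beef:40022    ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:443   ::ffff:198.51.100.7:51600 ESTABLISHED
EOF
}

# count_peers [LOCAL_PORT ...]
# Reads `netstat -ant` output on stdin, prints "COUNT PEER" per remote address
# for ESTABLISHED connections, busiest peer first. EXCLUDE_IPS (hypothetical
# variable name) lists peers to skip, as exact matches.
count_peers() {
    awk -v ports="$*" -v excl="${EXCLUDE_IPS-127.0.0.1 127.0.0.2}" '
        BEGIN {
            np = split(ports, p, " "); for (i = 1; i <= np; i++) want[p[i]] = 1
            ne = split(excl, e, " ");  for (i = 1; i <= ne; i++) skip[e[i]] = 1
        }
        $6 != "ESTABLISHED" { next }        # State column must match exactly
        {
            lport = $4; sub(/.*:/, "", lport)   # local port: text after last colon
            if (np > 0 && !(lport in want)) next
            peer = $5
            sub(/:[^:]*$/, "", peer)            # strip only the trailing :port
            sub(/^::ffff:/, "", peer)           # IPv4-mapped IPv6 -> plain IPv4
            if (peer in skip) next
            count[peer]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Demo on the constructed sample; on a live host: netstat -ant | count_peers 80 443
sample_netstat | count_peers 80 443
```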
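To monitor the HTTP traffic live, you can use tcpdump, for example. The -A option prints each packet's payload as ASCII; traffic to port 443 is TLS-encrypted, so its payload will not be readable:
sudo tcpdump -i eth0 -s 0 -A '(tcp dst port 80 or tcp dst port 443) and not host 1.1.1.1'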