iptraf shows many connections not displayed in netstat
Hello,
Recently I fired up iptraf-ng on a Debian 11 machine. I've not used this utility before, however I am familiar with tcpdump.
To my surprise, there were tons of connection data shown from iptraf. At first I was concerned, but netstat shows none of this. It looks like the usual garbage noise you get from a cable modem connection: port scans, attempted connections to RDP port 3389, etc.
I have my systems locked down with iptables -- generally everything is set to DROP unless I need it. I have a suspicion that iptraf can see traffic that is ultimately dropped by netfilter/iptables, and this is why it's not in netstat but appears in iptraf. I've searched for a while now and cannot find any confirmation about this from someone who would know.
Rather than just go with my suspicion or hunch, does anyone know for a fact and/or from experience -- if traffic is ultimately blocked by a firewall and/or iptables, will these connection attempts still be shown by iptraf? I imagine if it is hooked directly to the ethernet interface and not the kernel that it would be able to see such traffic.
I would like to get some opinions and/or knowledge from the community from anyone who would know. Thanks for any insight or help.
For anyone to provide a useful answer we would need to know the iptraf and netstat commands you are using in order to compare what they will show.
In general, netstat is going to show listening applications and established connections (depending on command options) whereas iptraf may show all packets traversing the interface (again depending on command options).
If you are behind a router, which presumably you are, you should not see incoming probes unless you have some ports forwarded - but again, that depends on your configuration.
With netstat I usually use "netstat -atulpn | grep EST" to see established connections and "netstat -atulpn | grep LIST" to see listening ports.
With iptraf-ng, I was using "IP Traffic Monitor -- All Interfaces".
As far as direction is concerned, I need to read up on iptraf in particular to discern the meaning of > vs = in the one column; I presume this specifies direction.
This PC in particular is the router -- the cable modem connects directly to the network interface, which is the reason for my aggressive and limiting iptables policy. It is also the reason why I suspect this traffic is visible to iptraf. I am pretty confident all this noise I am seeing is ultimately blocked, because I have no services even running on, for example, port 3389, and I've checked and that port does not respond; however, I would like to understand iptraf's reach and whether it is able to see blocked traffic, and know this is the case rather than just have convinced myself.
If your PC connects directly to the modem then iptraf can see everything that arrives at the interface, meaning you will see all the probes and mal-packets that pass by.
Your netstat command will show only listeners and established connections. In a simplistic way, the difference between the iptraf output and netstat will be the dropped packets.
You should be able to look at your iptables rules counters to get a sense of what is actually being dropped (or write DROP rules just to get a count).
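One way to read the rule counters the reply above points to, as an added example that is not from this thread: a Python script that parses the output of "iptables -nvL INPUT -x" and totals the packets hitting explicit DROP rules and the chain's DROP policy. A constructed sample of that output is embedded so it runs offline; the eth0 rules, ports and counts in it are assumptions, and the live run requires root.

```python
"""Summarise what the INPUT chain is dropping, from `iptables -nvL INPUT -x` output."""
import re
import shutil
import subprocess

# Constructed sample output (not captured from the thread's machine).
SAMPLE = """\
Chain INPUT (policy DROP 48213 packets, 2911337 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  918232  812334112 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 4421981 5102334980 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1532      91920 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3389
    5120     307200 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23
"""

POLICY_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")

def parse_chain(text):
    """Return (policy, rules). Each rule is a dict of the -v columns; 'match' is the
    trailing match text (e.g. 'tcp dpt:3389'), empty when the rule has none."""
    lines = text.splitlines()
    m = POLICY_RE.match(lines[0])
    policy = {"chain": m.group(1), "target": m.group(2),
              "pkts": int(m.group(3)), "bytes": int(m.group(4))}
    rules = []
    for line in lines[2:]:                       # skip the header row
        parts = line.split(None, 9)              # pkts bytes target prot opt in out src dst [match]
        if len(parts) < 9:
            continue
        rules.append({"pkts": int(parts[0]), "bytes": int(parts[1]), "target": parts[2],
                      "proto": parts[3], "in": parts[5], "src": parts[7], "dst": parts[8],
                      "match": parts[9].strip() if len(parts) > 9 else ""})
    return policy, rules

def drop_summary(text):
    """Packets per explicit DROP rule (keyed by match text) plus the policy DROP count.
    These are the packets iptraf shows on the wire but netstat never sees as sockets."""
    policy, rules = parse_chain(text)
    dropped = {r["match"] or "(unconditional)": r["pkts"] for r in rules if r["target"] == "DROP"}
    if policy["target"] == "DROP":
        dropped["policy DROP"] = policy["pkts"]
    return dropped

def live_summary():
    """Run the real command (needs root and iptables on PATH), else fall back to SAMPLE."""
    if shutil.which("iptables"):
        out = subprocess.run(["iptables", "-nvL", "INPUT", "-x"], capture_output=True, text=True)
        if out.returncode == 0:
            return drop_summary(out.stdout)
    return drop_summary(SAMPLE)

if __name__ == "__main__":
    for rule, pkts in live_summary().items():
        print(f"{pkts:>10}  {rule}")
```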