Viewing users' system access
Colorful Output
If you want to see something more exciting than the monochrome output of the tools mentioned above, you can use the whowatch [3] tool. The program displays users and their processes graphically, in color, and, more importantly, updates the display in real time.
Figure 1 shows the output of a system with 11 users (7 local, 1 connected via SSH, and 3 others) bustling about. In the illustration, an indented process was started by the less-indented process above it.
So you can see that the user test, connected over SSH, opened a terminal, which runs a Bash shell and is currently working with Midnight Commander (mc). The whowatch command is operated from the keyboard and has a menu you can open by pressing F9. The menu offers features such as displaying the details of a selected process and ending that process if necessary.
Active Connections
Even more than local activities, connections to and from the outside world are interesting. The w and whowatch programs mentioned above already gave you some information about activity over the network. An additional tool to use is ss, which is part of the standard set of tools on any Linux system. The name of the program comes from socket statistics and, in terms of functionality, it is similar to netstat [4]: it inspects the network sockets for TCP, UDP, DCCP, and RAW connections, as well as Unix domain sockets. In addition to the statistical information, it lists the existing connections.
The ss tool offers a variety of options [5]. By using ss -pl | grep 17500, you will see which process opened port 17500. In Listing 7, you can see that this is Dropbox, the file exchange service. Option -p stands for --processes and displays the process names. The -l option stands for --listening and limits the output to listening sockets.
Listing 7
Using ss
$ ss -pl | grep 17500
LISTEN 0 128 *:17500 *:* users:(("dropbox",4957,27))
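The defender's question behind Listing 7 is usually the reverse one: not "who owns port 17500?" but "which listening sockets are there that I did not expect?". The following script is an added example, not code from the article; it parses the column layout shown in Listing 7 (State Recv-Q Send-Q Local:Port Peer:Port users:(...), the layout of older ss versions without a Netid column) from a constructed sample and reports listeners whose port is not on an allowlist. The sample lines and the allowlist are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample of `ss -pl` output in the column layout of Listing 7.
# Not real system output; the sshd/mysqld/python3 lines are invented here.
SAMPLE_SS_PL='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:17500 *:* users:(("dropbox",4957,27))
LISTEN 0 128 *:ssh *:* users:(("sshd",1012,3))
LISTEN 0 50 127.0.0.1:mysql *:* users:(("mysqld",2201,10))
LISTEN 0 128 *:8000 *:* users:(("python3",4711,3))'

# list_listeners: read ss -pl output on stdin, print "port process" per LISTEN line.
# The port is the last colon-separated field of the local address, which also
# works for IPv6 addresses; the process name is the first quoted name in users:(...).
list_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        proc = $6
        sub(/^users:\(\("/, "", proc)
        sub(/".*$/, "", proc)
        print port, proc
    }'
}

# unexpected_listeners PORT...: print listeners whose port (name or number)
# is not among the arguments, i.e. sockets that are not on the allowlist.
unexpected_listeners() {
    allowed=" $* "
    list_listeners | while read -r port proc; do
        case "$allowed" in
            *" $port "*) ;;                                # expected, stay quiet
            *) printf '%s %s\n' "$port" "$proc" ;;         # report the surprise
        esac
    done
}

# Demo on the constructed sample; on a live system pipe `ss -pl` in instead:
#   ss -pl | unexpected_listeners ssh mysql 17500
printf '%s\n' "$SAMPLE_SS_PL" | unexpected_listeners ssh mysql 17500
```

The allowlist compares the port column as ss prints it, so a service ss resolves to a name (ssh, mysql) must be listed by that name, while an unresolved port (17500) is listed numerically; run ss with -n if you prefer to allowlist numbers only. The demo reports the python3 listener on port 8000, the kind of forgotten development server this check is meant to surface.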
You can obtain a list of all of the existing TCP connections by using ss -t (Listing 8). The keyword ESTAB is shown when a connection has been established. The CLOSE-WAIT tag is displayed when the socket is about to close. The other columns show the local and remote IP addresses, and the port or the network protocol. The listing shows very common connections such as IMAP, LDAP, IRC, SSH, HTTP, HTTPS, NFS, and AFS, via IPv4 and IPv6.
Listing 8
Output of ss -t
$ ss -t
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 2001:bf0:c000:a::1:123:36483 2001:748:100:40::8:112:imap2
CLOSE-WAIT 1 0 192.109.42.123:43037 192.109.42.23:ldap
ESTAB 0 0 192.109.42.123:nfs 192.109.42.123:685
ESTAB 0 0 127.0.0.1:60479 127.0.0.1:13157
ESTAB 0 0 192.109.42.123:59940 212.201.69.24:ssh
ESTAB 0 0 192.109.42.123:47664 83.170.73.249:ircd
ESTAB 0 0 192.109.42.123:39582 62.138.109.50:http
ESTAB 0 0 192.109.42.123:54390 198.252.206.25:https
ESTAB 0 0 192.109.42.123:955 192.109.42.119:nfs
ESTAB 0 0 192.109.42.123:34930 82.96.64.4:afs3-fileserver
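Listing 8 is easy to read with a dozen lines but not with a few thousand. The script below is an added example, not code from the article; it takes ss -t output in the layout of Listing 8 (State Recv-Q Send-Q Local Peer, IPv6 addresses printed without brackets) and produces two things a practitioner looks for: a count of established connections per remote service, and the CLOSE-WAIT sockets, which mean the peer has closed but the local application has not. The sample lines reuse addresses from the listing and are a constructed input, not live output.

```shell
#!/bin/sh
# Constructed sample in the column layout of Listing 8 (State Recv-Q Send-Q Local Peer).
# Lines are copied or adapted from the listing; this is not live system output.
SAMPLE_SS_T='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 2001:bf0:c000:a::1:123:36483 2001:748:100:40::8:112:imap2
CLOSE-WAIT 1 0 192.109.42.123:43037 192.109.42.23:ldap
ESTAB 0 0 192.109.42.123:59940 212.201.69.24:ssh
ESTAB 0 0 192.109.42.123:39582 62.138.109.50:http
ESTAB 0 0 192.109.42.123:54390 198.252.206.25:https
ESTAB 0 0 192.109.42.123:44209 23.21.145.72:http'

# peer_service_counts: read ss -t output on stdin and print "count service"
# for each remote port of an ESTAB connection, most frequent first.
# The port is the last colon-separated field, so unbracketed IPv6 peers parse too.
peer_service_counts() {
    awk '$1 == "ESTAB" {
        n = split($5, a, ":")
        svc[a[n]]++
    }
    END { for (s in svc) print svc[s], s }' | sort -k1,1nr -k2,2
}

# close_wait_sockets: print "local peer" for every CLOSE-WAIT socket.
# A Recv-Q above zero on such a socket means data arrived that the
# application never read; many of these usually point at a leaking program.
close_wait_sockets() {
    awk '$1 == "CLOSE-WAIT" { print $4, $5 }'
}

# Demo on the constructed sample; on a live system use `ss -t | peer_service_counts`.
printf '%s\n' "$SAMPLE_SS_T" | peer_service_counts
printf '%s\n' "$SAMPLE_SS_T" | close_wait_sockets
```

Because ss resolves well-known ports to service names by default, the summary groups by name (http, https, ssh); with ss -tn the same functions group by port number, which is the better choice when a baseline is compared across hosts with different /etc/services files.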
You can restrict the output even further by combining individual options with Boolean expressions. The following example lists only the established HTTP connections (Listing 9). You achieve this by combining state established with a filter expression that names the http port as either the source port or the destination port.
Listing 9
Using ss Filters
$ ss -o state established '( dport = :http or sport = :http )'
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 0 192.109.42.123:44209 23.21.145.72:http
0 0 192.109.42.123:41247 80.237.156.34:http
0 0 192.109.42.123:39582 62.138.109.50:http
0 0 192.109.42.123:53678 77.67.27.174:http
Use sport for the source port and dport for the destination port. Again, you must enclose the expression in single quotation marks so that the shell does not evaluate it but passes it on to ss as is.
You can also filter HTTPS connections that come from outside using the dst (for destination) keyword and specifying the https protocol (Listing 10).
Listing 10
Filtering External Connections
$ ss dst :https
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.109.42.123:47140 72.21.194.168:https
ESTAB 0 0 192.109.42.123:54390 198.252.206.25:https
ESTAB 0 0 192.109.42.123:33526 193.149.81.40:https
ESTAB 0 0 192.109.42.123:46534 157.56.192.62:https
ESTAB 0 0 192.109.42.123:47130 72.21.194.168:https