Whether it is for troubleshooting, for monitoring, or for checking whether the computer is talking to an unknown outside party, you need to understand the computer's real-time network connections: every web page you open, every cloud service, the App Store, and so on. If there are suspicious destinations, find out which program is responsible for them. The following lists some common commands with brief explanations and outlines a simple approach:
Find the network connections currently open and established on the system:
netstat -aW | grep -i -e "ESTABLISHED"
If you only want to see the numeric form, without addresses and ports converted to names, add the -n parameter, as shown in the figure:
netstat -anW | grep -i -e "ESTABLISHED"
To find the port number corresponding to a service name:
grep https /etc/services
You can also consult the IANA registry for the details and the latest updates: Service Name and Transport Protocol Port Number Registry.
After reviewing each connection, you can use the following command to check which program is using a given port. For example, to look up port 4001:
sudo lsof -i:4001
The above command shows the PID of the process. To see everything that process has open, use:
sudo lsof -p <pid>
This command is equivalent to the Inspect function in Activity Monitor.
uptime shows how long the current system has been running. My system shows that it has not been shut down for four days, that five users are logged in at the same time, and the load averages for the past 1/5/15 minutes:
15:20 up 4 days, 6:47, 5 users, load averages: 0.70 0.52 0.45
The users command lists all users currently logged on to the system:
blnestor toliu
Now I know that not only am I logged in, but there is another user, blnestor.
Use the w command to view the currently logged-in users.
For example, mine is:
up 4 days, 4 users, load averages: 0.41 0.38 0.39
USER      TTY      FROM             LOGIN@  IDLE   WHAT
toliu     console  -                Mon08   4days  -
toliu     s001     -                2       /usr/bin/less -is
toliu     s002     -                -       w
toliu     s000     -                36      -bash
blnestor  s003     10.37.16.104     15:17   -      bash
I opened three terminal windows, corresponding to s000, s001, and s002, and one user, blnestor, is connected from the remote machine 10.37.16.104.
The who command gives similar information. To determine the TTY name of the current terminal, run who am i. The last system boot time is shown by who -b.
Use the above to determine which connections the remote user is using:
$ netstat -aW | grep -i -e "ESTABLISHED" | grep "10.37.16.104"
tcp4 0 0 10.37.5.245.ssh 10.37.16.104.58784 ESTABLISHED
It can be seen that it is SSH.
Use kill to stop the connection
First, find the PID of the SSH session, for example (the process on ttys003 is the remote user's login shell, -bash, so ending it ends that session):
$ ps -lt ttys003
UID PID PPID F CPU PRI NI SZ RSS WCHAN S ADDR TTY TIME CMD
502 26922 26921 4006 0 31 0 2433436 1192 - Ss+ 0 ttys003 0:00.01 -bash
So:
sudo kill -9 26922
Done.
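The netstat steps above (list ESTABLISHED connections, then narrow them down to one remote host) can be scripted so the triage is repeatable. The following is an added example, not from the original article: it parses netstat -anW output in the macOS host.port format, counts connections per remote host, and reports what a given remote host reaches locally. The sample output is constructed to resemble the article's, and 203.0.113.10 is a documentation address standing in for an arbitrary internet peer.

```shell
#!/bin/sh
# Added example (not from the article): summarise the ESTABLISHED lines of `netstat -anW`
# output in the macOS format, where each address is written host.port, and answer two
# questions: which remote hosts does this machine talk to, and what does a given remote
# host (here the 10.37.16.104 login) reach locally?
# SAMPLE_NETSTAT is CONSTRUCTED to mimic the article's output; 203.0.113.10 is a documentation address.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.37.5.245.22         10.37.16.104.58784     ESTABLISHED
tcp4       0      0  10.37.5.245.52311      203.0.113.10.443       ESTABLISHED
tcp4       0      0  10.37.5.245.52312      203.0.113.10.443       ESTABLISHED
tcp6       0      0  fe80::1%lo0.49152      fe80::1%lo0.50001      ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
udp4       0      0  *.5353                 *.*'

# established_peers: netstat output on stdin -> one "remote_host remote_port local_port" per
# ESTABLISHED line. The port is whatever follows the LAST dot, so IPv6 and %scope forms survive.
established_peers() {
    awk '$NF == "ESTABLISHED" {
        lp = $4; sub(/.*\./, "", lp)          # local port
        fp = $5; sub(/.*\./, "", fp)          # remote port
        fh = $5; sub(/\.[^.]*$/, "", fh)      # remote host (everything before the last dot)
        print fh, fp, lp
    }'
}

# count_by_remote_host: number of ESTABLISHED connections per remote host, busiest first.
count_by_remote_host() {
    established_peers | awk '{ n[$1]++ } END { for (h in n) print n[h], h }' | sort -rn
}

# connections_from HOST: what the given remote host is connected to on this machine.
connections_from() {
    established_peers | awk -v host="$1" '$1 == host { print "local port " $3 " <- " $1 ":" $2 }'
}

# Demo on the constructed sample. Live use:  netstat -anW | count_by_remote_host
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_remote_host
printf '%s\n' "$SAMPLE_NETSTAT" | connections_from 10.37.16.104
```

With the sample, the remote login shows up as a single connection to local port 22, which is the same conclusion the article reached by hand.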