How to tell what interface a TCP connection will go out on?

Solution 1:

For me I can see what interface I have right there using the netstat -rn or route -n

cyrex@cyrex:~$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.48.0.1      0.0.0.0         UG        0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
192.48.0.0      0.0.0.0         255.255.224.0   U         0 0          0 eth0

Or netstat -r

cyrex@cyrex:~$ netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192-48-0-1.dyn. 0.0.0.0         UG        0 0          0 eth0
link-local      *               255.255.0.0     U         0 0          0 eth0
192.48.0.0      *               255.255.224.0   U         0 0          0 eth0

In both cases I can see the name of the interface at the end, in this case it is eth0

The information given by this commands is as followed (Source found here):

Destination - The destination network or destination host.

Gateway - The gateway address or * if none set.

Genmask - The netmask for the destination net.

 255.255.255.255 for the host destination.
 0.0.0.0 for the default route.  

Flags - Possible flags include:

 U (route is up)  
 H (target is a host)  
 G (using gateway)  
 R (reinstate route for dynamic routing)  
 D (dynamically installed by daemon or redirect)  
 M (modified from routing daemon or redirect)  
 A (installed by addrconf)  
 C (cache entry)  
 ! (reject route)  

MSS - Default maximum segment size for TCP connections over this route.

Window - Default window size for TCP connections over this route.

irtt - Initial RTT (Round Trip Time). The kernel uses this to guess about the best TCP protocol parameters without waiting on (possibly slow) answers.

Iface - Interface to which packets for this route will be sent.

Other fields can be:

Metric - The distance to the target (usually counted in hops). It is not used by recent kernels, but may be needed by routing daemons.

Ref - Number of references to this route. (Not used in the Linux kernel.)

Use - Count of lookups for the route. Depending on the use of -F and -C this will be either route cache misses (-F) or hits (-C).

HH (cached only) - The number of ARP entries and cached routes that refer to the hardware header cache for the cached route. This will be -1 if a hardware address is not needed for the interface of the cached route (e.g. lo).

Arp (cached only) - Whether or not the hardware address for the cached route is up to date.

Now to the question at hand. The easiest way I can remember right now (As always, there are several ways of doing the same thing) is by using iptraf. Just install it:

sudo apt-get install iptraf

and run it with root priveleges: sudo iptraf

In the menu of iptraf select IP Traffic Monitor and then choose All Interfaces. That should show you all TCP connections and to which interface they are related to. It is terminal based which is good for monitoring purposes.

Solution 2:

You can query the kernel routing tables using the ip command. Its route get subcommand will tell you exactly how the kernel will route a packet to a destination address:

 $ ip route get to 10.0.2.2
 10.0.2.2 dev eth0  src 10.0.2.15

whereas

$ ip route get to 192.168.3.5
192.168.3.5 via 10.0.2.2 dev eth0  src 10.0.2.15

and

$ ip route get to 127.0.1.1
local 127.0.1.1 dev lo  src 127.0.0.1