Identify "rogue" internet accessing Applications

If you don't mind having an infinite loop running for some time, you can run netstat continuously and filter the output for the IP address of the computer to which your program is connecting. I suggest using IP addresses instead of domain names because it's much faster, reducing the time each netstat call takes and therefore increasing the chances of actually catching your process. You should run the netstat command as root if you think that the process does not belong to the currently logged-in user. So, first use nslookup to figure out the IP of the domain:

nslookup weather.noaa.gov

For me this gives at the moment: 193.170.140.70 and 193.170.140.80. Now you can put up an infinite loop of netstats. You can filter the output using grep (and discard STDERR).

while true; do netstat -tunp 2>/dev/null | grep -e 193.170.140.70 -e 193.170.140.80; done

Of course, edit the IP addresses in the above example. This example is probing for TCP and UDP (-tu) connections, does not do DNS resolution (-n) and lists the processes (-p). If you think there's enough time to do DNS resolution, simply omit the -n option for netstat and put the domain for grep instead of the IP. You can stop the infinite loop by simply pressing CTRL+C.

Hope this helps, Andreas

PS: I know, this is not the ideal, efficient or clean way to do it, but for a one-time search this should be sufficient.
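A slightly more robust version of the polling loop above, added here as an example and not part of Andreas's reply: it compares the remote host exactly (so the dots in the IP are not treated as regex wildcards by grep), and it records every distinct PID/program seen in a log so a short-lived connection is not lost when it scrolls off the terminal. The netstat output it is checked against is a constructed sample, not a real capture.

```shell
#!/bin/sh
# Added example: poll netstat for connections to a set of IPs and keep a
# de-duplicated log of which process made them.

# Read netstat -tunp output on stdin; print "proto foreign pid/program" for
# each line whose foreign host exactly equals one of the space-separated
# target IPs in $1. Uses $NF for the PID column because UDP lines have no
# State column, so the field count differs between TCP and UDP.
match_connections() {
  awk -v targets="$1" '
    BEGIN { n = split(targets, t, " ") }
    /^(tcp|udp)/ {
      host = $5
      sub(/:[^:]*$/, "", host)          # strip the trailing :port
      for (i = 1; i <= n; i++)
        if (host == t[i]) { print $1, $5, $NF; break }
    }'
}

# Constructed sample of "netstat -tunp" output (hypothetical processes).
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.5:51234       193.170.140.70:80       ESTABLISHED 4242/weather-applet
tcp        0      0 192.168.1.5:51235       93.184.216.34:443       ESTABLISHED 1111/firefox
udp        0      0 192.168.1.5:5353        193.170.140.80:53                   4243/resolver'

# Poll netstat until CTRL+C, appending matches to $2 (default below) and
# collapsing duplicates after every pass. Run as root if the process may
# belong to another user. Sleep briefly so the loop does not hog a CPU.
watch_connections() {
  log=${2:-/tmp/rogue-connections.log}
  : > "$log"
  while true; do
    netstat -tunp 2>/dev/null | match_connections "$1" >> "$log"
    sort -u -o "$log" "$log"
    sleep 0.2
  done
}

# Dry run against the constructed sample (prints two matching lines):
printf '%s\n' "$SAMPLE" | match_connections "193.170.140.70 193.170.140.80"
```

To watch a live system, call `watch_connections "193.170.140.70 193.170.140.80"` and read the log file afterwards.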


You could also "break" the application via /etc/hosts addition of the FQDN that's being connected to. Give it some non-routable IP like 10.1.2.3 (or 127.0.0.1) and see what breaks.