How found suspect connection in a netstat output?

TCP Established State

The 'ESTABLISHED' means the TCP connection is established, ie the handshake has been performed on TCP/IP level. This is needed before the ssh process sees any data at all. Theoretically, the connection could be quite long in ESTABLISHED mode without sending any data depending on the timeouts set (on TCP level and/or sshd config). Expect login to occur after it.

iptraf

To look into it more, use 'iptraf' for monitoring the amount of traffic, or see /var/log/auth.log (at least, on a Debian system) for seeing who successfully logged on.

Using lsof

The lsof -i command lists all open files associated with Internet connections. It is similar in format to netstat -a -p.

lsof -i
lsof –i :22
lsof -i @linxsol.com #to check which hosts

To list information about TCP sessions on your server lsof -i tcp@hostname:22

To display all open IPv4 network files in use by the process whose PID is 1234, use:

lsof -i 4 -a -p 1234

lsof will then output all matching connections. The above examples will list connections listening or established on port 22

Using netstat

 netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

 netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

 netstat -ntu | grep -v TIME_WAIT | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

 netstat -an | grep :80 | awk '{print $5}' | cut -f1 -d":" | sort | uniq -c | sort -n

I hope that helps.