Determine originating process for outbound traffic

The netstat command can only tell you which connections are currently open, but not how much traffic each has sent and received. To find out which connections are transferring most of the data, you would need to use other tools which could for example be iftop or tcpdump.

What you do next depends a lot on the lifetime of each connection and which end established the connection. If your end is the server, then you should be able to identify the listening socket belonging to the server process.

If it is indeed an httpd process (as you seem to imply in your question), then your web server access log is the place to look. One caveat to keep in mind is that each request is only logged once the transfer for that request has completed. This can make a significant difference if you are serving files that are many MB in size.

If your end happens to be the client, then you won't see listening sockets, but in case the connections are long-lived, you can find the connections and the corresponding process using netstat, once you have confirmed which connection is consuming bandwidth.

Should the investigation described above lead you to find that most traffic happens on short-lived connections established from your end, then netstat isn't sufficient to identify which process is responsible. That particular scenario has been covered in an older question.


You can try to use lsof to check which processes are using the network connections.

List all network connections: lsof -i

List all the TCP or UDP connections: lsof -i tcp; lsof -i udp;

Processes listening on a particular port: lsof -i :80

List network files which are being used by a process: lsof -i -a -p 234

List the network files opened by the processes starting with ssh: lsof -i -a -c ssh


nethogs reports bandwidth used per process, updated once per second.


netstat -nlpt (must run as sudo or root) will return the pid/name of the process responsible for a connection. Since you know the IP you should be able to simply do

sudo netstat -nlpt | grep xx.xx.xx.xx

and see which process it is. My skill is more in Windows so my syntax could be a bit off. I looked up the switches for Linux and found this as #5 here.
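Added example, not part of the answer above or of any tool named on this page: the same lookup by remote IP done directly against /proc/net/tcp, matching each socket's inode to the process file descriptors that hold it. The function names and the sample table are constructed for illustration; address decoding assumes a little-endian host (x86, most ARM), and only IPv4 TCP is covered.

```python
import os, socket, struct, sys

# Constructed sample in /proc/net/tcp format: a listener on port 80 and one
# outbound connection to 192.0.2.10:443 (documentation address range).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:D431 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 20 4 30 10 -1
"""

STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT", "0A": "LISTEN"}

def decode_addr(field):
    # "0A0200C0:01BB" -> ("192.0.2.10", 443); the IP is a native-endian u32 in hex.
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    conns = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        conns.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                      "state": STATES.get(f[3], f[3]), "uid": int(f[7]), "inode": f[9]})
    return conns

def socket_inode_owners(proc="/proc"):
    # Map socket inode -> PIDs by reading the fd symlinks ("socket:[inode]").
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            for fd in os.listdir(os.path.join(proc, pid, "fd")):
                target = os.readlink(os.path.join(proc, pid, "fd", fd))
                if target.startswith("socket:["):
                    owners.setdefault(target[8:-1], set()).add(int(pid))
        except OSError:
            continue                            # process exited, or not readable without root
    return owners

def connections_to(remote_ip, tcp_text, owners):
    return [(c["local"], c["remote"], c["state"], sorted(owners.get(c["inode"], ())))
            for c in parse_proc_net_tcp(tcp_text) if c["remote"][0] == remote_ip]

if __name__ == "__main__":                      # usage: sudo python3 script.py <remote-ip>
    remote = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    live = os.path.exists("/proc/net/tcp")
    text = open("/proc/net/tcp").read() if live else SAMPLE
    for hit in connections_to(remote, text, socket_inode_owners() if live else {}):
        print(hit)
```

Like netstat, this only sees sockets that exist at the moment of the scan, so a connection that opens and closes between scans is missed.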


This was an interesting question, and it looks like the kernel does not store counters for per-process network throughput utilization by default, but a kernel module netatop[1] adds this capability, which then makes it available for logging and reporting using atop[2].


[1]: See http://www.atoptool.nl/netatop.php
[2]: See http://www.atoptool.nl/