Linux Live Forensics (Part 3): Investigating Network Activity
- DFIRHive

- Oct 15

In Part 2, we explored what was happening inside the system — inspecting processes, identifying hidden activity, and connecting them to user behavior.
Now, we’ll follow the trail outward. This part focuses on network activity and persistence — uncovering how processes communicate over the network and how attackers ensure they stay on the system even after a reboot.
We’ll look at:
- Active network connections and listeners
- Suspicious outbound communications
- Persistence mechanisms like cron jobs and systemd services
And as always, we’ll do it all using only native Linux commands — no external tools needed.
Investigating Network Activity – Following the Connections
Identifying suspicious communications and tracing live network behavior
Why this matters
When a process looks suspicious, our next question is always the same: is it communicating with something it shouldn’t?
Network activity gives us that answer. It exposes backdoors, data exfiltration paths, and connections to remote command servers.
a. Listing Network Connections and Listening Ports
Commands:
netstat -tulnp
It displays network connections, routing tables, interface statistics, masquerade connections, and multicast memberships, which are useful for getting a snapshot of the current network status.
OR,
ss
Similar to netstat, but faster and more detailed. It dumps socket statistics and shows active connections and listening ports.
| Command | Output Focus | Usage Notes |
|---|---|---|
| netstat | General active network connections | Detailed but less organized, slower |
| netstat -tulnp | Listening TCP/UDP ports with PIDs | More detailed with process info, slower |
| ss | Similar to netstat but more concise | Faster and more efficient than netstat |
| ss -tulnp | Listening TCP/UDP sockets with PIDs | Fast, detailed with process info, preferred for modern use |
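As an added example (not part of the original post), a small POSIX shell helper that reads saved ss -tulnp output, keeps only the listeners reachable from other hosts (bound to 0.0.0.0, [::] or *), and flags any that are not on an analyst-supplied allowlist of expected proto/port pairs. The sample ss output and the allowlist are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Triage ss -tulnp output:
# print listeners reachable from other hosts (bound to 0.0.0.0, [::] or *),
# then flag those not on an analyst-supplied allowlist.

# Constructed sample of "ss -tulnp" output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=611,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      10     0.0.0.0:4444        0.0.0.0:*         users:(("nc",pid=2043,fd=3))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      511    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=700,fd=7))'

# Reads ss -tulnp output on stdin; prints "proto port process pid" for
# sockets bound to a wildcard address (i.e. reachable from off-host).
external_listeners() {
  awk 'NR > 1 {
    addr = $5; port = $5
    sub(/.*:/, "", port)          # text after the last colon is the port
    sub(/:[^:]*$/, "", addr)      # everything before it is the address
    if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
      proc = $7; pid = $7
      sub(/.*\(\("/, "", proc); sub(/".*/, "", proc)   # users:(("name",...
      sub(/.*pid=/, "", pid);    sub(/,.*/, "", pid)   # ...pid=NNN,...
      print $1, port, proc, pid
    }
  }'
}

# $1 = space-separated allowlist of "proto/port" pairs the host is expected
# to expose; every other external listener is printed with an UNEXPECTED tag.
unexpected_listeners() {
  external_listeners | while read -r proto port proc pid; do
    case " $1 " in
      *" $proto/$port "*) ;;
      *) echo "UNEXPECTED $proto $port $proc $pid" ;;
    esac
  done
}

# Stand-alone demo: the netcat listener on 4444 is the only unexpected one.
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "tcp/22 udp/53"
```

On a live host, feed it with ss -tulnp | unexpected_listeners "tcp/22 ..." and keep the allowlist short so that every exposed port is one you can explain.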
b. Display Network Interfaces and Configuration
Commands:
ifconfig
Configures network interfaces. While largely replaced by ip commands on modern systems, it is still useful for displaying information about network interfaces.
OR,
ip
A more powerful and versatile replacement for ifconfig. It can be used to configure interfaces, routing, and tunnels.
| Command | Output Details | Usage Notes |
|---|---|---|
| ip | Can show interfaces, addresses, routes, links, neighbors, and more | Base command with many subcommands; part of iproute2 |
| ip a | Lists all interfaces with their IPv4/IPv6 addresses, MAC, and status | Commonly used to quickly view IP addresses and device info |
| ifconfig | Shows active interfaces with IP and MAC addresses | Limited IPv6 support, deprecated in favor of ip tools |
(Unexpected interfaces like tun0 or veth0 might indicate VPN tunnels or container links)
c. View Routing Table
Commands:
route
Displays or modifies the IP routing table. It helps us understand how packets are routed through the network.
OR,
ip r
(Unusual routes or gateways can suggest traffic redirection to an attacker-controlled host.)
d. Inspect ARP Cache (Local Network Mapping)
Command:
arp
Displays and modifies the system's ARP (Address Resolution Protocol) table. It's useful for associating IP addresses with MAC addresses.
| Command | Description |
|---|---|
| arp | Displays ARP table, resolves IPs to hostnames if possible |
| arp -n | Displays ARP table, does NOT resolve hostnames |
(Strange MAC addresses or unknown IPs may reveal rogue hosts or lateral movement.)
e. Identify Processes Using Network Connections
Command:
lsof
Lists open files, including network connections. It's useful for seeing which processes are connected to the network and what ports they're using.
| Command | Purpose | Output Shows |
|---|---|---|
| lsof | Lists all open files on the system | All open files (including regular files, directories, devices, sockets) for all processes |
| lsof -i | Lists all open files related to network connections | Only network files (internet sockets: TCP, UDP, etc.), showing which processes are using network ports and sockets |
f. Capture Live Network Traffic
Commands:
tcpdump -nn -i eth0
tcpdump -nn -i eth0 -w capture.pcap
Captures packets in real time. Use short captures (10–30 seconds) to avoid system load. Saving them as .pcap files lets us analyze later with Wireshark.
| Command | Purpose | Output Format |
|---|---|---|
| tcpdump | Captures and displays packets. By default, resolves hostnames and port numbers and listens on the lowest-numbered "up" interface. | Human-readable, host/port names shown |
| tcpdump -nn -i eth0 | -nn: Don’t resolve hostnames or port numbers; display numeric IPs and ports. -i eth0: Listen on interface eth0 specifically. | Numeric output of IPs and ports, live display |
| tcpdump -nn -i eth0 -w capture.pcap | Same as above, plus -w capture.pcap: Write raw packet data to capture.pcap for later analysis (e.g., in Wireshark); nothing is displayed on the terminal. | Binary capture file; no live terminal display |
g. Monitor Bandwidth Usage
Command:
iftop
Provides a real-time display of bandwidth usage on an interface. This is handy for seeing which connections are using the most bandwidth.
h. Check Firewall Rules
Command:
iptables -L -n -v
It displays, sets up, and maintains IP packet filter rules, helps manage firewall rules, and monitors network traffic.
-L : List all rules in the selected chain (or all chains if none specified)
-n : Numeric output of addresses and ports (no DNS or service name resolution, faster output)
-v : Verbose output, shows extra information like packet and byte counters, interfaces, etc.
(Look for rules that open unusual ports or allow inbound traffic from unknown IPs.)
i. Test Connectivity and DNS Resolution
Commands:
ping <host>
Tests connectivity to other network devices by sending ICMP echo request packets. It's useful for checking whether a host is reachable.
OR,
traceroute <host>
Traces the path packets take to reach a destination. It helps identify where network delays or issues might be occurring.
OR,
dig <domain>
Queries DNS servers for information about domain names.
OR,
nslookup <domain>
Queries DNS servers to obtain domain name or IP address mappings.
OR,
whois <domain>
Queries the WHOIS database for domain registration information. It's useful for gathering information about domain owners.
(These commands will help confirm whether suspicious IPs belong to legitimate services or malicious infrastructure.)
j. Scan for Open Ports (Optional)
Command:
nmap -sS 127.0.0.1
nmap -sV localhost
It scans networks to discover hosts and services. This is useful for identifying devices on the network and what ports they're using.
⚠️ Run cautiously — scans can be intrusive and may trigger alerts.
k. Testing Connectivity and File Transfers
wget
wget is a non-interactive network downloader primarily used to download files from the web.
Example command to download a file:
Seeing these commands in user history or scripts suggests files were downloaded, for legitimate or malicious purposes. Common download locations include /tmp, /var/tmp, and user home directories.
We should also check these paths for suspicious files or payloads. Also, the hidden .wget-hsts file in home directories can provide information about hosts accessed via wget.
curl
curl transfers data using various network protocols including HTTP, HTTPS, FTP, and more.
Example command to download a file:
curl -O http://example.com/file.sh
This is a versatile tool often abused to download payloads or upload stolen data. It can be used in scripts or manually. Command logs and network analysis can reveal URLs accessed, and we should investigate temporary locations and related network activity to track possible malicious transfers.
netcat (nc)
netcat is a simple utility to create TCP or UDP connections, often called the "Swiss Army knife" of networking.
Example commands:
To listen on a port (waiting for incoming connections):
nc -lvp 4444
To connect to a remote host on a specific port:
nc <IP> 4444
To open a reverse shell (forward input/output to a shell):
nc -lvp 4444 -e /bin/bash
netcat is frequently used in attacks for setting up backdoors and obtaining remote shells. Detecting its usage in history or running processes is important. One should check for listener processes, open ports, and suspicious files in /tmp, /var/tmp, and /dev/shm. Network logs and memory dumps may contain traces of its activity.
Recording the Findings
Commands:
mkdir network_logs
ss -tulnp > network_logs/sockets.txt
lsof -i > network_logs/connections.txt
ip a > network_logs/interfaces.txt
ip r > network_logs/routes.txt
arp -n > network_logs/arp_cache.txt
Documenting live output helps to compare states later or build a final incident report.
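As an added example (not the post's own script), a POSIX shell version of the recording step above that writes each command's output into a case directory together with a manifest line carrying a UTC timestamp, the command's exit status and the file's SHA-256, plus a function that re-verifies the manifest later. Tools missing on the host are recorded as MISSING rather than silently skipped; sha256sum (or shasum as a fallback) is assumed to be available.

```shell
#!/bin/sh
# Added example, not the original post's commands. Record the live network
# snapshot with a manifest (timestamp, exit status, SHA-256 per file) so the
# captured output can be shown unchanged when the report is written.

sha256_of() {  # portable SHA-256 of a file; assumes sha256sum or shasum exists
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# $1 = case dir, $2 = artefact name, $3 = command line.
# Writes $1/$2.txt and prints one manifest line on stdout.
record_command() {
  out="$1/$2.txt"
  tool=${3%% *}                                # first word of the command
  stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  if ! command -v "$tool" >/dev/null 2>&1; then
    printf '%s %s MISSING %s\n' "$stamp" "$2" "$tool"
    return 0
  fi
  status=0
  sh -c "$3" > "$out" 2>&1 || status=$?      # stderr is evidence too
  printf '%s %s exit=%s sha256=%s\n' "$stamp" "$2" "$status" "$(sha256_of "$out")"
}

# Runs the post's Recording the Findings commands into $1 and builds the manifest.
collect_network_evidence() {
  mkdir -p "$1"
  : > "$1/manifest.txt"
  for entry in 'sockets|ss -tulnp' 'connections|lsof -i' 'interfaces|ip a' \
               'routes|ip r' 'arp_cache|arp -n'; do
    record_command "$1" "${entry%%|*}" "${entry#*|}" >> "$1/manifest.txt"
  done
}

# Re-hashes every recorded file; returns 1 and names any file that changed.
verify_manifest() {
  rc=0
  while read -r stamp name rest; do
    case "$rest" in exit=*) ;; *) continue ;; esac   # skip MISSING entries
    [ "${rest##*sha256=}" = "$(sha256_of "$1/$name.txt")" ] || { echo "MISMATCH $name"; rc=1; }
  done < "$1/manifest.txt"
  return $rc
}

# Usage on the live host:  collect_network_evidence network_logs
# Later, before reporting: verify_manifest network_logs
```

Run the collection as root so that ss and lsof can attribute sockets to processes, and copy the whole directory (manifest included) off the host as soon as it is written.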
Thank You for reading! In the next part, we’ll move into persistence checks — figuring out what configurations or scheduled tasks might let malicious activity return after reboot.