0

Here are the netstat -tnp output captures from my Ubuntu 22.04 workstation. Why are there outbound NetworkManager connections established from time to time? What are they doing?

The IP addresses involved have a domain name of blackcat.canonical.com.

I am quite certain that I have never asked the NetworkManager on my workstation to initiate any outbound communication with blackcat.canonical.com. My firewall definitely blocks all inbound traffic from unknown sources. Is this some kind of statistic-gathering logic implanted in the Ubuntu NetworkManager?

open_ports_20240622_035533.log:tcp        0      1 192.168.0.107:55458     185.125.190.17:80       SYN_SENT    971/NetworkManager  
open_ports_20240622_040033.log:tcp        0     87 192.168.0.107:52642     91.189.91.49:80         ESTABLISHED 971/NetworkManager  
open_ports_20240622_040533.log:tcp        0     87 192.168.0.107:59904     185.125.190.98:80       ESTABLISHED 971/NetworkManager  
open_ports_20240622_130532.log:tcp        0      1 192.168.0.107:51542     185.125.190.97:80       SYN_SENT    971/NetworkManager  
open_ports_20240622_131033.log:tcp        0     87 192.168.0.107:53868     185.125.190.48:80       ESTABLISHED 971/NetworkManager  
open_ports_20240622_224533.log:tcp        0     87 192.168.0.107:58776     185.125.190.48:80       ESTABLISHED 971/NetworkManager 

The following is the bash script that I used to gather netstat output every thirty seconds. You are welcome to modify the "myusername" and try it out.

#!/bin/bash

# Specify the user to write the log files
user="myname"

prev_ips_file="/tmp/prev_ips.txt"
if [ ! -f "$prev_ips_file" ]; then
    touch "$prev_ips_file"
fi

while true; do
    # Create a directory to store log files as the specified user
    log_dir="logs_$(date +'%Y%m%d')"
    sudo -u "$user" mkdir -p "$log_dir"

    # Initialize a counter
    count=0

    # Loop to log netstat output every 30 seconds for 24 hours (2880 samples)
    while [ $count -lt 2880 ]; do
        log_file="$log_dir/open_ports_$(date +'%Y%m%d_%H%M%S').log"

        # Get current list of netstat entries and IP addresses
        # (NR > 2 skips netstat's two header lines)
        current_netstat=$(netstat -tnp)
        current_ips=$(echo "$current_netstat" | awk 'NR > 2 {print $5}' | cut -d: -f1 | sort -u)

        # Save current IPs to a temporary file
        echo "$current_ips" > /tmp/current_ips.txt

        # Compare with previous IP addresses and log only new ones
        comm -13 "$prev_ips_file" /tmp/current_ips.txt > /tmp/new_ips.txt

        if [ -s /tmp/new_ips.txt ]; then
            while IFS= read -r ip; do
                # -F matches the address literally (dots are not regex wildcards)
                echo "$current_netstat" | grep -wF -- "$ip" | sudo -u "$user" tee -a "$log_file" > /dev/null
            done < /tmp/new_ips.txt
        else
            rm -f "$log_file"
        fi

        # Update the previous IPs file
        mv /tmp/current_ips.txt "$prev_ips_file"

        sleep 30
        count=$((count + 1))
    done

    # Optionally, compress the log directory after 24 hours as the specified user
    sudo -u "$user" tar -czf "$log_dir.tar.gz" "$log_dir"
    sudo -u "$user" rm -r "$log_dir"
done

4
  • How do you get notice there are necessary updates to your OS if the communications are blocked?
    – David
    Commented Jun 24 at 15:43
  • @David Shouldn't that be the functions and responsibilities of the Update Manager instead of the Network Manager?
    – IpSmile
    Commented Jun 25 at 16:34
  • How will the Update Manager get to the Ubuntu updates if the network manager will not let it communicate?
    – David
    Commented Jun 25 at 16:37
  • @David The Update Manager defaults to Ubuntu web/FTP sites for software sources for all of the update-related activities. These activities are independent of whether or not the Network Manager needs to communicate with canonical.com. The Network Manager handles network configurations for each communication interface; the entire communication stacks are built into the Linux system already and have nothing to do with canonical.com. Correct configuration is essential for establishing any TCP/UDP connections. Sending messages to canonical.com is not a mandate for any networking activities.
    – IpSmile
    Commented 13 hours ago
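
An added triage example, not part of the original post or its comments: it condenses grep-style capture lines like the ones in the question into one row per owning program and remote endpoint, with the number of sightings, the TCP states seen, and the first and last capture time. The function names `sample_log` and `summarize_conns` are chosen here for illustration; the sample input is the six lines shown in the question.

```shell
#!/bin/bash
# Added example: summarize grep-style netstat captures per owning program and
# remote endpoint (sightings, TCP states seen, first and last capture time).

# The capture lines shown in the question, embedded so this runs offline.
sample_log() {
cat <<'EOF'
open_ports_20240622_035533.log:tcp        0      1 192.168.0.107:55458     185.125.190.17:80       SYN_SENT    971/NetworkManager
open_ports_20240622_040033.log:tcp        0     87 192.168.0.107:52642     91.189.91.49:80         ESTABLISHED 971/NetworkManager
open_ports_20240622_040533.log:tcp        0     87 192.168.0.107:59904     185.125.190.98:80       ESTABLISHED 971/NetworkManager
open_ports_20240622_130532.log:tcp        0      1 192.168.0.107:51542     185.125.190.97:80       SYN_SENT    971/NetworkManager
open_ports_20240622_131033.log:tcp        0     87 192.168.0.107:53868     185.125.190.48:80       ESTABLISHED 971/NetworkManager
open_ports_20240622_224533.log:tcp        0     87 192.168.0.107:58776     185.125.190.48:80       ESTABLISHED 971/NetworkManager
EOF
}

# Reads "<path>open_ports_<date>_<time>.log:<proto> ..." lines on stdin and
# prints: program, remote endpoint, sightings, states, first seen, last seen.
summarize_conns() {
    awk '
    NF >= 7 && $1 ~ /open_ports_.*\.log:/ {
        ts = $1
        sub(/^.*open_ports_/, "", ts)   # drop any directory prefix
        sub(/\.log:.*$/, "", ts)        # leaves YYYYmmdd_HHMMSS
        prog = $7
        sub(/^[0-9]+\//, "", prog)      # "971/NetworkManager" -> "NetworkManager"
        key = prog " " $5
        seen[key]++
        if (index("," states[key] ",", "," $6 ",") == 0)
            states[key] = (states[key] == "" ? $6 : states[key] "," $6)
        if (first[key] == "" || ts < first[key]) first[key] = ts
        if (ts > last[key]) last[key] = ts
    }
    END {
        for (key in seen)
            print key, seen[key], states[key], first[key], last[key]
    }' | sort
}

sample_log | summarize_conns
```

To run it over real captures, feed it the output of `grep -H NetworkManager logs_*/open_ports_*.log` instead of `sample_log`.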
