Flags, examples, and output format reference.
| Flag | Argument | Description |
|---|---|---|
| -c | | Force-enable ANSI color output. Auto-detected when stdout is a tty; NO_COLOR=1 disables it. |
| -t | | Show elapsed duration when a connection closes. Appends timing to the close (×) line. |
| -U | | Show TCP state update events: ESTABLISHED, FIN_WAIT, TIME_WAIT transitions. Shown with a โ marker. |
| -u | | Print owning user of each connection as <username>. Root in red, other users in green. |
| -r | | Perform reverse DNS lookup on remote addresses. Replaces raw IPs with hostnames where available. |
| -Q | | Suppress error messages (e.g. inode lookup failures). Useful for long-running background monitoring. |
| -4 | | Show IPv4 connections only. Mutually exclusive with -6. |
| -6 | | Show IPv6 connections only. Mutually exclusive with -4. |
| -o | FILE | Append output to FILE instead of stdout. Colors are disabled for file output unless -c is also set. |
| -p | PID[,PID,...] | Only show connections owned by the given PID(s). Accepts a comma-separated list. |
Each connection event produces one line. Symbols indicate direction and state. With -t, close lines include elapsed duration.
The most useful default invocation. Watch every TCP/UDP connection machine-wide with colors, close timing, and user context.
```
$ sudo proc-trace-net -ctu
1234 sshd <root> TCP 10.0.2.15:22 โ 203.0.113.7:41002
2341 systemd-r <root> UDP 10.0.2.15:46012 โ 8.8.8.8:53
3892 curl <rick> TCP 10.0.2.15:54321 โ 93.184.216.34:443
3892 curl <rick> TCP 10.0.2.15:54321 × 93.184.216.34:443 0.342s
```
Pass a command after the flags to trace only its network connections. proc-trace-net will exit when the command completes.
```
$ sudo proc-trace-net -ct curl https://github.com
9812 curl TCP 10.0.2.15:48201 โ 140.82.114.4:443
9812 curl TCP 10.0.2.15:48201 × 140.82.114.4:443 0.218s
```
The -t flag appends connection duration to close events. Spot hung or unusually long connections at a glance.
```
$ sudo proc-trace-net -ct
5501 nginx TCP 10.0.2.15:80 โ 192.168.1.5:52341
5501 nginx TCP 10.0.2.15:80 × 192.168.1.5:52341 0.004s
7210 postgres TCP 10.0.2.15:5432 โ 127.0.0.1:41092
7210 postgres TCP 10.0.2.15:5432 × 127.0.0.1:41092 142.001s
```
The -U flag shows every TCP state transition, useful for debugging connection teardown issues or TIME_WAIT accumulation.
```
$ sudo proc-trace-net -cU
3892 curl TCP 10.0.2.15:54321 โ 93.184.216.34:443
3892 curl TCP 10.0.2.15:54321 โ 93.184.216.34:443 ESTABLISHED
3892 curl TCP 10.0.2.15:54321 โ 93.184.216.34:443 FIN_WAIT
3892 curl TCP 10.0.2.15:54321 × 93.184.216.34:443
```
Use -p with a comma-separated list of PIDs to monitor only specific processes. Combine with pgrep for dynamic PID lookup.
```
$ sudo proc-trace-net -ct -p $(pgrep nginx | paste -sd,)
```
Run in the background, suppressing all error noise, writing a connection log for later analysis.
```
$ sudo proc-trace-net -Qto /var/log/connections.log &
[1] 9981
```
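Since `-t` attaches the duration to the close (×) line, a connection that never closes appears in such a log only as an open line with no matching close. The following Python script is an added example, not part of proc-trace-net: it reads lines in the shape shown on this page and reports slow closes and never-closed flows. The 60-second threshold, the function names and the `→` used as the open marker in the sample are assumptions.

```python
import re

# Line shape, read off the examples on this page:
#   PID COMM [<user>] PROTO LOCAL MARK REMOTE [STATE] [SECONDSs]
# Assumptions: COMM contains no whitespace; MARK is a single token and only
# the close marker "×" is interpreted; the log has no ANSI colour (-o without -c).
LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<comm>\S+)\s+(?:<(?P<user>[^>]+)>\s+)?"
    r"(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<mark>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?(?:\s+(?P<secs>\d+(?:\.\d+)?)s)?\s*$"
)

def parse_line(line):
    """Return a dict for one event line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["closed"] = ev.pop("mark") == "×"
    ev["secs"] = float(ev["secs"]) if ev["secs"] else None
    return ev

def review(lines, threshold=60.0):
    """Split a log into slow closes (>= threshold seconds) and never-closed flows."""
    open_flows, slow = {}, []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # error text or a line shape this parser does not know
        key = (ev["pid"], ev["proto"], ev["local"], ev["remote"])
        if not ev["closed"]:
            open_flows[key] = ev  # open line or -U state update
            continue
        open_flows.pop(key, None)
        if ev["secs"] is not None and ev["secs"] >= threshold:
            slow.append(ev)
    return slow, list(open_flows.values())

# Constructed sample in the shape of a -Qto log; "→" stands in for the open marker.
SAMPLE = """\
5501 nginx TCP 10.0.2.15:80 → 192.168.1.5:52341
5501 nginx TCP 10.0.2.15:80 × 192.168.1.5:52341 0.004s
7210 postgres TCP 10.0.2.15:5432 → 127.0.0.1:41092
7210 postgres TCP 10.0.2.15:5432 × 127.0.0.1:41092 142.001s
3892 curl <rick> TCP 10.0.2.15:54321 → 93.184.216.34:443
""".splitlines()

if __name__ == "__main__":
    slow, still_open = review(SAMPLE)
    for ev in slow:
        print("slow:", ev["pid"], ev["comm"], ev["remote"], ev["secs"])
    for ev in still_open:
        print("open:", ev["pid"], ev["comm"], ev["remote"])
```

A flow listed as never closed may simply still be active at the moment the log was read, so compare it against the live connection table before treating it as hung.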
Filter to only IPv4 connections. Useful to reduce noise in dual-stack environments.
```
$ sudo proc-trace-net -4 -ct
```
The -r flag resolves remote IPs to hostnames. Adds latency but makes output much more readable for auditing.
```
$ sudo proc-trace-net -ctr
3892 curl TCP 10.0.2.15:54321 โ server-93-184-216-34.example.com:443
2341 systemd-r UDP 10.0.2.15:46012 โ dns.google:53
```