TCPview, and netactview. They do the same thing, but one does it in Windows, the other does it in Linux.
Going through firewall logs Friday I found a box trying to hit Akamai Technologies' servers faster than once a second. Like 2 or 3 a second. The box lives on a part of the network with restricted outside access.
There was so much chatter in the logs I was looking at, it looked like it was the only box. The reason it caught my eye to start with was they all had Deny statements with them. Not knowing what the box was doing, we pulled it off the network. There have been infected user boxes before, from surfing sites that were a no no.
The other Network Engineer / Windows Admin today tossed TCPview on the box, it's basically a gui for netstat. Constantly updates in the window, and uses color codes too. However the box had been swept, put back on the network and updated.
I looked at the logs, thinking maybe the issue was a software update (as far as we know the sweep came back clean, the person who did the the sweep is off today), I saw several other boxes. Joking the other guy and I walked back to the area saying it's probably Adobe. Toss TCPview on it, and low, it is adobe updater.
I liked the tool. So I looked, turns out that netactview does the same thing in Linux. Very Nice.
I could do the same thing with netstat, but I hate watching text scroll by.