- 04-27-2011 #1
- Join Date
- Sep 2005
Port monitoring or real time netstat
I have a CentOS server I just inherited and we don't have adequate documentation for how it was configured.
My security officer is detecting irregular outbound connections over SSH from the server to the previous vendor, but we don't know where to start to find out what application on the server is configured for this.
Is there some way to monitor for outbound connections, and when an outbound SSH connection opens, trigger a "netstat -p | grep ssh" command to find out what process is doing it? That way we could go to the config files for that application and change the config?
Or, is there a realtime command to monitor outbound connections and their process, sort of like a combination of wireshark and netstat that I can use to dump a log to go over later?
The server is just a web server serving OpenCMS content. It has a few other things to support this. It has Nagios installed but we don't know how to configure it to monitor what we are looking for (not much of a Linux shop here).
Any suggestions would be appreciated.
- 06-02-2011 #2
My security advice:
Clean up the entire drive.
Make a clean, fresh install you know.
That is the only way to guarantee security.
Otherwise you may watch for any amount of time until all time-sensitive earlier actions become active. What you have is some kind of potential time bomb.
A fresh Linux install is easy and would be my own choice of action in the case of a preinstalled server with unknown configuration and maybe limited trust in the vendor (previous user).
If you really want just to monitor:
maybe ntop, which is a traffic monitoring tool with a wide range of graphical output that is easy to read.
If properly set up, the output is then in a browser at
Open Source and Linux Forums
on the install server
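One way to get the "real-time netstat" log the original question asks for, as an added example that is not from either poster: poll `netstat -tnp`, keep only connections whose remote port is SSH, and record the owning process and its parent. It assumes the net-tools column layout, sshd on port 22 at the remote end, root privileges, and a hypothetical log path; the sample rows are constructed.

```shell
#!/bin/sh
# Added example. Assumes net-tools "netstat -tnp" columns, remote sshd on
# port 22, and root privileges so the PID/Program column is populated.
SSH_PORT=22
LOG=${LOG:-/var/tmp/outbound-ssh.log}    # hypothetical log path

# Filter "netstat -tnp" output on stdin down to outbound SSH: remote port is
# SSH_PORT and local port is not (that would be an inbound sshd session).
# Prints: pid program local remote state
outbound_ssh() {
    awk -v port="$SSH_PORT" '
        $1 ~ /^tcp/ && NF >= 7 {
            lport = $4; sub(/.*:/, "", lport)
            rport = $5; sub(/.*:/, "", rport)
            if (rport != port || lport == port) next
            n = split($7, owner, "/")        # "4312/ssh", or "-" if unknown
            print owner[1], (n > 1 ? owner[2] : "-"), $4, $5, $6
        }'
}

# Show the command line of a PID and of its parent; the parent (cron, a
# backup script, a monitoring agent) is usually what has to be reconfigured.
describe_pid() {
    [ -r "/proc/$1/cmdline" ] || return 0
    cmd=$(tr '\0' ' ' < "/proc/$1/cmdline") || return 0
    ppid=$(awk '/^PPid:/ { print $2 }' "/proc/$1/status" 2>/dev/null) || return 0
    pcmd=$(tr '\0' ' ' 2>/dev/null < "/proc/$ppid/cmdline") || pcmd=unknown
    echo "cmd=[$cmd] ppid=$ppid parent=[$pcmd]"
}

# Poll every second and append hits to $LOG; shorter-lived connections can be missed.
watch_outbound_ssh() {
    while :; do
        netstat -tnp 2>/dev/null | outbound_ssh | while read -r pid prog rest; do
            echo "$(date '+%F %T') pid=$pid prog=$prog $rest $(describe_pid "$pid")"
        done >> "$LOG"
        sleep 1
    done
}

# Constructed sample rows (documentation addresses), not captured output.
SAMPLE='tcp 0 0 192.0.2.10:48712 203.0.113.5:22 ESTABLISHED 4312/ssh
tcp 0 0 192.0.2.10:22 198.51.100.7:51514 ESTABLISHED 2210/sshd
tcp 0 0 192.0.2.10:80 198.51.100.9:40112 ESTABLISHED 1870/httpd
tcp 0 0 192.0.2.10:48700 203.0.113.5:22 TIME_WAIT -'
case "${1:-demo}" in
    watch) watch_outbound_ssh ;;
    *)     printf '%s\n' "$SAMPLE" | outbound_ssh ;;
esac
```

Run with the argument `watch` as root to start logging; with no argument it only filters the constructed sample rows.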