9.15. Tracing Processes

Problem

You want to know what an unfamiliar process is doing.

Solution

To attach to a running process and trace system calls:

# strace -p pid

To trace network system calls:

# strace -e trace=network,read,write ...

Discussion

The strace command lets you observe a given process in detail, printing its system calls as they occur. It expands all arguments, return values, and errors (if any) for the system calls, showing all information passed between the process and the kernel. (It can also trace signals.) This provides a very complete picture of what the process is doing.

Use the strace -p option to attach to and trace a process, identified by its process ID, say, 12345:

# strace -p 12345

To detach and stop tracing, just interrupt or kill strace (Ctrl-C is enough); the traced process keeps running. Other than a small performance penalty, strace has no effect on the traced process.

Tracing all system calls for a process can produce overwhelming output, so you can select sets of interesting system calls to print. For monitoring network activity, the -e trace=network option is appropriate. Network sockets often use the generic read and write system calls as well, so trace those too:

$ strace -e trace=network,read,write finger katie@server.example.com
...
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sin_family=AF_INET,
            sin_port=htons(79),
            sin_addr=inet_addr("10.12.104.222")}, 16) = 0
write(4, "katie", 5)                    = 5
write(4, "\r\n", 2)                     = 2
read(4, "Login: katie          \t\t\tName: K"..., 4096) = 244
read(4, "", 4096)                      = 0
...

The trace shows ...
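As an added example (not from the book), here is a small Python parser that turns output like the trace above into a per-socket summary: the destination each fd connected to, whether connect() succeeded, and how many bytes were written to and read from it. The sample trace embedded in it is constructed from the finger session shown above plus a few made-up lines; the names summarize and new_entry are the example's own.

```python
import re

# Constructed sample of "strace -e trace=network,read,write" output, modelled
# on the finger trace on this page (addresses and byte counts are made up).
SAMPLE_TRACE = r"""socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sin_family=AF_INET, sin_port=htons(79), sin_addr=inet_addr("10.12.104.222")}, 16) = 0
write(4, "katie", 5)                    = 5
write(4, "\r\n", 2)                     = 2
read(4, "Login: katie          \t\t\tName: K"..., 4096) = 244
read(4, "", 4096)                      = 0
read(3, "127.0.0.1 localhost"..., 4096) = 120
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
connect(5, {sin_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 ECONNREFUSED (Connection refused)
"""

SOCKET_RE = re.compile(r'^socket\(([^,]+), ([^,]+), [^)]+\)\s*=\s*(-?\d+)')
CONNECT_RE = re.compile(r'^connect\((\d+), \{.*?sin_port=htons\((\d+)\).*?'
                        r'sin_addr=inet_addr\("([^"]+)"\).*\}, \d+\)\s*=\s*(-?\d+)')
IO_RE = re.compile(r'^(read|write)\((\d+), .*\)\s*=\s*(-?\d+)')

def new_entry(kind="unknown"):
    return dict(type=kind, dest=None, connected=False, bytes_out=0, bytes_in=0)

def summarize(trace_text):
    """Map each socket fd to its destination and byte counts. Fds never seen in
    socket()/connect() are ordinary files (read/write shows those too) and are skipped."""
    fds = {}
    for line in trace_text.splitlines():
        m = SOCKET_RE.match(line)
        if m and int(m.group(3)) >= 0:          # socket() returned a new fd
            fds[int(m.group(3))] = new_entry(f"{m.group(1)}/{m.group(2)}")
            continue
        m = CONNECT_RE.match(line)
        if m:  # setdefault: with strace -p the socket() call may predate attach
            e = fds.setdefault(int(m.group(1)), new_entry())
            e["dest"] = f"{m.group(3)}:{m.group(2)}"
            e["connected"] = int(m.group(4)) == 0   # -1 means the connect failed
            continue
        m = IO_RE.match(line)
        if m and int(m.group(2)) in fds and int(m.group(3)) > 0:
            key = "bytes_out" if m.group(1) == "write" else "bytes_in"
            fds[int(m.group(2))][key] += int(m.group(3))
    return fds

if __name__ == "__main__":
    for fd, e in sorted(summarize(SAMPLE_TRACE).items()):
        print(fd, e)
```

To use it on a real trace, run strace with -o to write the output to a file (stderr is its default) and pass that file's contents to summarize().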
