2015-10-16

[SOLVED] monitor network connections

9:49 13/06/2015
###############
++ss command: It dumps socket (network connection) statistics, such as all TCP/UDP connections, established connections per protocol (e.g. all established ssh connections), and all TCP sockets in a given state such as ESTABLISHED or FIN-WAIT-1.

++netstat command: It can display network connections, routing tables, interfaces and much more.

++tcptrack and iftop commands: tcptrack displays information about the TCP connections it sees on a network interface; iftop displays bandwidth usage on an interface, per host.
http://www.cyberciti.biz/faq/check-network-connection-linux/

#
#
#

SOURCE: http://www.binarytides.com/linux-ss-command/

ss - socket statistics:
#
1. List all connections
#######################
The simplest command is to list out all connections.
#ss | more
#ss | grep <port>
#ss | grep <port> | wc -l #Count number of connections
Ex:
ss | grep 6383 | wc -l
Or (count the connections on port 6383 grouped by TCP state, which is column 6 of netstat -ant):
netstat -ant | grep 6383 | awk '{print $6}' | sort | uniq -c | sort -n


2. Show only tcp, udp or unix connections
##########################################
To view only tcp, udp or unix sockets use the t, u or x option.
#ss -t
OR:
#ss -A tcp

List all udp connections
#ss -ua
#ss -a -A udp


3. Do not resolve hostname
##########################
To get the output faster, use the "n" option to prevent ss from resolving ip addresses to hostnames. Note that this also prevents port numbers from being resolved to service names.
#ss -nt


4. Show only listening sockets
##############################
This will list out all the listening sockets. For example the apache web server opens a listening socket on port 80 to accept incoming connections.
#ss -ltn

To list out all listening udp connections replace t by u
#ss -lun


5. Print process name and pid
#############################
To print out the process name/pid which owns each socket use the p option (sockets belonging to other users' processes are only shown when run as root).
#ss -ltp


6. Print summary statistics
############################
The s option prints out the statistics.
#ss -s


7. Display timer information
############################
With the '-o' option, the time information of each connection would be displayed. The timer information tells how long with
#ss -tn -o


8. Display only IPv4 or IPv6 socket connections
###############################################
To display only IPv4 socket connections use the '-f inet' or '-4' option.
#ss -tl -f inet

To display only IPv6 connections use the '-f inet6' or '-6' option.
#ss -tl6


9. Filtering connections by tcp state
#####################################
#ss [ OPTIONS ] [ STATE-FILTER ] [ ADDRESS-FILTER ]

#ss -t4 state established

Display sockets with state time-wait
#ss -t4 state time-wait


#
#
The state can be any of the following
########################################
1. established
2. syn-sent
3. syn-recv
4. fin-wait-1
5. fin-wait-2
6. time-wait
7. closed
8. close-wait
9. last-ack
10. closing
11. all - All of the above states
12. connected - All the states except for listen and closed
13. synchronized - All the connected states except for syn-sent
14. bucket - Show states, which are maintained as minisockets, i.e. time-wait and syn-recv.
15. big - Opposite to bucket state.

#watch -n 1 "ss -t4 state syn-sent"
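The per-state counting of section 1 and the listening-socket check of section 4, combined into a small POSIX shell script; this is added here as an example and is not from the original post or the binarytides article. It parses ss -tan style output, assumed to have the five columns State, Recv-Q, Send-Q, Local Address:Port and Peer Address:Port (a -t filter, so no Netid column); the sample output, the function names count_states and unexpected_listeners, and the port allowlist are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `ss -tan` output (not captured from a real host).
# In real use, feed the live output instead:  ss -tan | count_states
SAMPLE_SS_TAN='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    0.0.0.0:22            0.0.0.0:*
LISTEN     0      128    127.0.0.1:25          0.0.0.0:*
LISTEN     0      50     0.0.0.0:4444          0.0.0.0:*
ESTAB      0      0      10.0.0.5:22           10.0.0.9:51234
ESTAB      0      0      10.0.0.5:443          203.0.113.7:40001
SYN-SENT   0      1      10.0.0.5:40002        198.51.100.2:445
TIME-WAIT  0      0      10.0.0.5:443          203.0.113.8:40003
TIME-WAIT  0      0      10.0.0.5:443          203.0.113.9:40004'

# Count sockets per TCP state (column 1), skipping the header line.
# Prints "<count> <STATE>" per line, most frequent state first.
count_states() {
    awk 'NR > 1 { n[$1]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# Print listening TCP ports (taken from "Local Address:Port", column 4)
# that are NOT in the space-separated allowlist passed as $1.
# Stripping everything up to the last ":" also handles "*:22" and "[::]:22".
unexpected_listeners() {
    allow=" $1 "
    awk 'NR > 1 && $1 == "LISTEN" { sub(/.*:/, "", $4); print $4 }' |
    sort -un |
    while read -r port; do
        case "$allow" in
            *" $port "*) ;;          # expected listener, stay quiet
            *) echo "$port" ;;       # not on the allowlist: report it
        esac
    done
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SS_TAN" | count_states
printf '%s\n' "$SAMPLE_SS_TAN" | unexpected_listeners "22 25 443"
```

Run against live data, `ss -ltn | unexpected_listeners "22 25 443"` is a quick check that nothing beyond the expected services is accepting connections.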


10. Filter connections by address and port number
#################################################
Display all socket connections with source or destination port of ssh.
#ss -at '( dport = :ssh or sport = :ssh )'

Sockets with destination port 443 or 80
#ss -nt '( dst :443 or dst :80 )'

The following syntax would also work
#ss -nt dst :443 or dst :80

More examples
#############
# Filter by address
$ ss -nt dst 74.125.236.178

# CIDR notation is also supported
$ ss -nt dst 74.125.236.178/16

# Address and Port combined
$ ss -nt dst 74.125.236.178:80


Ports can also be filtered with dport/sport options. Port numbers must be prefixed with a ":".
#ss -nt dport = :80
The above is the same as: ss -nt dst :80


Some more examples of filtering
###############################
# source address is 127.0.0.1 and source port is greater than 5000
$ ss -nt src 127.0.0.1 sport gt :5000

# local smtp (port 25) sockets
$ sudo ss -ntlp sport eq :smtp

# source port numbers greater than 1024
$ sudo ss -nt sport gt :1024

# sockets with remote ports less than 100
$ sudo ss -nt dport \< :100

# connections to remote port 80
$ sudo ss -nt state connected dport = :80


The following operators are supported when comparing port numbers
##################################################################
<= or le : Less than or equal to port
>= or ge : Greater than or equal to port
== or eq : Equal to port
!= or ne : Not equal to port
< or lt : Less than port
> or gt : Greater than port
(The symbolic forms must be escaped or quoted in the shell, as in the "dport \< :100" example above; the page's own examples "sport gt :5000" and "dport \< :100" follow this mapping.)
