Redhat Enterprise Linux 5 / CentOS 5 monitor and track TCP connections on the network (eth0)

August 2, 2007 · 17 comments · LAST UPDATED September 5, 2007


Q. How do I track and monitor connections for the eth1 public network interface under a Redhat Enterprise Linux (RHEL) 5 server?

A. You can use the netstat command or the tcptrack command. Both commands can show established TCP connections and provide the ability to monitor them.

netstat command

The netstat command prints information about the Linux networking subsystem. It also works under UNIX and *BSD operating systems. It can display network connections, routing tables, interface statistics, masquerade connections, multicast memberships, etc.

netstat command to display established connections

Type the command as follows:
$ netstat -nat
Output:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:52459           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1521            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:31323         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.100:59917     74.86.48.98:291         ESTABLISHED
tcp        0      0 127.0.0.1:3128          127.0.0.1:49413         TIME_WAIT
tcp        0      0 127.0.1.1:54624         127.0.1.1:1521          ESTABLISHED
tcp        0      0 127.0.1.1:1521          127.0.1.1:54624         ESTABLISHED
tcp        0      0 192.168.1.100:55914     74.125.19.147:80        ESTABLISHED
tcp        0      0 127.0.0.1:3128          127.0.0.1:42471         TIME_WAIT
tcp        0      0 192.168.1.100:56357     74.86.48.98:993         ESTABLISHED
tcp        0      0 192.168.1.100:56350     74.86.48.98:993         ESTABLISHED
tcp6       0      0 :::53                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN 

To display client / server ESTABLISHED connections only:
$ netstat -nat | grep 'ESTABLISHED'
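
The netstat -nat output can also be summarised rather than read line by line. The following is an added example, not part of the original FAQ: it counts sockets per TCP state and ESTABLISHED connections per remote address, matching on the State column instead of grepping the whole line. The function names are illustrative and the sample is copied from the output shown above.

```shell
#!/bin/sh
# Added example: summarise `netstat -nat` output by state and by remote peer.

# Constructed sample: lines copied from the netstat output shown above.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.100:59917     74.86.48.98:291         ESTABLISHED
tcp        0      0 127.0.0.1:3128          127.0.0.1:49413         TIME_WAIT
tcp        0      0 127.0.1.1:54624         127.0.1.1:1521          ESTABLISHED
tcp        0      0 127.0.1.1:1521          127.0.1.1:54624         ESTABLISHED
tcp        0      0 192.168.1.100:55914     74.125.19.147:80        ESTABLISHED
tcp        0      0 192.168.1.100:56357     74.86.48.98:993         ESTABLISHED
tcp        0      0 192.168.1.100:56350     74.86.48.98:993         ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
EOF
}

# Count sockets per TCP state (column 6). The two header lines are skipped
# because their first field does not start with "tcp".
count_states() {
    awk '$1 ~ /^tcp/ { n[$6]++ } END { for (s in n) print s, n[s] }' | sort
}

# Count ESTABLISHED connections per remote IP, skipping loopback peers.
# The port is whatever follows the last colon, so IPv6 addresses survive.
remote_peers() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" {
             ip = $5; sub(/:[0-9]+$/, "", ip)
             if (ip ~ /^127\./ || ip == "::1") next
             n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# On a live host, feed the real output in: netstat -nat | remote_peers
sample_netstat | count_states
sample_netstat | remote_peers
```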

tcptrack command

tcptrack command displays the status of TCP connections that it sees on a given network interface. tcptrack monitors their state and displays information such as state, source/destination addresses and bandwidth usage in a sorted, updated list very much like the top command.

Install tcptrack

Redhat (RHEL) / Fedora / CentOS users: download tcptrack here. For example, download the RHEL 64-bit version:
# cd /tmp/
# wget http://dag.wieers.com/rpm/packages/tcptrack/tcptrack-1.1.5-1.2.el5.rf.x86_64.rpm
# rpm -ivh tcptrack-1.1.5-1.2.el5.rf.x86_64.rpm

Debian / Ubuntu Linux users, use apt-get as follows:
$ sudo apt-get install tcptrack

How do I use tcptrack to monitor and track TCP connections?

tcptrack requires only one parameter to run, i.e. the name of an interface such as eth0 or eth1. Use the -i flag followed by the name of the interface that you want tcptrack to monitor.
# tcptrack -i eth0
# tcptrack -i eth1

(Figure: tcptrack in action)

You can monitor only TCP port 25 (SMTP):
# tcptrack -i eth0 port 25

The next example will only show web traffic monitoring on port 80:
# tcptrack -i eth1 port 80

tcptrack can also take a pcap filter expression as an argument. The format of this filter expression is the same as that used by tcpdump and other libpcap-based sniffers. The following example will only show connections to or from host 76.11.22.12:
# tcptrack -i eth0 src or dst 76.11.22.12

For further options, please refer to the man pages of the netstat and tcptrack commands.


{ 17 comments… read them below or add one }

1 Jeferson Passos November 14, 2007 at 1:44 pm

I am trying to install tcptrack in my linux fedora.
I did:
# yum install tcptrack.x86_64
The system gives me the msg:
Error: Missing Dependency: libpcap.so.0.8.3()(64bit) is needed by package tcptrack

Then I tried to install libpcap packet with the command:
# yum install libpcap.x86_64
The system gives me the msg:
Package libpcap – 14:0.9.7-1.fc7.x86_64 is already installed.
Nothing to do

Can anyone help me ??
Thanks
Jeferson Passos


2 Oleg Frayman July 21, 2008 at 8:07 pm

Try yum --whatprovides libpcap.so.0.8.3, you might need to install libcap.i386 or libcap-devel.


3 Amit February 23, 2009 at 7:14 am

Hi, I want to watch my computer IP & Network. Which DOS command should I use to find out whether someone is connected to my computer in an intrusive way or not? Tell me the method for preventing unauthorised access to my computer?


4 mostofa September 15, 2009 at 1:03 pm

Thanks for your information, now I monitor my network.


5 Ruel Joson October 11, 2009 at 10:58 am

I encounter Failed dependencies when trying to rpm the package

# rpm -ivh tcptrack-1.1.5-1.2.el5.rf.x86_64.rpm
warning: tcptrack-1.1.5-1.2.el5.rf.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
error: Failed dependencies:
libc.so.6()(64bit) is needed by tcptrack-1.1.5-1.2.el5.rf.x86_64
libc.so.6(GLIBC_2.2.5)(64bit) is needed by tcptrack-1.1.5-1.2.el5.rf.x86_64
libc.so.6(GLIBC_2.4)(64bit) is needed by tcptrack-1.1.5-1.2.el5.rf.x86_64
libgcc_s.so.1()(64bit) is needed by tcptrack-1.1.5-1.2.el5.rf.x86_64
libgcc_s.so.1(GCC_3.0)(64bit) is needed by tcptrack-1.1.5-1.2.el5.rf.x86_64
libm.so.6()(64bit) is needed by tcptrack-1.1.5-1.2.el5.rf.x86_64
libncurses.so.5()(64bit) is needed by tcptrack-1.1.5-1.2.el5.rf.x86_64
libnsl.so.1()(64bit) is needed by tcptrack-1.1.5-1.2.el5.rf.x86_64
libpcap.so.0.9.4()(64bit) is needed by tcptrack-1.1.5-1.2.el5.rf.x86_64
libpthread.so.0()(64bit) is needed by tcptrack-1.1.5-1.2.el5.rf.x86_64
libpthread.so.0(GLIBC_2.2.5)(64bit) is needed by tcptrack-1.1.5-1.2.el5.rf.x86_64
libpthread.so.0(GLIBC_2.3.2)(64bit) is needed by tcptrack-1.1.5-1.2.el5.rf.x86_64
librt.so.1()(64bit) is needed by tcptrack-1.1.5-1.2.el5.rf.x86_64
libstdc++.so.6()(64bit) is needed by tcptrack-1.1.5-1.2.el5.rf.x86_64
libstdc++.so.6(CXXABI_1.3)(64bit) is needed by tcptrack-1.1.5-1.2.el5.rf.x86_64
libstdc++.so.6(GLIBCXX_3.4)(64bit) is needed by tcptrack-1.1.5-1.2.el5.rf.x86_64

Please help. Thanks


6 Claudio November 26, 2009 at 3:03 pm

If you got errors on dependencies probably you have a 32bit system so follow these steps:
# cd /tmp/
# wget http://dag.wieers.com/rpm/packages/tcptrack/tcptrack-1.1.5-1.2.el5.rf.i386.rpm
# rpm -hiv tcptrack-1.1.5-1.2.el5.rf.i386.rpm
Have a nice day!


7 Srikanth March 3, 2010 at 2:11 am

Buddy,
Appreciate it… it was very useful in finding why the applet was not responding after it uploaded certain MB.


8 Somaikeres March 11, 2010 at 1:19 pm

running 32-bit CentOS 4 (I guess…) and when trying to install tcptrack I get this shit:
[root@localhost tmp]# rpm -hiv tcptrack-1.1.5-1.2.el5.rf.i386.rpm
warning: tcptrack-1.1.5-1.2.el5.rf.i386.rpm: V3 DSA signature: NOKEY, key ID 6b8d79e6
error: Failed dependencies:
libc.so.6(GLIBC_2.4) is needed by tcptrack-1.1.5-1.2.el5.rf.i386
libpcap.so.0.9.4 is needed by tcptrack-1.1.5-1.2.el5.rf.i386
rtld(GNU_HASH) is needed by tcptrack-1.1.5-1.2.el5.rf.i386

Hulp…


9 Ruel Joson April 11, 2010 at 7:35 am

I downloaded the package and installed it, but when I try to run tcptrack I encounter this:

tcptrack: error while loading shared libraries: libpcap.so.0.8.3: cannot open shared object file: No such file or directory

Please help. Thank you!


10 muchikon September 10, 2010 at 1:53 pm

Excellent tool, great info.
That's why I love Debian, because it is very simple to install things.


11 Unlocker November 18, 2010 at 5:01 pm

You need to update libpcap before installing tcptrack

# yum install libpcap -y
# wget http://dag.wieers.com/rpm/packages/tcptrack/tcptrack-1.1.5-1.2.el5.rf.$(uname -m).rpm
# rpm -ivh tcptrack-1.1.5-1.2.el5.rf.$(uname -m).rpm
# tcptrack -i eth0
Done !!


12 Adarsh February 17, 2011 at 5:35 am

Hi,
I need to know whether my Linux 4 is 64 bit or 32 bit. Can someone please help me out.


13 Sibe April 10, 2011 at 7:39 am

You can use ‘uname’ command.

uname -i will print your machine arch; i386 means 32bit, x86_64 for 64 bit arch.
uname -r prints your kernel version, if you have a 64bit kernel version running, you’ll notice it.


14 Catalin September 25, 2011 at 8:11 pm

I got an error on Fedora 15 when running
# tcptrack -i eth0 src or dst xxx.xxx.xxx..xxx
where xxx.xxx.xxx..xxx is one IP. The error is
pcap_compile: syntax error
I checked libpcap and it seems to be OK:
Package 14:libpcap-1.1.1-3.fc15.i686 already installed and latest version
Any idea?


15 vikas kumar October 2, 2011 at 1:58 pm

Thanks, I have successfully installed the tcptrack package and now I monitor my network.


16 tudor November 22, 2011 at 9:11 am

Thanks all, good idea. I also installed successfully.


17 yak November 10, 2012 at 11:23 pm

RedHat/CentOS/etc users. Go to http://pkgs.repoforge.org/tcptrack and find the name of the package most suitable for your system. For example, for me on an Amazon Linux instance, tcptrack-1.4.0-1.el6.rf.x86_64.rpm was most appropriate.
