Comments on: Get Detailed Information About Particular IP address Connections Using netstat Command

By: maedox

maedox — Mon, 05 Dec 2011 09:35:16 +0000

watch -n 1 -d ‘netstat -atulpn -o 2 | egrep “LISTEN|ESTABLISHED”‘

By: kiran

kiran — Mon, 14 Nov 2011 10:43:17 +0000

netstat -atulpn -o 2
DO u think that will help

By: kiran

kiran — Mon, 14 Nov 2011 10:38:21 +0000

HI
how can I get the netstat to run like top command which give the live connections statistics.
Do we have any script which makes this working or any inbuild switch in netstat can do it?

any idea?

/kiran

By: mb

mb — Sun, 03 Jul 2011 12:32:17 +0000

netstat –interfaces eth0 -> netstat –interfaces=eth0

By: Juda

Juda — Sat, 23 Apr 2011 10:52:43 +0000

This is very good article , i reallay like to read it,
please note that you can reduce the timeout of TCP_WAIT2 it will reduce the amont of open conneciton on the server significaly

By: Pan

Pan — Thu, 12 Aug 2010 12:58:08 +0000

we can use below also: netstat -atun | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n

By: astha goyal

astha goyal — Thu, 25 Feb 2010 04:12:41 +0000

can we block packets in c++???
if yes,then how???

By: Allyson

Allyson — Sun, 30 Aug 2009 20:11:38 +0000

Great job! I just have one small question. Is there a certian netstat command that I can use for to find an IP address?

By: muthu

muthu — Fri, 03 Jul 2009 06:23:02 +0000

nice article

By: dj

dj — Wed, 01 Jul 2009 16:41:20 +0000

Get list of unique IP address. Add NR > 2 to awk and that’ll eliminate the netstat titles.
Like: netstat -nat | awk ‘NR>2 { print $5}’ | cut -d: -f1 | sed -e ‘/^$/d’ | uniq

By: Phil F

Phil F — Tue, 16 Jun 2009 11:57:40 +0000

One note about “grep {IP-address}”: The dot (.) is a wildcard to grep, so “grep 1.2.1.5″ would also match 132.135.x.x.

I generally use fgrep when I don’t want any regex matching. You could also escape the dots with a backslash, or use grep -F.

By: Gaurav

Gaurav — Tue, 16 Dec 2008 13:34:43 +0000

One small correction for the command
netstat –interfaces=eth0 ( original )
netstat –interfaces eth0 ( suggested )

For the copy paste user only .. others can read syntax.

By: steven hulme

steven hulme — Sat, 30 Aug 2008 08:22:39 +0000

My netstat box will only open for 5 seconds and will not accept anytype of command ?.

By: Dan

Dan — Wed, 25 Jun 2008 11:17:55 +0000

What I've forgot to mention in my previous post is the following, this command is useful if you are running a Linux box at home or at the office, but has some problems when run on a server, especially if it's a web server, Apache or other, and if on it there are websites that have dynamically generated content via PHP, MySQL, PostgreSQL, etc. That's because when having such a website there are multiple connections initiated by the "website" (via the web server software) to the database (whatever it might be) and to the PHP processor, all of this from a simple page being viewed by someone. This means that a web page might generate ~20-80 connections from one IP to the server. Hope I don't get too cryptic in this but there's some explaining to do. These multiple connections generated by the access to one web page remain in a TIME_WAIT state usually for 60 seconds, value established on most Linux distros by the /proc/sys/net/ipv4/tcp_fin_timeout entry. This means that one page generates 20-80 connections, which remain active (by netstat they are shown in a TIME_WAIT state) for 60 seconds. Now picture accessing 5-6 pages in such a website (say it's a shopping website and your searching through categories of products), this would generate well in excess of 120-480 connections from the same IP address, thus appearing that you are being attacked, flooded, etc. If you have a software running on the server to prevent flooding, it might be "smart" enough to figure it out on it's own that it isn't attacked. But if you as an individual are running the command, then you should take notice of the things said here, for it might fool you into thinking something else than what's actually taking place. One solution would be to add to the command the option for:


sed -n -e '/ESTABLISHED/p'

Which would scan only for connections that are in an ESTABLISHED state. A high count here would probably mean you should start taking action. And the entire command which scans for established connections:


netstat -atun | awk '{print $5}' | sed -n -e '/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/p’ | sed -n -e '/ESTABLISHED/p' | sed ’s/::ffff://’ | cut -d: -f1 | sort | uniq -c | sort -n

By: Dan

Dan — Wed, 25 Jun 2008 10:11:28 +0000

To add to what you've mentioned above, in order to check for DoS attacks, there may be addresses in the output of netstat that might look something like:


:::*

So even if what I'm suggesting means writing some more code, it does the trick a little better if you ask me. So here it goes, the command for finding if you are under DoS attacks:


netstat -atun | awk '{print $5}' | sed -n -e '/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/p' | sed 's/::ffff://' | cut -d: -f1 | sort | uniq -c | sort -n

By: kotnik

kotnik — Thu, 21 Feb 2008 17:48:36 +0000

There’s some mean stuff here.

Thanks for gathering it ;)