Q. How do I track and monitor connections for the eth1 public network interface on a Red Hat Enterprise Linux (RHEL) 5 server?

A. You can use the netstat command or the tcptrack command. Both commands can show established TCP connections and let you monitor them.

netstat command

The netstat command prints information about the Linux networking subsystem. It also works under UNIX and *BSD operating systems. It can display network connections, routing tables, interface statistics, masquerade connections, multicast memberships, and more.

netstat command to display established connections

Type the command as follows:
$ netstat -nat
Output:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:52459           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:1521            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:31323         0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN     
tcp        0      0 192.168.1.100:59917     74.86.48.98:291         ESTABLISHED
tcp        0      0 127.0.0.1:3128          127.0.0.1:49413         TIME_WAIT  
tcp        0      0 127.0.1.1:54624         127.0.1.1:1521          ESTABLISHED
tcp        0      0 127.0.1.1:1521          127.0.1.1:54624         ESTABLISHED
tcp        0      0 192.168.1.100:55914     74.125.19.147:80        ESTABLISHED
tcp        0      0 127.0.0.1:3128          127.0.0.1:42471         TIME_WAIT  
tcp        0      0 192.168.1.100:56357     74.86.48.98:993         ESTABLISHED
tcp        0      0 192.168.1.100:56350     74.86.48.98:993         ESTABLISHED
tcp6       0      0 :::53                   :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN 

To display client / server ESTABLISHED connections only:
$ netstat -nat | grep 'ESTABLISHED'
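
netstat lists connections on every interface, loopback included, so to look at eth1 alone you match on the local address bound to it. The script below is an added example, not part of the original article: it counts ESTABLISHED connections per remote endpoint for one local address. The function names and the use of 192.168.1.100 as the interface address are assumptions; the sample lines are a subset of the output shown above.

```shell
#!/bin/sh
# Added example (not from the original article).
# summarize_established LOCAL_IP
#   Reads `netstat -nat` output on stdin and prints "COUNT REMOTE_IP:PORT"
#   for every ESTABLISHED connection whose local address is LOCAL_IP,
#   busiest remote endpoint first.
summarize_established() {
    awk -v ip="$1" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            laddr = $4
            sub(/:[0-9]+$/, "", laddr)   # strip ":port" (keeps IPv6 colons)
            if (laddr == ip) count[$5]++
        }
        END { for (r in count) print count[r], r }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Sample input: a subset of the netstat -nat output shown above.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.100:59917     74.86.48.98:291         ESTABLISHED
tcp        0      0 127.0.0.1:3128          127.0.0.1:49413         TIME_WAIT
tcp        0      0 127.0.1.1:54624         127.0.1.1:1521          ESTABLISHED
tcp        0      0 127.0.1.1:1521          127.0.1.1:54624         ESTABLISHED
tcp        0      0 192.168.1.100:55914     74.125.19.147:80        ESTABLISHED
tcp        0      0 192.168.1.100:56357     74.86.48.98:993         ESTABLISHED
tcp        0      0 192.168.1.100:56350     74.86.48.98:993         ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
EOF
}

# Demo on the sample. On a live host, replace sample_netstat with
# `netstat -nat` and pass the address assigned to eth1.
sample_netstat | summarize_established 192.168.1.100
```

A remote endpoint that appears with an unexpectedly high count, or on a port you do not serve or use, is the line to investigate first.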

tcptrack command

The tcptrack command displays the status of TCP connections that it sees on a given network interface. It monitors their state and displays information such as state, source/destination addresses and bandwidth usage in a sorted, updated list, much like the top command.

Install tcptrack

Red Hat (RHEL) / Fedora / CentOS users need to download the tcptrack RPM package. For example, to download and install the RHEL 64-bit version:
# cd /tmp/
# wget http://dag.wieers.com/rpm/packages/tcptrack/tcptrack-1.1.5-1.2.el5.rf.x86_64.rpm
# rpm -ivh tcptrack-1.1.5-1.2.el5.rf.x86_64.rpm

Debian / Ubuntu Linux users can use apt-get as follows:
$ sudo apt-get install tcptrack

How do I use tcptrack to monitor and track TCP connections?

tcptrack requires only one parameter to run i.e. the name of an interface such as eth0, eth1 etc. Use the -i flag followed by an interface name that you want tcptrack to monitor.
# tcptrack -i eth0
# tcptrack -i eth1

(Figure: tcptrack in action, monitoring and tracking TCP connections on eth0 under Red Hat Enterprise Linux 5 / CentOS 5)

You can monitor just TCP port 25 (SMTP):
# tcptrack -i eth0 port 25

The next example will only show web traffic monitoring on port 80:
# tcptrack -i eth1 port 80

tcptrack can also take a pcap filter expression as an argument. The format of this filter expression is the same as that of tcpdump and other libpcap-based sniffers. The following example will only show connections to or from host 76.11.22.12:
# tcptrack -i eth0 src or dst 76.11.22.12

For further options, please refer to the man pages of the netstat and tcptrack commands.

I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.

19 comments
  • Unlocker Nov 18, 2010 @ 17:01

    You need to update libpcap before installing tcptrack

    # yum install libpcap -y
    # wget http://dag.wieers.com/rpm/packages/tcptrack/tcptrack-1.1.5-1.2.el5.rf.$(uname -m).rpm
    # rpm -ivh tcptrack-1.1.5-1.2.el5.rf.$(uname -m).rpm
    # tcptrack -i eth0
    Done !!

  • Adarsh Feb 17, 2011 @ 5:35

    Hi,
    I need to know whether my Linux 4 is 64 bit or 32 bit. Can someone please help me out.

    • Sibe Apr 10, 2011 @ 7:39

      You can use ‘uname’ command.

      uname -i will print your machine arch; i386 means 32bit, x86_64 for 64 bit arch.
      uname -r prints your kernel version, if you have a 64bit kernel version running, you’ll notice it.

  • Catalin Sep 25, 2011 @ 20:11

    I got an error on Fedora 15 when running
    # tcptrack -i eth0 src or dst xxx.xxx.xxx..xxx
    where xxx.xxx.xxx..xxx is an IP. The error is
    pcap_compile: syntax error
    I checked libpcap and it seems to be OK:
    Package 14:libpcap-1.1.1-3.fc15.i686 already installed and latest version
    Any idea?

  • vikas kumar Oct 2, 2011 @ 13:58

    Thanks, I have successfully installed the tcptrack package and now I monitor my network.

  • tudor Nov 22, 2011 @ 9:11

    Thanks all, good idea. I also installed it successfully.

  • yak Nov 10, 2012 @ 23:23

    RedHat/CentOS/etc users. Go to http://pkgs.repoforge.org/tcptrack and find the name of the package most suitable for your system. For example, for me on an Amazon Linux instance, tcptrack-1.4.0-1.el6.rf.x86_64.rpm was most appropriate.

  • steve Mar 13, 2015 @ 17:08

    I installed 1.4.0 for 64bit.
    If I try to specify any type of filter I get this:

    [root@evest-psmtp-01 ~]# tcptrack -i eth0 src 10.190.115.192
    pcap_compile:

    If I just do interface as a whole, it works. I’m on centos 6.6 64bit.

    • Roque Mar 24, 2015 @ 19:35

      I have the same setup as Steve (post #18) and the same result.
