I'm operating a couple of server daemons that use UDP to communicate with a large number of clients. How do I find and list all the active UDP "connections" that are talking to the servers, in order to estimate the number of active clients that are connected to the server daemons? I couldn't think of an easy way to do this besides sniffing the packets with tshark or tcpdump and looking at the source IP of UDP packets going to the server daemons. And yes, I know UDP is a connectionless and stateless protocol.
- Since there's no state/status/anything for UDP connections anywhere, probably the only way is logging some info for each packet (sent or received). Maybe redirect it with iptables to some daemon that'll log IPs or keep statistics or something. – Sandman4 Dec 04 '11 at 19:20
- Define "*active* udp connection". – Sandman4 Dec 04 '11 at 19:22
- @Sandman4 maybe he wants to list all requests to UDP sockets. – Sachin Divekar Dec 04 '11 at 19:23
- What exactly are you trying to do? It is difficult to track down UDP requests without a sniffer, so some context is appreciated. – Rilindo Dec 04 '11 at 20:27
- Can you post the output of `sudo lsof -iUDP` – Pieter Temmerman Dec 04 '11 at 23:45
5 Answers
UDP is a stateless protocol - so, no states.
To see what's listening for UDP:

```
netstat -lnpu
```

The equivalent command on modern Linux:

```
ss -lnpu
```
You could log every UDP connection using iptables:

```
iptables -A INPUT -p udp -j LOG --log-prefix "udp connection: "
```

Perhaps you might want to limit it to some ports. Check documentation here or, preferably, `man iptables`.
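Counting distinct clients from the lines this LOG rule writes, as an added example that is not part of the original answers: the log lines are constructed samples in the kernel's LOG format, and the function names and port 1194 are assumptions for illustration.

```shell
#!/bin/sh
# Added example: count distinct source IPs per destination port from kernel
# log lines carrying the "udp connection: " prefix used in the answer.
# The same rule limited to one port (1194 is only a sample port):
#   iptables -A INPUT -p udp --dport 1194 -j LOG --log-prefix "udp connection: "

# Constructed sample log lines (documentation addresses, not real traffic).
sample_log() {
cat <<'EOF'
Dec  4 19:30:01 srv kernel: udp connection: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=41179 DPT=1194 LEN=40
Dec  4 19:30:02 srv kernel: udp connection: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=41179 DPT=1194 LEN=40
Dec  4 19:30:02 srv kernel: udp connection: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:03:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=70 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=57440 DPT=1194 LEN=50
Dec  4 19:30:03 srv kernel: udp connection: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:03:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=80 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=60
Dec  4 19:30:04 srv kernel: eth0: link up
EOF
}

# Reads syslog lines on stdin; prints "<dport> <distinct clients> <packets>".
# A client is identified by source IP only, so hosts behind one NAT count once.
udp_clients_per_port() {
    awk -v prefix="udp connection: " '
        index($0, prefix) == 0 { next }        # line not written by the LOG rule
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, "SRC=") == 1) src = substr($i, 5)
                if (index($i, "DPT=") == 1) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next    # truncated or malformed line
            packets[dpt]++
            if (!((dpt, src) in seen)) { seen[dpt, src] = 1; clients[dpt]++ }
        }
        END { for (p in clients) print p, clients[p], packets[p] }
    ' | sort -n
}

sample_log | udp_clients_per_port
```

On a live host, feed it the kernel log instead of the sample, for example the output of `dmesg` or the syslog file your distribution writes kernel messages to.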
As others have mentioned, UDP is connection-less, so state isn't tracked in the standard locations you might look.

One method you could use is simply to set up some simple netfilter rules that use the `--state` option. This will force netfilter to track state related to UDP. Once you set up the rules, you can use a tool like conntrack to look at the netfilter state table. Here, for example, is what one of my systems looks like. You can see there are a couple of systems that are frequently communicating to udp/1194 (OpenVPN).

```
root@enterprise:# conntrack -L -p udp
udp 17 173 src=192.168.32.1 dst=192.168.32.10 sport=41179 dport=1194 packets=2072 bytes=188058 src=192.168.32.10 dst=192.168.32.1 sport=1194 dport=41179 packets=2081 bytes=201185 [ASSURED] mark=0 secmark=0 use=1
udp 17 175 src=192.168.32.26 dst=192.168.32.10 sport=57440 dport=1194 packets=806767 bytes=154637738 src=192.168.32.10 dst=192.168.32.26 sport=1194 dport=57440 packets=1265893 bytes=1588040830 [ASSURED] mark=0 secmark=0 use=1
```
Your netfilter rules could be as simple as this.
```
/sbin/iptables -t filter -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A FORWARD -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
```
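To turn the conntrack table shown above into a client estimate, here is an added example (not from the original answer): it reads `conntrack -L -p udp` output, looks only at the original-direction tuple, and keeps flows flagged `[ASSURED]`, so one-way packets from unanswered or spoofed sources are not counted. The first two sample lines are the answer's own; the other three lines and the function names are constructed.

```shell
#!/bin/sh
# Added example: list distinct client IPs talking to one UDP server port,
# from `conntrack -L -p udp` output on stdin.

# Lines 1-2 are the answer's sample output. Lines 3-5 are constructed:
# a second flow from the same client, an unanswered probe, an outbound DNS flow.
sample_conntrack() {
cat <<'EOF'
udp 17 173 src=192.168.32.1 dst=192.168.32.10 sport=41179 dport=1194 packets=2072 bytes=188058 src=192.168.32.10 dst=192.168.32.1 sport=1194 dport=41179 packets=2081 bytes=201185 [ASSURED] mark=0 secmark=0 use=1
udp 17 175 src=192.168.32.26 dst=192.168.32.10 sport=57440 dport=1194 packets=806767 bytes=154637738 src=192.168.32.10 dst=192.168.32.26 sport=1194 dport=57440 packets=1265893 bytes=1588040830 [ASSURED] mark=0 secmark=0 use=1
udp 17 170 src=192.168.32.26 dst=192.168.32.10 sport=57441 dport=1194 packets=12 bytes=1104 src=192.168.32.10 dst=192.168.32.26 sport=1194 dport=57441 packets=11 bytes=1320 [ASSURED] mark=0 secmark=0 use=1
udp 17 25 src=192.168.32.40 dst=192.168.32.10 sport=50000 dport=1194 packets=1 bytes=42 [UNREPLIED] src=192.168.32.10 dst=192.168.32.40 sport=1194 dport=50000 packets=0 bytes=0 mark=0 secmark=0 use=1
udp 17 28 src=192.168.32.10 dst=192.168.32.1 sport=40000 dport=53 packets=4 bytes=240 src=192.168.32.1 dst=192.168.32.10 sport=53 dport=40000 packets=4 bytes=304 [ASSURED] mark=0 secmark=0 use=1
EOF
}

# Usage: conntrack -L -p udp | active_udp_clients <server-port>
active_udp_clients() {
    awk -v port="$1" '
        $1 != "udp" { next }                     # other protocols, blank lines
        index($0, "[ASSURED]") == 0 { next }     # no traffic seen both ways yet
        {
            # Each entry holds two tuples: original direction, then reply.
            # Only the first src= and dport= describe the side that initiated.
            src = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                if (src == "" && index($i, "src=") == 1) src = substr($i, 5)
                if (dport == "" && index($i, "dport=") == 1) dport = substr($i, 7)
            }
            if (dport == port && !(src in seen)) { seen[src] = 1; print src }
        }
    ' | LC_ALL=C sort
}

sample_conntrack | active_udp_clients 1194
```

Pipe the result through `wc -l` for the count. An entry disappears once its timeout (the third column) runs out, so the number reflects clients seen within that window.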
On Linux, assuming that iproute2 is installed, you can run the `ss` command to pull UDP sockets like so:

```
ss -u
```
Or all udp sockets, with the associated process:
```
[root@kerberos ks]# ss -u -pa
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 *:kerberos *:* users:(("krb5kdc",1935,7))
UNCONN 0 0 *:mdns *:* users:(("avahi-daemon",1613,13))
UNCONN 0 0 *:rquotad *:* users:(("rpc.rquotad",1872,3))
UNCONN 0 0 *:kerberos-iv *:* users:(("krb5kdc",1935,6))
UNCONN 0 0 *:sunrpc *:* users:(("rpcbind",1569,6))
UNCONN 0 0 *:ipp *:* users:(("cupsd",1687,9))
UNCONN 0 0 192.168.15.100:ntp *:* users:(("ntpd",1976,23))
UNCONN 0 0 172.16.15.1:ntp *:* users:(("ntpd",1976,22))
UNCONN 0 0 127.0.0.1:ntp *:* users:(("ntpd",1976,21))
UNCONN 0 0 *:ntp *:* users:(("ntpd",1976,16))
UNCONN 0 0 *:892 *:* users:(("rpc.mountd",1888,7))
UNCONN 0 0 *:896 *:* users:(("rpcbind",1569,7))
UNCONN 0 0 *:32769 *:*
UNCONN 0 0 *:nfs *:*
UNCONN 0 0 *:syslog *:* users:(("rsyslogd",1506,1))
UNCONN 0 0 *:42375 *:* users:(("avahi-daemon",1613,14))
UNCONN 0 0 *:pftp *:* users:(("rpc.statd",1643,8))
UNCONN 0 0 *:snmp *:* users:(("snmpd",1949,7))
UNCONN 0 0 *:37802 *:* users:(("squid",2124,9))
UNCONN 0 0 *:bootps *:* users:(("dhcpd",1987,7))
UNCONN 0 0 *:tftp *:* users:(("xinetd",1968,6))
UNCONN 0 0 *:971 *:* users:(("rpc.statd",1643,5))
UNCONN 0 0 *:kpasswd *:* users:(("kadmind",1926,6))
UNCONN 0 0 fe80::2e0:4cff:fe90:40eb:kerberos :::* users:(("krb5kdc",1935,11))
UNCONN 0 0 fe80::226:2dff:fe47:309f:kerberos :::* users:(("krb5kdc",1935,9))
UNCONN 0 0 fe80::2e0:4cff:fe90:40eb:kerberos-iv :::* users:(("krb5kdc",1935,10))
UNCONN 0 0 fe80::226:2dff:fe47:309f:kerberos-iv :::* users:(("krb5kdc",1935,8))
UNCONN 0 0 :::sunrpc :::* users:(("rpcbind",1569,9))
UNCONN 0 0 fe80::fc54:ff:feda:8094:ntp :::* users:(("ntpd",1976,26))
UNCONN 0 0 fe80::fc54:ff:fe52:8f66:ntp :::* users:(("ntpd",1976,30))
UNCONN 0 0 fe80::fc54:ff:feea:63a8:ntp :::* users:(("ntpd",1976,29))
UNCONN 0 0 fe80::fc54:ff:fe16:15c3:ntp :::* users:(("ntpd",1976,28))
UNCONN 0 0 fe80::fc54:ff:fe75:8012:ntp :::* users:(("ntpd",1976,27))
UNCONN 0 0 fe80::fc54:ff:feb3:4da8:ntp :::* users:(("ntpd",1976,25))
UNCONN 0 0 fe80::226:2dff:fe47:309f:ntp :::* users:(("ntpd",1976,20))
UNCONN 0 0 fe80::2e0:4cff:fe90:40eb:ntp :::* users:(("ntpd",1976,19))
UNCONN 0 0 ::1:ntp :::* users:(("ntpd",1976,18))
UNCONN 0 0 :::ntp :::* users:(("ntpd",1976,17))
UNCONN 0 0 :::892 :::* users:(("rpc.mountd",1888,9))
UNCONN 0 0 :::896 :::* users:(("rpcbind",1569,10))
UNCONN 0 0 :::32769 :::*
UNCONN 0 0 :::nfs :::*
UNCONN 0 0 :::syslog :::* users:(("rsyslogd",1506,2))
UNCONN 0 0 :::pftp :::* users:(("rpc.statd",1643,10))
UNCONN 0 0 fe80::2e0:4cff:fe90:40eb:kpasswd :::* users:(("kadmind",1926,8))
UNCONN 0 0 fe80::226:2dff:fe47:309f:kpasswd :::* users:(("kadmind",1926,7))
UNCONN 0 0 :::59603 :::* users:(("squid",2124,8))
```
```
[root@kerberos ks]# ss -upa
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 *:kerberos *:* users:(("krb5kdc",1935,7))
UNCONN 0 0 *:mdns *:* users:(("avahi-daemon",1613,13))
UNCONN 0 0 *:rquotad *:* users:(("rpc.rquotad",1872,3))
UNCONN 0 0 *:kerberos-iv *:* users:(("krb5kdc",1935,6))
UNCONN 0 0 *:sunrpc *:* users:(("rpcbind",1569,6))
UNCONN 0 0 *:ipp *:* users:(("cupsd",1687,9))
UNCONN 0 0 192.168.15.100:ntp *:* users:(("ntpd",1976,23))
UNCONN 0 0 172.16.15.1:ntp *:* users:(("ntpd",1976,22))
UNCONN 0 0 127.0.0.1:ntp *:* users:(("ntpd",1976,21))
UNCONN 0 0 *:ntp *:* users:(("ntpd",1976,16))
UNCONN 0 0 *:892 *:* users:(("rpc.mountd",1888,7))
UNCONN 0 0 *:896 *:* users:(("rpcbind",1569,7))
UNCONN 0 0 *:32769 *:*
UNCONN 0 0 *:nfs *:*
UNCONN 0 0 *:syslog *:* users:(("rsyslogd",1506,1))
UNCONN 0 0 *:42375 *:* users:(("avahi-daemon",1613,14))
UNCONN 0 0 *:pftp *:* users:(("rpc.statd",1643,8))
UNCONN 0 0 *:snmp *:* users:(("snmpd",1949,7))
UNCONN 0 0 *:37802 *:* users:(("squid",2124,9))
UNCONN 0 0 *:bootps *:* users:(("dhcpd",1987,7))
UNCONN 0 0 *:tftp *:* users:(("xinetd",1968,6))
UNCONN 0 0 *:971 *:* users:(("rpc.statd",1643,5))
UNCONN 0 0 *:kpasswd *:* users:(("kadmind",1926,6))
UNCONN 0 0 fe80::2e0:4cff:fe90:40eb:kerberos :::* users:(("krb5kdc",1935,11))
UNCONN 0 0 fe80::226:2dff:fe47:309f:kerberos :::* users:(("krb5kdc",1935,9))
UNCONN 0 0 fe80::2e0:4cff:fe90:40eb:kerberos-iv :::* users:(("krb5kdc",1935,10))
UNCONN 0 0 fe80::226:2dff:fe47:309f:kerberos-iv :::* users:(("krb5kdc",1935,8))
UNCONN 0 0 :::sunrpc :::* users:(("rpcbind",1569,9))
UNCONN 0 0 fe80::fc54:ff:feda:8094:ntp :::* users:(("ntpd",1976,26))
UNCONN 0 0 fe80::fc54:ff:fe52:8f66:ntp :::* users:(("ntpd",1976,30))
UNCONN 0 0 fe80::fc54:ff:feea:63a8:ntp :::* users:(("ntpd",1976,29))
UNCONN 0 0 fe80::fc54:ff:fe16:15c3:ntp :::* users:(("ntpd",1976,28))
UNCONN 0 0 fe80::fc54:ff:fe75:8012:ntp :::* users:(("ntpd",1976,27))
UNCONN 0 0 fe80::fc54:ff:feb3:4da8:ntp :::* users:(("ntpd",1976,25))
UNCONN 0 0 fe80::226:2dff:fe47:309f:ntp :::* users:(("ntpd",1976,20))
UNCONN 0 0 fe80::2e0:4cff:fe90:40eb:ntp :::* users:(("ntpd",1976,19))
UNCONN 0 0 ::1:ntp :::* users:(("ntpd",1976,18))
UNCONN 0 0 :::ntp :::* users:(("ntpd",1976,17))
UNCONN 0 0 :::892 :::* users:(("rpc.mountd",1888,9))
UNCONN 0 0 :::896 :::* users:(("rpcbind",1569,10))
UNCONN 0 0 :::32769 :::*
UNCONN 0 0 :::nfs :::*
UNCONN 0 0 :::syslog :::* users:(("rsyslogd",1506,2))
UNCONN 0 0 :::pftp :::* users:(("rpc.statd",1643,10))
UNCONN 0 0 fe80::2e0:4cff:fe90:40eb:kpasswd :::* users:(("kadmind",1926,8))
UNCONN 0 0 fe80::226:2dff:fe47:309f:kpasswd :::* users:(("kadmind",1926,7))
UNCONN 0 0 :::59603 :::* users:(("squid",2124,8))
```
Here are additional examples you can use with `ss`, including getting connections per process.
- Again, how can udp have a connection? `ss` only displays UDP sockets, not **connection**. – Sachin Divekar Dec 04 '11 at 19:18
- Bad choice of words. That said, I asked for clarification from Flit, as it is not clear what he is trying to do. – Rilindo Dec 04 '11 at 20:28
- What's the difference between `ss -pa` and `ss -upa` in the example? Should half be deleted? – Mihail Malostanidis Mar 27 '20 at 01:10
Inspired by this answer, I've found that the following `ss` syntax works for me:

```
ss -u state CLOSE
```

… because "listening" UDP sockets are like "closed" TCP sockets.