Netstat continuous refresh (watch changes the output)

Question

I am using this simple command to monitor connections (to deal with some recent DoS attacks) on my Debian server:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

How do I run it continuously? So it will refresh itself once per minute (or any given amount of time, of course). I tried watch:

watch -n 30 "netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n"

But it changed the output from nice list with num of connections to something like this:

1 tcp        0  10015 [LOCAL IP]
...
1 Proto Recv-Q Send-Q Local Address           Foreign Address         State
1 Active Internet connections (w/o servers)

So external IP is not being displayed. Is there something I missed?

This is how the original output looks:

  2 [IP ADDRESS]
  4 [IP ADDRESS]
  4 [IP ADDRESS]
  4 [IP ADDRESS]
  7 [IP ADDRESS]
 16 [IP ADDRESS]
 71 [IP ADDRESS]

And when I say [LOCAL IP] I mean my machine's IP.

When I run it with -c it just freezes.

Are you running watch with root privileges? The command looks sound and seems to behave how I would expect on my machine. Running without will not print the addresses and, after 30 seconds might print an error message. — , Jun 12 '12 at 13:27
@StewartPlatt I run it under root. I added the original command output. The thing is, when I do watch - it outputs only *my* IP address ad does not output connected to me IPs at all. — , Jun 12 '12 at 13:32

score 35 · Accepted Answer · answered Jun 12 '12 at 13:35

35

netstat -c

may help you if i've not misunderstood your problem. -c stands for --continuous.

EDIT: there you go:

watch -n 30 "netstat -ntu | awk '{print \$5}' | cut -d: -f1 | sort | uniq -c | sort -n"

I've added a \ before $.

answered Jun 12 '12 at 13:35

hcg

466
4
2

already tried, sorry I didn't specify this in a question. It just freezes when I add -c. – Jun 12 '12 at 13:39
I realized that, the $5 is removed at the output of watch. Maybe there's a quotation mark issue. I'm digging on it.. – Jun 12 '12 at 13:43
thank you, good to know about escaping special chars in watch – Jun 12 '12 at 13:47

score 3 · Answer 2 · answered Feb 20 '20 at 04:28

3

Searching for command for macos ends up here. For those mac user who want to see the real-time connections of a process:

nettop -p 60683

You can also restrict the interface type, like wifi or wired...

nettop -t wifi -n -p 60683

answered Feb 20 '20 at 04:28

Iceberg

131
2

score 3 · Answer 3 · answered Apr 29 '20 at 01:09

3

Monitoring on Ubuntu 18.04 LTS, this worked well. It displays good human-readable output.

sudo netstat -tupnc

answered Apr 29 '20 at 01:09

rjkunde

131
5

score 1 · Answer 4 · answered Mar 28 '16 at 21:14

1

Just run a while loop that sleeps for 60 seconds

[root@host] $ while true
> do
> netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
> sleep 60
> done

This will give you the same output every 60 seconds

answered Mar 28 '16 at 21:14

Chris Alderson

56
3

score 0 · Answer 5 · answered Aug 10 '21 at 09:25

0

you can use netstat interval(in second) it refresh active connection in each interval for example type in cmd: netstat 5 -> this mean every 5 seconds, netstat runs again until you press Ctrl+C

answered Aug 10 '21 at 09:25

Pooyan Tavakoli

1

Netstat continuous refresh (watch changes the output)

5 Answers5