13

How do I get the number of (currently) established TCP connections for a specific port?

I have managed to get counters for traffic working, e.g. for outgoing RTMP:

iptables -N $CHAIN                        # new chain to hold the counting rules
iptables -I OUTPUT -j $CHAIN              # send all outbound traffic through it
iptables -A $CHAIN -p tcp --sport 1935    # no -j target: the rule only counts matching packets
iptables-save                             # prints the ruleset (with -c, the counters too); it does not persist anything by itself

But now I need the number of current (not a counter) connections, for each protocol.

I can get the total number with: netstat -ant | grep ESTABLISHED | wc -l

Can anyone help? I'm not an iptables guru.

James Bennet

4 Answers

13

You say you're not a guru, but which of us is? You've done most of the heavy lifting; I'm sure the rest will occur to you in a minute or two.

Until then, try netstat -an|grep ESTABLISHED | grep -w 1935.

MadHatter
    lsof -ni:1935 -sTCP:ESTABLISHED | wc -l has also been suggested to me; is there any benefit between lsof and netstat? – James Bennet Aug 01 '13 at 08:32
  • They both hook into the underlying kernel structures. The binaries are about the same size, so will have comparable memory footprints. Offhand, I can think of no major difference. – MadHatter Aug 01 '13 at 08:33
  • I am being told they are supposed to be slow (the box will have something like 20k connections), and to use iptables, but it looks unsuitable to me? – James Bennet Aug 01 '13 at 08:37
  • Iptables seems unsuitable to me, too. Both iptables and netstat/lsof are simply userspace tools that tap into kernel structures, so I'm not quite sure why one would be much slower than the others unless the userspace portions were wildly different in size (they're not). How often do you intend to poll this statistic? – MadHatter Aug 01 '13 at 09:02
  • Every 5 minutes, cron job. – James Bennet Aug 01 '13 at 09:12
  • 1
    Then unless you're running this on the slowest system ever built this year, I doubt the overhead involved is significant in the slightest. **Try it**: run `time ...` on the command, and see how many seconds of CPU it uses. Then work out what that is as a fraction of the product of 300s (five minutes) and the number of CPUs in the box. That'll give you some idea what fraction of your system you're about to burn in monitoring this. Nothing helps deal with FUD like real data. – MadHatter Aug 01 '13 at 09:17
  • Got it working. Now, if I wanted to be able to distinguish incoming from outgoing connections, would I grep for LISTEN instead of ESTABLISHED? – James Bennet Aug 01 '13 at 09:26
  • No. `LISTEN` is for daemons awaiting new connections. If you want to distinguish outbound and inbound, you'll have to parse the netstat output with something like awk or perl, and look to see whether the service's port number is on your address or the remote one. That may get computationally expensive. – MadHatter Aug 01 '13 at 09:45
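The split between inbound and outbound that the last comment describes (look at which side of the connection carries the service port), written out as an added example that is not part of the original answer. `count_port` is a hypothetical helper name; it reads the output of either `ss -Htan state established` or `netstat -ant` on stdin, so it can be tested here on constructed sample lines and pointed at the live socket table on the box:

```shell
#!/bin/sh
# Added example (not from the original answer): count ESTABLISHED TCP
# connections on one port and split them into inbound (the port is on the
# local address, so a client connected to our daemon) and outbound (the port
# is on the peer address, so we connected out to someone else's server).
#
# count_port is a hypothetical helper; it reads connection lines on stdin
# in either of two layouts:
#   ss -Htan state established   -> "Recv-Q Send-Q Local:Port Peer:Port"
#   netstat -ant                 -> "tcp Recv-Q Send-Q Local:Port Peer:Port STATE"
# The port is whatever follows the LAST colon, which also works for IPv6
# addresses such as [2001:db8::5]:1935 (ss) or 2001:db8::5:1935 (netstat).
count_port() {
    awk -v port="$1" '
        function port_of(addr,   parts, n) {
            n = split(addr, parts, ":")
            return parts[n]
        }
        {
            if ($1 == "tcp" || $1 == "tcp6") {
                # netstat line: LISTEN and TIME_WAIT rows are not live connections
                if ($6 != "ESTABLISHED") next
                la = $4; pa = $5
            } else {
                # ss line: -H drops the header, the state filter drops the State column
                la = $3; pa = $4
            }
            if (port_of(la) == port) inbound++
            else if (port_of(pa) == port) outbound++
        }
        END { printf "inbound %d outbound %d\n", inbound + 0, outbound + 0 }
    '
}

# Constructed sample in `ss -Htan state established` layout (not real data):
# three clients connected to our port 1935, one connection we made out to a
# remote 1935, and one unrelated SSH session.
sample_ss() {
    cat <<'EOF'
0      0      10.0.0.5:1935          203.0.113.9:51234
0      0      10.0.0.5:1935          203.0.113.10:40122
0      0      [2001:db8::5]:1935     [2001:db8::77]:33100
0      0      10.0.0.5:44310         198.51.100.4:1935
0      0      10.0.0.5:22            203.0.113.9:50000
EOF
}

# The same five connections in `netstat -ant` layout, header lines and
# non-ESTABLISHED rows included (also constructed).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:1935            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:1935           203.0.113.9:51234       ESTABLISHED
tcp        0      0 10.0.0.5:1935           203.0.113.10:40122      ESTABLISHED
tcp6       0      0 2001:db8::5:1935        2001:db8::77:33100      ESTABLISHED
tcp        0      0 10.0.0.5:44310          198.51.100.4:1935       ESTABLISHED
tcp        0      0 10.0.0.5:1935           203.0.113.11:40200      TIME_WAIT
tcp        0      0 10.0.0.5:22             203.0.113.9:50000       ESTABLISHED
EOF
}

# Live use on the box:
#   ss -Htan state established | count_port 1935
#   netstat -ant | count_port 1935
# Or let ss apply the filter itself instead of awk:
#   ss -Htan state established '( sport = :1935 )' | wc -l    # inbound only
#   ss -Htan state established '( dport = :1935 )' | wc -l    # outbound only
sample_ss | count_port 1935          # prints: inbound 3 outbound 1
```

Both layouts give the same answer for the same connections; the netstat variant simply has to skip the header rows and the LISTEN/TIME_WAIT rows first, which is the "computationally expensive" part the comment warns about and is still a single awk pass over the table.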
9

It works for me:

# netstat -ant | grep ESTABLISHED | wc -l

output:

total connection 22....
slm
Radhe
4

netstat + grep is a good and simple option for a few connections, but if you have a huge number of connections I would recommend ss, as recommended in nixCraft.

For instance: ss -s

Total: 78 (kernel 79)
TCP:   31 (estab 27, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 16

Transport Total     IP        IPv6
*         79        -         -
RAW       0         0         0
UDP       4         2         2
TCP       31        2         29
INET      35        4         31
FRAG      0         0         0
Vinicius Tinti
2

There is one more command; if you want a list of IPs and the number of connections per IP, use

# NR > 2 skips the two netstat header lines; stripping only the text after the last colon keeps IPv6 addresses intact
netstat -natu | awk 'NR > 2 { sub(/:[^:]*$/, "", $5); print $5 }' | sort | uniq -c | sort -n

It gives you the IP and connection list.

Thank you.

Radhe
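The per-IP count above, restricted to the ESTABLISHED connections of one local port and taken from `ss` rather than netstat, as an added example that is not part of the original answer. `peers_on_port` is a hypothetical helper name; it reads `ss -Htan state established` output on stdin and is exercised here on constructed sample lines:

```shell
#!/bin/sh
# Added example (not from the original answer): count ESTABLISHED TCP
# connections per peer address on one local port, so a single client
# hogging the service stands out. peers_on_port is a hypothetical helper
# that reads `ss -Htan state established` output on stdin
# ("Recv-Q Send-Q Local:Port Peer:Port"); with no port argument it counts
# every established connection. Unlike `cut -d: -f1`, only the text after
# the LAST colon is removed, so an IPv6 peer such as [2001:db8::77]:33100
# comes out as 2001:db8::77 instead of "[2001".
peers_on_port() {
    awk -v port="$1" '
        function port_of(addr,   parts, n) {
            n = split(addr, parts, ":")
            return parts[n]
        }
        function host_of(addr) {
            sub(/:[^:]*$/, "", addr)
            if (substr(addr, 1, 1) == "[")
                addr = substr(addr, 2, length(addr) - 2)
            return addr
        }
        port == "" || port_of($3) == port { count[host_of($4)]++ }
        END { for (h in count) print count[h], h }
    ' | sort -rn
}

# Constructed sample in `ss -Htan state established` layout (not real data):
# one peer holds three connections to port 1935, an IPv6 peer holds two,
# a third peer holds one plus an unrelated SSH session.
sample_ss() {
    cat <<'EOF'
0      0      10.0.0.5:1935          203.0.113.9:51234
0      0      10.0.0.5:1935          203.0.113.9:51240
0      0      10.0.0.5:1935          203.0.113.9:51251
0      0      [2001:db8::5]:1935     [2001:db8::77]:33100
0      0      [2001:db8::5]:1935     [2001:db8::77]:33104
0      0      10.0.0.5:1935          203.0.113.10:40122
0      0      10.0.0.5:22            203.0.113.10:50000
EOF
}

# Live use:  ss -Htan state established | peers_on_port 1935 | head
sample_ss | peers_on_port 1935
# prints:
#   3 203.0.113.9
#   2 2001:db8::77
#   1 203.0.113.10
```

Because `ss` already filters on state in the kernel and `-H` drops the header, there is nothing to skip in awk, and the same one pass over the table gives the top talkers for the port.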