0

I'm trying to investigate why the number of connections between two physical hosts, 10.240.48.9 and 10.241.169.7 (CentOS 6), doesn't match when measured from each one respectively:

On 10.241.169.7:

$ sudo netstat -lnpa | grep tcp | grep ESTABLISHED | grep 10.240.48.9 | wc -l

54

On 10.240.48.9:

$ sudo netstat -lnpa | grep tcp | grep ESTABLISHED | grep 10.241.169.7 | wc -l

189

Why is this possible at all? I guess there is a connection leak on the side of 10.240.48.9, but how can I find out which software is leaking?

Vitaly Isaev
I too often use `wc -l` and then have to step back and compare the output directly to identify the problem, so what do these 54 lines look like compared to the 189? They should carry all the relevant info, like process name etc. – Dilettant May 31 '16 at 21:03

1 Answer

1

Try looking at the output without the `wc -l`. The pattern '10.241.169.7' matches 11 addresses. You may want a pattern like `^tcp.*10.241.169.7:.*ESTABLISHED`, which reduces the number of commands required.

You don't need sudo nor all the netstat options. Try a command like:

netstat -nt | grep '^tcp.*10.241.169.7:.*ESTABLISHED' | wc -l

BillThor
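An added example, not part of the answer above: a shell function that compares the peer address exactly against netstat's Foreign Address column and groups the matches by state and owning process, so look-alike addresses such as 10.241.169.70 are excluded and the process holding the connections becomes visible. The sample netstat output, PIDs and program names are constructed for illustration; on a real host `netstat -ntp` only shows other users' process names when run as root.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntp` output (not captured from the hosts in the question).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address      Foreign Address      State       PID/Program name
tcp        0      0 10.240.48.9:48112  10.241.169.7:5432    ESTABLISHED 2101/java
tcp        0      0 10.240.48.9:48113  10.241.169.7:5432    ESTABLISHED 2101/java
tcp        0      0 10.240.48.9:48200  10.241.169.70:5432   ESTABLISHED 3300/python
tcp        0      0 10.240.48.9:48201  10.241.169.71:443    ESTABLISHED 3300/python
tcp        0      0 10.240.48.9:48300  10.241.169.7:5432    CLOSE_WAIT  2101/java
tcp        0      0 10.240.48.9:22     10.241.169.7:51514   ESTABLISHED 1450/sshd
EOF
}

# naive_count PEER: the substring pipeline from the question, kept for comparison.
# It also counts 10.241.169.70 and 10.241.169.71.
naive_count() {
    grep tcp | grep ESTABLISHED | grep -c "$1"
}

# peer_summary PEER: reads `netstat -ntp` text on stdin and prints
# "count state pid/program" for sockets whose foreign IPv4 address is exactly PEER.
peer_summary() {
    awk -v peer="$1" '
        $1 ~ /^tcp/ {
            addr = $5                      # Foreign Address column, ip:port
            sub(/:[0-9]+$/, "", addr)      # strip the trailing :port
            if (addr == peer) count[$6 " " $7]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Demo on the constructed sample; on a real host use:
#   sudo netstat -ntp | peer_summary 10.241.169.7
sample_netstat | peer_summary 10.241.169.7
```

Running the same summary on both hosts and comparing the per-state, per-process counts shows which side holds the extra sockets and which program owns them.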