
Sometimes I'd like an easy way to produce lists over everything a server accepts or connects to. Not what it can connect to/accept connections from (firewall rules, etc.) but actual connections.

I can kind of solve this in a number of ways:

  • running ss or netstat on a schedule and collecting data (how often and how long to make sure nothing slips through? yuck)
  • get firewall to log almost everything (not always an option)

Both these ideas should allow me (with some post-processing and additional data gathering) to generate lists of

  • which processes
  • send and/or receive data (ok, maybe technically just connects in some cases)
  • on what ports
  • to or from which addresses

But I still have a feeling I might be missing a simpler solution. Does something like inotify / FileSystemWatcher exist for networks? Or something that can be used to similar effect? I'm more or less comfortable in both PowerShell/Bash and a few mainstream programming languages, so it is OK even if it requires some assembly.

This question here is kind of similar, but the tools recommended seem to be geared more towards what can be connected to, not where data actually flows: Automated Network Mapping

Erik I
  • ExtraHop and NetScout are a few products that do what you are looking for. (The demos I've seen are impressive, but I've never used them beyond a proof-of-concept phase.) – Doug Deden Apr 10 '19 at 18:14
  • Thanks! Those tools seem way too heavyweight for me, and I guess that holds true for the price as well. I'm working on a small proof-of-concept PowerShell script based on netstat. Will try to get back here once I have something that can do the basics. FWIW I found a useful starting point here: http://blogs.microsoft.co.il/scriptfanatic/2011/02/10/how-to-find-running-processes-and-their-port-number/ – Erik I Apr 11 '19 at 09:44
  • Depending on how many servers you have, you may want a NetFlow/IPFIX exporter – Owensteam Dec 04 '19 at 16:18
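The polling approach the question describes (run ss on a schedule, keep whatever is new), worked through as an added example that is not the asker's script or anything from the thread. It parses the output format of `ss -tunap` from iproute2 into de-duplicated (protocol, direction, process, port, peer address) records; the sample output embedded below is constructed, and the rule that an ESTAB socket on a locally listening port counts as inbound and everything else as outbound is this example's own heuristic.

```python
"""Poll `ss -tunap` and accumulate a de-duplicated inventory of which
process talks on which port with which peer.

Added example, not code from the original question. Assumes the column
layout of `ss -tunap` (Netid State Recv-Q Send-Q Local Peer Process);
the process column is absent for other users' sockets when not root.
"""
import re
import subprocess
import time
from dataclasses import dataclass

# Matches one ("name",pid=N,...) entry in ss's users:(...) column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

# Constructed sample of `ss -tunap` output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=900,fd=3))
tcp   ESTAB  0      0      10.0.0.5:22         10.0.0.9:51234    users:(("sshd",pid=1234,fd=4))
tcp   ESTAB  0      0      10.0.0.5:22         10.0.0.9:51240    users:(("sshd",pid=1250,fd=4))
tcp   LISTEN 0      244    [::1]:5432          [::]:*            users:(("postgres",pid=2000,fd=5))
tcp   ESTAB  0      0      [::1]:5432          [::1]:40000       users:(("postgres",pid=2010,fd=9))
tcp   ESTAB  0      0      10.0.0.5:44210      203.0.113.10:443  users:(("curl",pid=3100,fd=3))
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*         users:(("dhclient",pid=600,fd=6))
tcp   ESTAB  0      0      10.0.0.5:44300      203.0.113.20:443
"""


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    direction: str  # "listen", "inbound" or "outbound" (heuristic, see classify)
    process: str    # process name, "?" when ss did not show one
    port: int       # service port: local for listen/inbound, peer for outbound
    peer: str       # peer address, "*" for listeners


def split_addr(s):
    """Split 'host:port' (IPv6 hosts come bracketed) into (host, port)."""
    host, port = s.rsplit(":", 1)
    return host.strip("[]"), port


def parse_ss(lines):
    """Turn ss output lines into tuples; header and unknown netids are skipped."""
    rows = []
    for line in lines:
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "udp"):
            continue
        lhost, lport = split_addr(f[4])
        phost, pport = split_addr(f[5])
        # PIDs are kept here but dropped from Flow: forking servers such as
        # sshd would otherwise add one record per child process.
        procs = PROC_RE.findall(" ".join(f[6:])) or [("?", "0")]
        rows.append((f[0], f[1], lhost, lport, phost, pport, procs))
    return rows


def classify(rows):
    """Build the set of Flow records; direction is inferred from listening ports."""
    listening = {(proto, lport) for proto, st, _, lport, _, _, _ in rows
                 if st in ("LISTEN", "UNCONN")}
    flows = set()
    for proto, state, lhost, lport, phost, pport, procs in rows:
        for name, _pid in procs:
            if state in ("LISTEN", "UNCONN"):
                flows.add(Flow(proto, "listen", name, int(lport), "*"))
            elif (proto, lport) in listening:
                flows.add(Flow(proto, "inbound", name, int(lport), phost))
            else:
                flows.add(Flow(proto, "outbound", name, int(pport), phost))
    return flows


def inventory_from_text(text):
    return classify(parse_ss(text.splitlines()))


def poll_once(inventory):
    """Run ss once, merge new flows into `inventory`, return only the new ones."""
    out = subprocess.run(["ss", "-tunap"], capture_output=True,
                         text=True, check=True).stdout
    new = inventory_from_text(out) - inventory
    inventory |= new
    return new


if __name__ == "__main__":
    seen = set()
    while True:  # print each (process, port, peer) the first time it shows up
        for flow in sorted(poll_once(seen), key=lambda f: (f.direction, f.port)):
            print(f"{flow.proto} {flow.direction:8} {flow.process:12} "
                  f"port={flow.port} peer={flow.peer}")
        time.sleep(5)
```

Run as root so the process column is populated for every socket. Dropping the PID from the record is what keeps the inventory small on servers that fork per connection. The interval is the weak spot the question already names: a connection that opens and closes between two polls is never seen, so a short interval narrows that window but cannot close it.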
