Linux Log all tcp new connections

Question

On my linux host I want to get per minute logs of all the new tcp connections being created. I have multiple tap devices on my host from which various are trying to create the tcp connections.

I have iptable POSTROUTING MASQUERADE rule on my host. So my requirement is to log the tcp connections such that I got to know at particular time which tap device Ip/Port is mapped to particular port of host for that request.

One solution I got:

sudo conntrack -E --event-mask NEW --output timestamp

But I looking for something which requires minimimum CPU/Memory and other resources.

BPF BCC https://github.com/iovisor/bcc/tree/b181a8e796bc42b53587e7e2f8008ab38a8fef8c has tcpconnect for that but it publishes only for eth0 not for other virtual network devices

Anton Danilov · Answer 1 · 2019-05-10T09:54:16.900

0

Most CPU friendly way to do it - use the ipt netflow iptables target with nat events activated. But it isn't simple and requires additional software (a netflow collector and a netflow analyzer).

Other way is usage of ULOGD2 daemon with built-in support of conntrack (example of configuration). It's very efficient too.

edited May 10 '19 at 09:54

answered May 10 '19 at 09:40

Anton Danilov

4,874
2
11
20

Linux Log all tcp new connections

1 Answers1