Monitoring active network connections with tcptrack
Posted by Steve on Sat 20 Aug 2005 at 13:45
There are many common scenarios where keeping track of open network connections is useful. General troubleshooting or fixing specific problems are two obvious cases which spring to mind. The most useful tool I've discovered for this purpose is tcptrack.
Whilst there are many other ways in which you can view open network connections (such as running "netstat -an"), tcptrack shows the useful aspects of open connections in a very concise manner, and it updates in real time. Because the software is so small it is simple to install, use, and then remove, unlike heavier alternatives such as ntop.
The combination of per-connection details and real-time updates is ideal for getting a quick picture of the open connections on a host.
tcptrack shows you:
- Client IP address and source port.
- Server IP address and destination port.
- Current state. ("Established", "Closing", etc.)
- Average data throughput.
To install it you may simply run:
apt-get install tcptrack
Once it has been installed, become root (libpcap needs raw access to the interface to capture packets) and run it against the interface you want to watch:
tcptrack -i <interface name>
For example:
tcptrack -i eth0
The display will look something like this:
Client                Server                State         Idle   A  Speed
192.168.1.80:3825     126.96.36.199:1863    ESTABLISHED   20s       0 B/s
192.168.1.80:1267     xx.xx.xx.xx:22        ESTABLISHED   1m        0 B/s
Obviously if you're running this on a gateway you will see all the current connections of your users, so you should only do this if you have the required permission to do so. (On an ordinary host attached to a switched network you will normally only see the connections of that host itself, since the switch delivers only its own traffic to the interface.)
If you wish to study the connections in more detail you can pause the updates via the "p" key. This will toggle the display between paused and live states. (Pressing either "q", or Ctrl-c will exit the display and the program.)
As the software is built upon the libpcap library for packet capture you also have access to "filters". These filters are a small language for describing packets, or connections in this case, of interest.
For example if you only wished to see connections destined to arrive at port 80 (HTTP) then you could run:
tcptrack -i eth0 "dst port 80"
Here the optional filter has told the software we only care about packets matching the expression "destination port 80". Note that this matches only the packets travelling towards port 80; the replies, which have source port 80, are not captured, so tcptrack sees only half of each conversation and the byte counts reflect only the client's side. To capture both directions of the same connections use "port 80" instead, which matches either the source or the destination port.
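To make concrete what a libpcap-based tracker like tcptrack derives from raw packets (the client/server endpoints, the connection state, the byte count and average speed listed above) and what a one-sided filter such as "dst port 80" does to that view, here is a small connection tracker written for this article. It is an added example, not tcptrack's own code: the packets are constructed tuples standing in for what libpcap would hand over, the filter parser supports only a tiny subset of the pcap syntax (port/host terms joined by "and"), and the state machine is a deliberate simplification (it only opens a connection on a SYN it has seen, whereas a real tracker may also pick up connections that are already in progress).

```python
"""Toy TCP connection tracker in the spirit of tcptrack (added example, not
tcptrack's code).  Packets are constructed inline; nothing is captured."""
from dataclasses import dataclass

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04   # TCP flag bits


@dataclass
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: int = 0          # bytes of TCP payload


@dataclass
class Connection:
    client: tuple             # (ip, port) of the side that sent the SYN
    server: tuple
    state: str = "SYN_SENT"
    first_ts: float = 0.0
    last_ts: float = 0.0
    bytes: int = 0

    def avg_speed(self):
        """Average throughput in bytes/second over the connection's lifetime."""
        span = self.last_ts - self.first_ts
        return self.bytes / span if span > 0 else 0.0

    def idle(self, now):
        return now - self.last_ts


def compile_filter(expr):
    """Turn a subset of pcap filter syntax into a predicate over Packet.
    Supported: '[src|dst] port N', '[src|dst] host H', joined with 'and'.
    The real BPF language is far richer; this covers the article's examples."""
    preds = []
    terms = [t.strip() for t in expr.split(" and ")] if expr.strip() else []
    for term in terms:
        words = term.split()
        direction = None
        if words and words[0] in ("src", "dst"):
            direction, words = words[0], words[1:]
        if len(words) != 2 or words[0] not in ("port", "host"):
            raise ValueError(f"unsupported filter term: {term!r}")
        kind, value = words
        if kind == "port":
            value = int(value)
            src_f, dst_f = (lambda p: p.sport), (lambda p: p.dport)
        else:
            src_f, dst_f = (lambda p: p.src), (lambda p: p.dst)
        if direction == "src":
            preds.append(lambda p, v=value, f=src_f: f(p) == v)
        elif direction == "dst":
            preds.append(lambda p, v=value, f=dst_f: f(p) == v)
        else:   # undirected term matches either end, like pcap's 'port N'
            preds.append(lambda p, v=value, s=src_f, d=dst_f: s(p) == v or d(p) == v)
    return lambda p: all(pred(p) for pred in preds)


def track(packets, filter_expr=""):
    """Apply the filter, then update a table keyed by (client, server)."""
    match = compile_filter(filter_expr)
    table = {}
    for p in sorted(packets, key=lambda p: p.ts):
        if not match(p):
            continue
        a, b = (p.src, p.sport), (p.dst, p.dport)
        key = (a, b) if (a, b) in table else (b, a) if (b, a) in table else None
        if key is None:
            # Simplification: only a bare SYN opens a tracked connection, and
            # whoever sent it is the client.  Mid-stream packets are dropped.
            if p.flags & SYN and not p.flags & ACK:
                key = (a, b)
                table[key] = Connection(client=a, server=b, first_ts=p.ts, last_ts=p.ts)
            else:
                continue
        c = table[key]
        c.last_ts = p.ts
        c.bytes += p.payload
        if p.flags & RST:
            c.state = "RESET"
        elif p.flags & FIN:
            c.state = "CLOSING"
        elif p.flags & SYN and p.flags & ACK:
            c.state = "SYN_RECV"          # server answered the handshake
        elif c.state in ("SYN_SENT", "SYN_RECV") and p.flags & ACK:
            c.state = "ESTABLISHED"
    return table


def render(table, now):
    """Rows in the same shape as tcptrack's display."""
    rows = ["%-22s %-22s %-12s %6s %10s" % ("Client", "Server", "State", "Idle", "Speed")]
    for c in table.values():
        rows.append("%-22s %-22s %-12s %5.1fs %8.0f B/s" % (
            "%s:%d" % c.client, "%s:%d" % c.server, c.state, c.idle(now), c.avg_speed()))
    return "\n".join(rows)


# Constructed sample: one HTTP request/response that closes, one ssh session
# that stays open.  Addresses are made up for the example.
SAMPLE = [
    Packet(0.0, "192.168.1.80", 3825, "10.0.0.5", 80, SYN),
    Packet(0.1, "10.0.0.5", 80, "192.168.1.80", 3825, SYN | ACK),
    Packet(0.2, "192.168.1.80", 3825, "10.0.0.5", 80, ACK),
    Packet(0.3, "192.168.1.80", 3825, "10.0.0.5", 80, ACK, payload=120),   # request
    Packet(0.5, "192.168.1.80", 1267, "10.0.0.9", 22, SYN),
    Packet(0.6, "10.0.0.9", 22, "192.168.1.80", 1267, SYN | ACK),
    Packet(0.7, "192.168.1.80", 1267, "10.0.0.9", 22, ACK),
    Packet(1.0, "10.0.0.5", 80, "192.168.1.80", 3825, ACK, payload=4000),  # response
    Packet(1.2, "192.168.1.80", 3825, "10.0.0.5", 80, FIN | ACK),
    Packet(2.0, "192.168.1.80", 1267, "10.0.0.9", 22, ACK, payload=64),
]

if __name__ == "__main__":
    for expr in ("", "port 80", "dst port 80"):
        print("filter: %r" % expr)
        print(render(track(SAMPLE, expr), now=2.5), "\n")
```

Running it with the three filters shows the point of the caveat above: with no filter both connections appear; with "port 80" the HTTP connection is tracked with all 4120 bytes of both directions; with "dst port 80" it still reaches ESTABLISHED and CLOSING (the client's own ACK and FIN are enough for that), but the byte count drops to the 120 bytes of the request, because every packet the server sent has source port 80 and never passed the filter.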
For more details on the available filter language your best option is to read the tcpdump manpage; if you install tcpdump you'll be able to consult it with "man tcpdump". (On newer systems the filter syntax also has a manpage of its own, "man pcap-filter".)
If you don't wish to install tcpdump just to read the documentation then you can find the tcpdump manpage online here. (Although this link might break in the future.)
tcptrack has a few more useful command line switches; to view those consult its manpage with "man tcptrack".