How to count the number of open network connections on Linux

One of system resources to monitor closely as a system administrator is network connections. In order to maintain adequate networking performance on a server, you need to watch out for any abnormal behavior in network connections (e.g., unusually high volume of connection requests), and act on it (e.g., filter DDoS or port scanning attacks).

In this tutorial, I will describe how to monitor active network connections, and how to count the number of open network connections on Linux.

When it comes to monitoring network connections, conntrack-tools is very useful. conntrack-tools are a suite of user-space utilities that allow you to view and manage network connection states that the Linux kernel keeps track of. To use conntrack-tools, Linux kernel 2.6.18 or later is recommended.

Install conntrack-tools on Linux

To monitor open network connections with conntrack-tools, first make sure that a kernel module called nf_conntrack is loaded on your system.

$ lsmod | grep nf_conntrack
nf_conntrack_netlink    35452  0 
nfnetlink              13984  1 nf_conntrack_netlink
nf_conntrack_netbios_ns    12666  0 
nf_conntrack_broadcast    12528  1 nf_conntrack_netbios_ns
nf_conntrack_ipv6      14531  23 
nf_defrag_ipv6         18178  1 nf_conntrack_ipv6
nf_conntrack_ipv4      14970  22 nf_nat,iptable_nat
nf_defrag_ipv4         12674  1 nf_conntrack_ipv4
nf_conntrack           84046  9 nf_conntrack_netbios_ns,ipt_MASQUERADE,nf_nat,xt_conntrack,nf_conntrack_netlink,nf_conntrack_broadcast,iptable_nat,nf_conntrack_ipv4,nf_conntrack_ipv6

After verifying that nf_conntrack module is loaded, go ahead and install conntrack-tools, as well as all prerequisite packages as follows.

To install conntrack-tools on Ubuntu or Debian:

$ sudo apt-get install conntrack conntrackd libnetfilter-conntrack3

To install conntrack-tools on CentOS, Fedora or RHEL:

$ sudo yum install conntrack-tools libnetfilter_conntrack

Monitor Open Network Connections with conntrack Utility

A command-line tool called conntrack comes with conntrack-tools package. The conntrack utility allows you to search, list, inspect network connection states.

To list open network connections with conntrack, run the following.

$ sudo conntrack -L
tcp      6 431875 ESTABLISHED src= dst= sport=41959 dport=22 src= dst= sport=22 dport=41959 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp      6 431999 ESTABLISHED src= dst= sport=41941 dport=22 src= dst= sport=22 dport=41941 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
conntrack v1.4.0 (conntrack-tools): 2 flow entries have been shown.

To count the number of open network connections, run:

$ sudo conntrack -C

To monitor the creation of individual network connections, use the following command. Each time a new network connection is established, the event will show up in the output in real-time.

$ sudo conntrack -E -e NEW
    [NEW] tcp      6 120 SYN_SENT src= dst= sport=41953 dport=22 [UNREPLIED] src= dst= sport=22 dport=41953
    [NEW] udp      17 30 src= dst= sport=60338 dport=53 [UNREPLIED] src= dst= sport=53 dport=60338
    [NEW] udp      17 30 src= dst= sport=5353 dport=5353 [UNREPLIED] src= dst= sport=5353 dport=5353
    [NEW] udp      17 30 src= dst= sport=5353 dport=5353 [UNREPLIED] src= dst= sport=5353 dport=5353

To monitor new SSH connections in real-time, run the following.

$ sudo conntrack -E -e NEW -p tcp --dport 22

Monitor Open Network Connections with conntrackd Daemon

If you would like to collect long-term statistics on network connection events (e.g., NEW, UPDATE, DESTROY), you can use conntrackd, user-space daemon for connection tracking system.

First, make sure that conntrackd configuration file is correct, in terms of network interface and IP address.

$ sudo vi /etc/conntrackd/conntrackd.conf
                Interface eth0

To run conntrackd as a daemon:

$ sudo conntrackd -d

Once conntrackd daemon is running in the background, you can dump the statistics collected by the daemon as follows.

$ sudo conntrackd -s
cache internal:
current active connections:	           2
connections created:		           4	failed:	           0
connections updated:		          13	failed:	           0
connections destroyed:		           2	failed:	           0

cache external:
current active connections:	           0
connections created:		           0	failed:	           0
connections updated:		           0	failed:	           0
connections destroyed:		           0	failed:	           0

traffic processed:
                   0 Bytes                         0 Pckts

multicast traffic (active device=eth0):
                9624 Bytes sent                    0 Bytes recv
                1138 Pckts sent                    0 Pckts recv
                   0 Error send                    0 Error recv

message tracking:
                   0 Malformed msgs                    0 Lost msgs
Download this article as ad-free PDF (made possible by your kind donation): 
Download PDF

Subscribe to Xmodulo

Do you want to receive Linux FAQs, detailed tutorials and tips published at Xmodulo? Enter your email address below, and we will deliver our Linux posts straight to your email box, for free. Delivery powered by Google Feedburner.

Support Xmodulo

Did you find this tutorial helpful? Then please be generous and support Xmodulo!

The following two tabs change content below.
Dan Nanni is the founder and also a regular contributor of He is a Linux/FOSS enthusiast who loves to get his hands dirty with his Linux box. He likes to procrastinate when he is supposed to be busy and productive. When he is otherwise free, he likes to watch movies and shop for the coolest gadgets.

4 thoughts on “How to count the number of open network connections on Linux

  1. If you type 'ss', it merely shows established connections. 'ss' is a defacto net-tool likely installed by default on all linux distros :) (there's also rtmon, and ip monitor)

    the upgrade of the net-tools package on all main linux distros is the reason why its commands can harbor this facility.

  2. If you are using your Linux server as a router, conntrack is the ONLY way to see connections tracked by your router from client machines.

    Netstat, ss, lsof all show connections originating from the Linux server, NOT connections passing through the Linux server.

    # cat /proc/net/nf_conntrack

    Also, CentOS does not have a conntrack-tools package. You must build that from source.

Leave a comment

Your email address will not be published. Required fields are marked *