How to count the number of open network connections on Linux

One of system resources to monitor closely as a system administrator is network connections. In order to maintain adequate networking performance on a server, you need to watch out for any abnormal behavior in network connections (e.g., unusually high volume of connection requests), and act on it (e.g., filter DDoS or port scanning attacks).

In this tutorial, I will describe how to monitor active network connections, and how to count the number of open network connections on Linux.

When it comes to monitoring network connections, conntrack-tools is very useful. conntrack-tools are a suite of user-space utilities that allow you to view and manage network connection states that the Linux kernel keeps track of. To use conntrack-tools, Linux kernel 2.6.18 or later is recommended.

Load Necessary Kernel Modules

To monitor open IPv4 network connections with conntrack-tools, first make sure that a kernel module called nf_conntrack_ipv4 is loaded on your system.

$ sudo modprobe nf_conntrack_ipv4

If you want to monitor IPv6 connections, you can load nf_conntrack_ipv6 module as well.

$ sudo modprobe nf_conntrack_ipv6

Depending on distributions you are using, these modules may already come preloaded.

Install conntrack-tools on Linux

After verifying that nf_conntrack_ipv4 module is loaded, go ahead and install conntrack-tools, as well as all prerequisite packages as follows.

Ubuntu, Debian or Linux Mint:

$ sudo apt-get install conntrack conntrackd libnetfilter-conntrack3

CentOS, Fedora or RHEL:

$ sudo yum install conntrack-tools libnetfilter_conntrack

Monitor Open Network Connections with conntrack Utility

A command-line tool called conntrack comes with conntrack-tools package. The conntrack utility allows you to search, list, inspect network connection states from the command line.

To print all network connections being tracked with conntrack, run the following command.

$ sudo conntrack -L

The output will show different types of IPv4-based connections including TCP, UDP and ICMP traffic. For TCP-based network connections, the output will include not only currently active connections (in "ESTABLISHED" state), but also connections that are opening up (in "SYNC_SENT" or "SYNC_RECV" state) or connections that are about to be closed (in "TIME_WAIT", "CLOSE_WAIT" or "FIN_WAIT" state).

To count the total number of network connections at the moment, simply run:

$ sudo conntrack -C

If you want to monitor newly created network connections as real-time events, use the following command.

$ sudo conntrack -E -e NEW

This command will print only those connections whose status is NEW. Thus each time a new network connection is established, the event will appear in the screen in real-time.

You can apply various filtering in the output of conntrack tool.

For example, to display open TCP connections only, run the following command.

$ sudo conntrack -L -p tcp --state ESTABLISHED

To show UDP network connections with destination port 500:

$ sudo conntrack -L -p udp --dport 500

If you want to monitor new SSH connections in real-time, run the following.

$ sudo conntrack -E -e NEW -p tcp --dport 22

Monitor Open Network Connections with conntrackd Daemon

Another tool for network connection monitoring is conntrackd, user-space daemon for connection tracking system. While conntrackd is originally designed to synchronize the kernel's connection tracking state between multiple (e.g., active/standby) firewall instances in high availability deployment, it can be used to collect and view statistics on network connection events (e.g., NEW, UPDATE, DESTROY) for monitoring purposes.

Before using conntrackd, make sure that conntrackd configuration in /etc/conntrackd/conntrackd.conf is correct in terms of network interface and IPv4 address (if they are specified), as shown below.

$ sudo vi /etc/conntrackd/conntrackd.conf
    Multicast {
        . . . . .
        Interface eth0
        . . . . .

If there is no such specification, you can use the default configuration without any modification.

To run conntrackd as a daemon:

$ sudo conntrackd -d

Once conntrackd daemon is running in the background, you can dump the statistics collected by the daemon as follows.

$ sudo conntrackd -s
cache internal:
current active connections:	           2
connections created:		           4	failed:	           0
connections updated:		          13	failed:	           0
connections destroyed:		           2	failed:	           0

cache external:
current active connections:	           0
connections created:		           0	failed:	           0
connections updated:		           0	failed:	           0
connections destroyed:		           0	failed:	           0

traffic processed:
                   0 Bytes                         0 Pckts

multicast traffic (active device=eth0):
                9624 Bytes sent                    0 Bytes recv
                1138 Pckts sent                    0 Pckts recv
                   0 Error send                    0 Error recv

message tracking:
                   0 Malformed msgs                    0 Lost msgs

Subscribe to Xmodulo

Do you want to receive Linux FAQs, detailed tutorials and tips published at Xmodulo? Enter your email address below, and we will deliver our Linux posts straight to your email box, for free. Delivery powered by Google Feedburner.

Support Xmodulo

Did you find this tutorial helpful? Then please be generous and support Xmodulo!

The following two tabs change content below.
Dan Nanni is the founder and also a regular contributor of He is a Linux/FOSS enthusiast who loves to get his hands dirty with his Linux box. He likes to procrastinate when he is supposed to be busy and productive. When he is otherwise free, he likes to watch movies and shop for the coolest gadgets.

7 thoughts on “How to count the number of open network connections on Linux

  1. If you type 'ss', it merely shows established connections. 'ss' is a defacto net-tool likely installed by default on all linux distros :) (there's also rtmon, and ip monitor)

    the upgrade of the net-tools package on all main linux distros is the reason why its commands can harbor this facility.

  2. If you are using your Linux server as a router, conntrack is the ONLY way to see connections tracked by your router from client machines.

    Netstat, ss, lsof all show connections originating from the Linux server, NOT connections passing through the Linux server.

    # cat /proc/net/nf_conntrack

    Also, CentOS does not have a conntrack-tools package. You must build that from source.

  3. Nice. Thanks for sharing Dan. It's handy to be aware of and have interactive tools to run on a local system when troubleshooting. ;-) There's also the TCP MIB where you can find this information exported via SNMP. Established connections is found at OID tcp.tcpCurrEstab.0 (or numeric OID . Many more OIDs are listed on the NetSNMP TCP MIB page.

  4. Hello,
    Personally - I would go with : netstat -natup | grep -i established | wc
    So this filters out the part where the process is just listening, but there is no actual connection.

Leave a comment

Your email address will not be published. Required fields are marked *