One of system resources to monitor closely as a system administrator is network connections. In order to maintain adequate networking performance on a server, you need to watch out for any abnormal behavior in network connections (e.g., unusually high volume of connection requests), and act on it (e.g., filter DDoS or port scanning attacks).
In this tutorial, I will describe how to monitor active network connections, and how to count the number of open network connections on Linux.
When it comes to monitoring network connections, conntrack-tools is very useful. conntrack-tools are a suite of user-space utilities that allow you to view and manage network connection states that the Linux kernel keeps track of. To use conntrack-tools, Linux kernel 2.6.18 or later is recommended.
Install conntrack-tools on Linux
To monitor open network connections with conntrack-tools, first make sure that a kernel module called nf_conntrack is loaded on your system.
nf_conntrack_netlink 35452 0 nfnetlink 13984 1 nf_conntrack_netlink nf_conntrack_netbios_ns 12666 0 nf_conntrack_broadcast 12528 1 nf_conntrack_netbios_ns nf_conntrack_ipv6 14531 23 nf_defrag_ipv6 18178 1 nf_conntrack_ipv6 nf_conntrack_ipv4 14970 22 nf_nat,iptable_nat nf_defrag_ipv4 12674 1 nf_conntrack_ipv4 nf_conntrack 84046 9 nf_conntrack_netbios_ns,ipt_MASQUERADE,nf_nat,xt_conntrack,nf_conntrack_netlink,nf_conntrack_broadcast,iptable_nat,nf_conntrack_ipv4,nf_conntrack_ipv6
After verifying that nf_conntrack module is loaded, go ahead and install conntrack-tools, as well as all prerequisite packages as follows.
To install conntrack-tools on Ubuntu or Debian:
To install conntrack-tools on CentOS, Fedora or RHEL:
Monitor Open Network Connections with conntrack Utility
A command-line tool called conntrack comes with conntrack-tools package. The conntrack utility allows you to search, list, inspect network connection states.
To list open network connections with conntrack, run the following.
tcp 6 431875 ESTABLISHED src=192.168.233.1 dst=192.168.233.152 sport=41959 dport=22 src=192.168.233.152 dst=192.168.233.1 sport=22 dport=41959 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1 tcp 6 431999 ESTABLISHED src=192.168.233.1 dst=192.168.233.152 sport=41941 dport=22 src=192.168.233.152 dst=192.168.233.1 sport=22 dport=41941 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1 conntrack v1.4.0 (conntrack-tools): 2 flow entries have been shown.
To count the number of open network connections, run:
To monitor the creation of individual network connections, use the following command. Each time a new network connection is established, the event will show up in the output in real-time.
[NEW] tcp 6 120 SYN_SENT src=192.168.233.1 dst=192.168.233.152 sport=41953 dport=22 [UNREPLIED] src=192.168.233.152 dst=192.168.233.1 sport=22 dport=41953 [NEW] udp 17 30 src=192.168.233.152 dst=192.168.233.2 sport=60338 dport=53 [UNREPLIED] src=192.168.233.2 dst=192.168.233.152 sport=53 dport=60338 [NEW] udp 17 30 src=192.168.233.1 dst=188.8.131.52 sport=5353 dport=5353 [UNREPLIED] src=184.108.40.206 dst=192.168.233.1 sport=5353 dport=5353 [NEW] udp 17 30 src=192.168.233.152 dst=220.127.116.11 sport=5353 dport=5353 [UNREPLIED] src=18.104.22.168 dst=192.168.233.152 sport=5353 dport=5353
To monitor new SSH connections in real-time, run the following.
Monitor Open Network Connections with conntrackd Daemon
If you would like to collect long-term statistics on network connection events (e.g., NEW, UPDATE, DESTROY), you can use conntrackd, user-space daemon for connection tracking system.
First, make sure that conntrackd configuration file is correct, in terms of network interface and IP address.
IPv4_interface 192.168.233.153 Interface eth0
To run conntrackd as a daemon:
Once conntrackd daemon is running in the background, you can dump the statistics collected by the daemon as follows.
cache internal: current active connections: 2 connections created: 4 failed: 0 connections updated: 13 failed: 0 connections destroyed: 2 failed: 0 cache external: current active connections: 0 connections created: 0 failed: 0 connections updated: 0 failed: 0 connections destroyed: 0 failed: 0 traffic processed: 0 Bytes 0 Pckts multicast traffic (active device=eth0): 9624 Bytes sent 0 Bytes recv 1138 Pckts sent 0 Pckts recv 0 Error send 0 Error recv message tracking: 0 Malformed msgs 0 Lost msgs
Subscribe to Xmodulo
Do you want to receive Linux FAQs, detailed tutorials and tips published at Xmodulo? Enter your email address below, and we will deliver our Linux posts straight to your email box, for free. Delivery powered by Google Feedburner.
Did you find this tutorial helpful? Then please be generous and support Xmodulo!
Latest posts by Dan Nanni (see all)
- How to install Suricata intrusion detection system on Linux - September 3, 2015
- How to switch from NetworkManager to systemd-networkd on Linux - August 31, 2015
- How to set up a system status page of your infrastructure - August 25, 2015