
Is there a Linux server utility that can list the network ports and protocols that have been active over a given period of time?

For example, I'd like to know which ports and protocols were active at least once last week. The answer would be something like: TCP/80, TCP/443, UDP/5678...

Numid
  • What do you mean by "active"? A process was listening on one of those ports? There was an incoming connection on one of those ports? A process connected to that port on a remote server? Something else? – jcaron Aug 30 '23 at 23:30
  • I mean that incoming connections have occurred. – Numid Sep 01 '23 at 17:20

1 Answer


You can install and activate auditd. Add these rules to the audit config:

-a always,exit -F arch=b64 -S connect -F key=CONNECT
-a always,exit -F arch=b64 -S bind -F key=BIND
-a always,exit -F arch=b64 -S socket -F key=SOCKET
-a always,exit -F arch=b64 -S listen -F key=LISTEN
-a always,exit -F arch=b64 -S shutdown -F key=SHUTDOWN
-a always,exit -F arch=b64 -S close -F key=CLOSE

and then, in the audit logs, you will be able to monitor socket-related system calls.

If you want to find old information now (and do not have audit), I do not think you will find relevant information in Linux.

Romeo Ninov
  • Thank you. That utility seems to be a good fit for monitoring the socket activity of the server. However, the log it produces is dense. How can I extract the desired information? Digging a little bit deeper, I have found https://www.linkedin.com/pulse/using-auditd-monitor-network-connections-alex-maestretti/ along with https://twiki.cern.ch/twiki/bin/view/LinuxSupport/IDSNetConnectionLogger. Still, I can't make my way out of it. – Numid Sep 01 '23 at 08:55
  • @Numid, you can filter by using the `key` value directly from `audit`. And then filter by port, IP, etc. – Romeo Ninov Sep 01 '23 at 09:16
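One way to turn the trail those rules produce into the "TCP/80, UDP/5678" list the question asks for, as an added example that is not part of the answer above: it correlates each SOCKET record (return value = file descriptor, a1 = socket type) with the BIND record of the same pid and descriptor, and decodes the port from the SOCKADDR record that shares the bind event's serial. The log lines are constructed (real records carry many more fields, which the parser ignores) and the key names are the ones used in the rules above.

```python
import re

# Constructed auditd SYSCALL/SOCKADDR records (fields abbreviated), as the rules above emit them.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1693560000.101:4567): arch=c000003e syscall=41 success=yes exit=6 a0=2 a1=80801 a2=6 a3=0 pid=1234 comm="nginx" key="SOCKET"
type=SYSCALL msg=audit(1693560000.102:4568): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=7ffd3c2e a2=10 a3=0 pid=1234 comm="nginx" key="BIND"
type=SOCKADDR msg=audit(1693560000.102:4568): saddr=02000050000000000000000000000000
type=SYSCALL msg=audit(1693560000.201:4570): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=2 a2=11 a3=0 pid=987 comm="ntpd" key="SOCKET"
type=SYSCALL msg=audit(1693560000.202:4571): arch=c000003e syscall=49 success=yes exit=0 a0=4 a1=7ffd1a00 a2=10 a3=0 pid=987 comm="ntpd" key="BIND"
type=SOCKADDR msg=audit(1693560000.202:4571): saddr=0200162E000000000000000000000000
type=SYSCALL msg=audit(1693560000.301:4572): arch=c000003e syscall=41 success=yes exit=7 a0=a a1=1 a2=6 a3=0 pid=1234 comm="nginx" key="SOCKET"
type=SYSCALL msg=audit(1693560000.302:4573): arch=c000003e syscall=49 success=yes exit=0 a0=7 a1=7ffd3c2e a2=1c a3=0 pid=1234 comm="nginx" key="BIND"
type=SOCKADDR msg=audit(1693560000.302:4573): saddr=0A0001BB000000000000000000000000000000000000000000000000
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')   # event serial links SYSCALL to SOCKADDR
SOCK_TYPES = {1: "TCP", 2: "UDP"}                      # SOCK_STREAM, SOCK_DGRAM

def parse_record(line):
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    rec["serial"] = m.group(1) if m else None
    return rec

def port_from_saddr(saddr):
    """Decode auditd's saddr hex: family (host byte order) then port (network order)."""
    family = int.from_bytes(bytes.fromhex(saddr[:4]), "little")
    if family not in (2, 10):            # AF_INET / AF_INET6; skip unix, netlink, ...
        return None
    return int(saddr[4:8], 16)

def bound_ports(lines):
    """Return sorted 'PROTO/port' strings for every successful bind() in the log."""
    fd_type = {}    # (pid, fd) -> "TCP"/"UDP", learned from the socket() record
    pending = {}    # serial -> (pid, fd) of a bind() waiting for its SOCKADDR record
    found = set()
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL" and rec.get("success") == "yes":
            if rec.get("key") == "SOCKET":
                # a1 carries SOCK_NONBLOCK/SOCK_CLOEXEC in the high bits; mask down to the type
                fd_type[(rec["pid"], int(rec["exit"]))] = SOCK_TYPES.get(int(rec["a1"], 16) & 0xF)
            elif rec.get("key") == "BIND":
                pending[rec["serial"]] = (rec["pid"], int(rec["a0"], 16))   # a0 is printed in hex
        elif rec.get("type") == "SOCKADDR" and rec.get("serial") in pending:
            proto = fd_type.get(pending.pop(rec["serial"]))
            port = port_from_saddr(rec["saddr"])
            if proto and port is not None:
                found.add(f"{proto}/{port}")
    return sorted(found)
```

On a real host feed it the lines of `/var/log/audit/audit.log` (or `ausearch --raw` output) for the week in question. Keep in mind that bind() records show which ports were offered, not which ones actually received a connection, since accept() is not among the rules above.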