37

I am wondering what is the command/utility to have a real-time view of incoming IPs to my server, ideally along with the port and connected.

alfish

6 Answers

40

Use pktstat -n

interface: eth0
bps

   bps    % desc
 162.3   0% arp
 286.5   0% llc 802.1d -> 802.1d
 544.3   1% tcp 172.16.1.5:22 <-> 172.16.1.95:8074
 34.0k  87% udp 172.16.1.1:514 <-> 172.16.1.5:514
 350.1   0% udp 172.16.1.5:24330 <-> 209.18.47.62:53
 329.4   0% udp 172.16.1.5:34870 <-> 209.18.47.62:53
 388.3   0% udp 172.16.1.5:4470 <-> 209.18.47.62:53
 407.4   1% udp 172.16.1.5:47008 <-> 209.18.47.62:53
 741.6   1% udp 172.16.1.5:53 <-> 172.16.1.74:43289
 663.6   1% udp 172.16.1.5:53 <-> 172.16.1.74:44589
 647.7   1% udp 172.16.1.5:53 <-> 172.16.1.74:58223
 128.9   0% udp 172.16.1.74:5353 <-> 224.0.0.251:5353
 160.7   0% udp6 fe80::21c:bfff:fecf:a798,5353 <-> ff02::fb,5353

The pktstat source code is hosted on Debian's site, or you can get it from SourceArchive.com

Mike Pennington
  • Amazing. Exactly what I was looking for. It is quite obvious, but to complete the answer you might want to add that it can be installed simply by 'apt-get install pktstat'. – alfish Oct 10 '13 at 20:12
  • Also, if you get `pktstat: pcap_lookupdev: no suitable device found` when running this, you might need to be root. – Tim Malone Jan 06 '18 at 11:49
12

For 'purdy' display, I'm partial to a tool called 'iptraf' that will do just what you mention, as well as per interface, and per port aggregates.

For core Linux tools, trusty netstat will do the trick...

thinice
  • IPtraf is the best tool I've seen in terms of usability and functionality - obviously you can still script some stuff using standard tools like netstat and ngrep and tcpdump, but why would you want to reinvent the wheel :) – milosgajdos Jul 07 '12 at 14:25
  • For completeness, iftop is similar to iptraf - an ncurses based app that uses bar graphs rather than just numbers - to display bandwidth usage per IP address. With the -P option you can get it per port as well. – gsreynolds Jul 07 '12 at 22:45
12

Here is how to see all traffic coming to port 2222:

tcpdump -ni any port 2222
Basj
8

A tcpdump would show you that; if you just wanted a list of IPs, you could filter on SYN packets and only output the source IP address. Something like:

tcpdump -l -i eth0 -n 'tcp[tcpflags] & tcp-syn != 0 and not src and dst net localnet' | sed 's/^.*IP \([^ ]*\)\.[0-9]* >.*$/\1/'

Would get you the list of IPs, in realtime. You could also tee that to a file, and periodically do a sort -u on it to get a list of unique IP addresses that have sent connections your way.

womble
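As an added example that is not part of any answer above: a small POSIX shell function that does the same job as the tcpdump-plus-sed pipeline, but on constructed sample output rather than a live capture. It keeps only pure SYN packets (so the server's own SYN-ACK replies are not counted), strips the port that tcpdump appends to each address, and prints "source -> destination port"; a second function gives the "sort -u" list of distinct sources. The function names and the sample lines are my own assumptions, not real traffic.

```shell
#!/bin/sh
# Added example (not from any answer on this page): turn tcpdump output into
# a live list of who is connecting and to which port. Function names are
# hypothetical; the sample capture below is constructed, not real traffic.

# Constructed sample of what `tcpdump -lni eth0` prints: an inbound SSH SYN,
# our SYN-ACK reply, two more inbound SYNs, a data segment and an IPv6 SYN.
SAMPLE_TCPDUMP_OUTPUT='12:00:01.000001 IP 203.0.113.7.51512 > 192.0.2.10.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 192.0.2.10.22 > 203.0.113.7.51512: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:02.000003 IP 198.51.100.23.44021 > 192.0.2.10.443: Flags [S], seq 3, win 64240, length 0
12:00:02.000004 IP 203.0.113.7.51513 > 192.0.2.10.80: Flags [S], seq 4, win 64240, length 0
12:00:03.000005 IP 192.0.2.10.22 > 203.0.113.7.51512: Flags [P.], seq 1:37, ack 1, win 509, length 36
12:00:04.000006 IP6 2001:db8::5.40000 > 2001:db8::1.22: Flags [S], seq 5, win 64240, length 0'

# syn_sources: read tcpdump lines on stdin, print "<source ip> -> <dest port>"
# for every pure SYN (Flags [S]). SYN-ACKs (Flags [S.]) and data segments are
# dropped, so only connection attempts towards this host are listed.
# tcpdump writes addresses as a.b.c.d.PORT (or v6addr.PORT), so the last
# dot-separated field is the port and everything before it is the address.
syn_sources() {
    grep -F 'Flags [S],' \
    | sed -n 's/^.* IP6\{0,1\} \(.*\)\.\([0-9]*\) > .*\.\([0-9]*\): .*$/\1 -> \3/p'
}

# unique_sources: the "tee to a file and sort -u" idea from the answer above,
# done inline: distinct source addresses seen so far, one per line.
unique_sources() {
    syn_sources | awk '{ print $1 }' | LC_ALL=C sort -u
}

# Stand-alone demo on the constructed sample. Live use (needs root; -l keeps
# tcpdump line-buffered so the pipe really is real-time):
#   tcpdump -lni eth0 'tcp[tcpflags] & tcp-syn != 0' | syn_sources
printf '%s\n' "$SAMPLE_TCPDUMP_OUTPUT" | syn_sources
```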
4

You can use last to get an idea where your connections are coming from:

last | tac

The results, now in chronological order, look like this:

root     pts/0        xx.yy.zz.1       Fri Jan 31 09:13 - 13:25  (04:11)
root     pts/1        master01-server.ne Fri Jan 31 09:36   still logged in
root     pts/2        xx.yy.zz.1       Fri Jan 31 10:29 - 14:41  (04:11)
root     pts/3        master01-server.ne Fri Jan 31 10:33 - 18:31  (07:58)
root     pts/4        master01-server.ne Fri Jan 31 13:04 - 18:32  (05:28)
root     pts/0        xx.yy.zz.1       Fri Jan 31 13:41 - 16:33  (02:52)
root     pts/0        master01-server.ne Mon Feb  3 08:37   still logged in

If you want more details, and your sysadmin no longer allows netstat, use ss:

ss | grep xx.zx.yz.161

tcp    ESTAB      0      0      nnn.mm.oo.6:ssh                  xx.zx.yz.161:49046
tcp    ESTAB      0      0      nnn.mm.oo.6:ssh                  xx.zx.yz.161:54800
Lefty G Balogh
  • Note that `last` shows the last logged-in users, not arbitrary connections. `netstat` and `ss`, on the other hand, can be used for any kind of connection. – Florian Brucker Apr 26 '22 at 16:11
0

Once you get the output of one of the commands mentioned in other answers, you can use the "watch" tool to have "real-time". For example, "watch -n 5 ps" will run the command "ps" every 5 seconds ("-n" argument). Replace "ps" with the command of interest, and you will get "monitoring". Or, just "tee" to a file, as in another suggestion.