8

On a Linux server one can use netstat -tan | grep ESTABLISHED| wc -l but this will not work on a high load server with watch -n1.

Such approach works fine if the server is not very busy or the monitoring interval is big enough. But what can be recommended as alternative for a high load server?

TheCleaner
  • 32,627
  • 26
  • 132
  • 191
Vinicius Tinti
  • 325
  • 4
  • 9
  • possible duplicate of [How do I get the number of (currently) established TCP connections for a specific port?](http://serverfault.com/questions/527875/how-do-i-get-the-number-of-currently-established-tcp-connections-for-a-specifi) – user9517 Nov 25 '14 at 07:07
  • I don't understand. Do you mean you want an update more often than every 1 second? Or you want to know the total number of connections that were established during some period, instead of the number of connections that are established at the moment you run netstat? – Andrew Schulman Nov 25 '14 at 15:50
  • @AndrewSchulman on high load,`netstat` followed by a `grep` command will not be fast enough to give statistics in order of seconds. But you can get it with `ss` or parsing `/proc`. I want to know the number of TCP established connections each second. – Vinicius Tinti Nov 25 '14 at 16:47
  • seomthing like a diff of the output of ss over time ? – Sirex Nov 25 '14 at 22:39
  • @Sirex in fact in my case I just wanted to watch it over time. If you are goint to script something I would prefer `[cat/sed/grep]` in `/proc`. – Vinicius Tinti Nov 25 '14 at 23:41

5 Answers5

7

Use the command:

ss -neopt state established

This will show you only TCP sessions in ESTABLISHED state, no piping to other commands required, so it's super fast.

ss is better than netstat because the older netstat just reads from procfs which is subject to file locks. ss actually makes a query inside the kernel which is handled by the kernel scheduler and always returns accurate information.

suprjami
  • 3,536
  • 21
  • 29
  • Uh? FS ***procfs*** mounted in `/proc` is a ***pseudo file system***! Subject to ***lockfile***??? Please post references! At my knowledge, this pseudo filesystem is just a way to access kernel variables! – F. Hauri - Give Up GitHub Sep 22 '19 at 07:48
  • Then try: `strace ss -neopt state established 2>&1 | grep proc/`... – F. Hauri - Give Up GitHub Sep 22 '19 at 07:58
  • procfs writes line by line. If you have many many open connections, like hundreds of thousands, the earlier stuff is outdated by the time you get to the end. It's a waste of time. ss netlink gets the current state from the kernel at one point in time. – suprjami Sep 23 '19 at 08:59
4

Using /proc to reduce workload

I like to access kernel variables directly through /proc. This is very efficient, quick and system friendly.

There is a pseudo file (kernel variables table) named /proc/net/tcp where kernel store list of TCP connection and listenning. The 6th field, called st for state could contain 0A for a listen entry and 01 for an established connection.

Counting TCP established connections:

By using 
grep </proc/net/tcp -c '^ *[0-9]\+: [0-9A-F: ]\{27\} 01 '
By using 
awk  </proc/net/tcp 'BEGIN{t=0};{if ($4 == "01") {t++;}};END{print t}'

or

awk  </proc/net/tcp 'BEGIN{t=0};/^ *[0-9]+: [0-9A-F: ]{27} 01 /{t++};END{print t}'
By using 
sed  </proc/net/tcp '/^ *[0-9]\+: [0-9A-F: ]\{27\} 01 /p;d' | wc -l

Execution time

As this question stand for high workload system. I've done a little bench:

Method                                Answer by     Milliseconds

grep                                  Techno        2.48
awk no regexp ($4=="01")                            2.51
sed | wc                                            2.67
awk with regexp                                     2.93

ss -neopt state established | wc -l   Suprjami     15.14
lsof -i tcp -s tcp:ESTABLISHED        Tonioc    25055.00

Ok Tonioc's answer is very slow, but very insteresting by his verbosity. So clearly not useable on high workload system.

This bench let you see that if ss is a very usefull dedicated tool, asking /proc variables could be a lot quicker.

techno
  • 156
  • 3
3

Check also: 527875.

netstat + grep is a good and simple option for a few connections but if you have a huge number of connections I would recommend ss as recommended in nixCraft.

For instance: ss -s

Total: 78 (kernel 79)
TCP:   31 (estab 27, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 16

Transport Total     IP        IPv6
*     79        -         -        
RAW   0         0         0        
UDP   4         2         2        
TCP   31        2         29       
INET      35        4         31       
FRAG      0         0         0
Community
  • 1
Vinicius Tinti
  • 325
  • 4
  • 9
2

ss is a good tool. For kicks you could also can just:

[kbrandt@ny-kbrandt01: ~] cat /proc/net/snmp | grep Tcp | awk '{print $10}'
CurrEstab
3
Kyle Brandt
  • 83,619
  • 74
  • 305
  • 448
1

There is also lsof, which can filter per protocol and state: for example to look for TCP ESTABLISHED connections: 

~# lsof -i tcp -s tcp:ESTABLISHED

then | wc -l to count. Note: did not try the cost of this with a huge number of connections.

tonioc
  • 1,047
  • 8
  • 11