Check number of connections to webserver port 80 AND 443

Question

As the title says how would one check the number of open connections to a webserver on port 80 and 443?

I'm currently using this oneliner to get the number of open connections per ipaddress from port 80:

netstat -tn 2>/dev/null | 
    grep :80 | 
    grep -i established |
    awk '{print $5}' | 
    cut -d: -f1 | 
    sort | 
    uniq -c | 
    sort -nr | 
    head

How would one add port number 443 to this query? I've tried the following:

netstat -tn 2>/dev/null | 
    grep ':80/|:443' | 
    grep -i established |
    awk '{print $5}' | 
    cut -d: -f1 | 
    sort | 
    uniq -c | 
    sort -nr | 
    head

but ended up getting 0 results did i do something wrong?

Answer 1

Try

netstat -ant | egrep '(:80|:443) .*:.*ESTABLISHED' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c

or

netstat -nt | awk '$4 ~ /:(143|993)$/ && $6 ~ /ESTABLISHED/ {print $5}' | cut -d: -f1 | sort | uniq -c

• netstat -nt lists TCP connections without DNS lookups of the IP address
• egrep ':(80|443) .*:.*ESTABLISHED' selects ESTABLISHED connections on ports 80 restricting to the local address
• 'awk {print $5}' separates the remote address and port
• cut -d: -f1 remotes the port

• sort | uniq -c counts uniq ips

• awk '$4 ~ /:(80|443)$/ && $6 ~ /ESTABLISHED/ {print $5}' selects remote ip for ESTABLISHED connections to local ports 80 and 443

Edit:

If you want to count connections by IP, you can use {print $4, $5} in the print statement.

You can match on different or multiple states by altering the match for $6, such as /(ESTAB|SYN)/ which will include opening connections.

Answer 2

- grep ':80/|:443'
+ egrep ':80|:443'