how to get all the incoming connections in linux - linux

netstat lists all the connections (incoming and outgoing).
How do I filter out just the incoming connections?
I have tried the netstat command, but it lists all the connections and I need only the incoming ones.

Once sockets are created, there isn't really such a thing as inbound and outbound, as connections go both ways. What you really care about are connections you started vs. connections others started. To do that, you have to monitor for new connections and log them as they are created.
tcpdump is a great tool for this. There are tons of guides on the internet, but a command to get you started would be tcpdump -Qin ....

With netstat you can identify the state of the socket, but there are no states in raw mode and usually none for UDP and UDPLite. You can display the listening sockets that accept incoming connections by running netstat with the following argument:
netstat --listening
However, as far as I understand your question, it is better to use the tcpdump tool as mentioned in the other answers.

Related

Can a TCP connection between two local processes be closed without either process being involved?

I have two processes written in two different programming languages that exchange information via a local TCP connection. One process is starting the other but their lifetime must be shared, i.e. if one dies, so does the other and vice versa.
I would like to use the TCP connection as the mechanism to detect if the other side is crashing, but I'm not sure if it's safe. I wonder if there are cases where the connection could be closed for other reasons than one of process crashing or exiting.
Edit:
Ideally, the system needs to be portable across OSes, which is why TCP connections are used instead of Unix domain sockets.
I know that it's possible to use administrative tools to kill the connection. What I want to know is whether there are cases where, in normal circumstances (both processes running fine), the connection would be closed.
If the computers that are serving your processes are distant, then of course network problems along the way may cause problems; otherwise it's not trivial to close a connection. A tool such as "tcpkill" can close connections that originate or terminate on the local computer, and if you cross a firewall, then of course the firewall admin may close connections going through it.
I think your scheme would work fairly well; if something causes the network connection to go down, then both your processes will terminate, so your worst case scenario would be excessive downtime - which I wouldn't expect from a connection through a normal network.
tcpkill: https://linux.die.net/man/8/tcpkill
You can use iptables to firewall the ports while the connection is running. By either dropping packets or sending RSTs you can simulate different scenarios: remote host died, remote host closing the connection.
Examples (the rules must be added to a chain, INPUT here, so the original commands without -I/-A would be rejected by iptables):
# drop packets (the peer sees nothing; the connection only dies once retransmissions or keepalives give up)
iptables -I INPUT -p tcp --dport PORT_NUM -j DROP
# send RST (the peer sees the connection reset immediately)
iptables -I INPUT -p tcp --dport PORT_NUM -j REJECT --reject-with tcp-reset
I've used the destination port above; to filter based on source port use --sport.
If one side crashes (or closes or shuts down its socket by any other means), the other one will see the socket as readable and get EOF on an attempted read.
You can inspect this behavior easily by observing a client-server nc pair, possibly with strace.
Server:
strace nc -l localhost 3333
Client:
strace nc localhost 3333
Whenever one side is killed (e.g., with Ctrl+C, Ctrl+\ or kill), the other side gets EOF (== a read of 0 bytes) ASAP.
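The same experiment as an added example in Python instead of nc and strace (this is not code from the answer above). It sets up a loopback TCP pair, has one end leave in one of three ways, and reports what a blocking read on the other end sees: an orderly close (which is also what the kernel does to every socket of a process that exits or crashes) gives EOF, an abortive close (the RST that tcpkill or a firewall reject injects, reproduced here with SO_LINGER and a zero timeout) gives ECONNRESET rather than EOF, and a peer that is alive but wedged gives nothing at all, which is why a lifetime watchdog built on this mechanism also needs a read timeout or TCP keepalive. The SO_LINGER-to-RST behaviour is Linux semantics; the port is chosen by the kernel.

```python
import socket
import struct
import threading


def _watch_peer(conn: socket.socket, out: dict, read_timeout: float) -> None:
    # The "watchdog" end: block in recv and classify how the peer's fate shows up.
    conn.settimeout(read_timeout)
    try:
        data = conn.recv(1)
        out["result"] = "eof" if data == b"" else "data"   # b"" == peer closed (FIN)
    except ConnectionResetError:
        out["result"] = "reset"                              # peer sent RST
    except socket.timeout:
        out["result"] = "timeout"                            # peer alive but silent
    finally:
        conn.close()


def observe_peer(action: str, read_timeout: float = 1.0) -> str:
    """Loopback TCP pair; the 'client' end performs `action` and we report what the
    other end's blocking read sees.  action: 'close' (orderly close, which is also
    what the kernel does to every socket of a process that exits or crashes),
    'reset' (abortive close: SO_LINGER with zero timeout makes close() send RST) or
    'hang' (process alive, socket open, nothing sent)."""
    if action not in ("close", "reset", "hang"):
        raise ValueError(action)
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: the kernel picks a free port
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    server, _ = listener.accept()
    listener.close()

    out: dict = {}
    watcher = threading.Thread(target=_watch_peer, args=(server, out, read_timeout))
    watcher.start()
    if action == "reset":
        # l_onoff=1, l_linger=0: close() discards the socket and sends RST instead of FIN
        client.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    if action != "hang":
        client.close()
    watcher.join()
    client.close()                            # no-op if already closed
    return out["result"]


if __name__ == "__main__":
    for action in ("close", "reset", "hang"):
        print(f"peer {action:5s} -> watchdog sees {observe_peer(action)}")
```

Only the "close" case is the one the answer describes; a supervisor that treats "reset" as a crash will also fire when an administrator kills the connection, and the "hang" case shows that a live-but-stuck peer is invisible to EOF detection alone.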

netstat for number of packets received by process IDs

I use the simple netstat command "netstat -nltp" which shows me all active TCP connections along with the PID and process name.
However, even after playing around with parameters, I am unable to get an important piece of information from the command.
That is:
I want to see the number of packets received and sent from/to this PID
I learnt that Recv-Q and Send-Q are not indicative of this. Also, the statistics parameter seems to sum up for all processes. How can I see the packets received and sent to a PID?
Thanks
Use inner process counters for that:
cat /proc/<PID>/net/netstat
You want to do network traffic accounting per process.
There are a number of applications that allow you to do that in real time (e.g. nethogs), but the problem is keeping traffic counters over time.
I would suggest doing so with iptables, assuming you can clearly distinguish your processes by network port.
This article is still OK for your use case: https://www.cyberciti.biz/faq/linux-configuring-ip-traffic-accounting/
PS: This sort of question is best asked on Server Fault.

Track connections and packets into socket (linux networking)?

What is the best way to tell if traffic is reaching a socket?
netstat -i is convenient for checking counters in/out of an interface, but how can I tell whether that traffic is reaching a socket?
Thanks
You can use netstat to check the count of ESTABLISHED connections to the port number that the socket is listening on. Alternatively, tcpdump can show you packets flowing in and out of that port.

list of tcp connections for particular port

I need a list of the TCP connections made where the client uses a particular port.
For example:
From my Linux server I need to check whether any connection was made by a client using port 8008 (the client's port) within the last two minutes.
Is this possible, or am I asking for too much?
You can read /proc/net/tcp for this, but it does not track history, so you need to poll it occasionally. This will work so long as you don't mind "missing" some very short-lived connections.

Can we get elapsed time from netstat command

First let me explain my scenario. We have an application using TCP that hangs frequently due to CLOSE_WAIT connections. From netstat I can trace the remote host for which the CLOSE_WAIT happens. But I want to know the elapsed time (the time at which CLOSE_WAIT occurred on a particular port). If I know the exact time the CLOSE_WAIT happens, I can analyze the logs for that timestamp to find a possible reason for it.
I know I can run netstat at regular intervals. That way I can also get the exact time window of the CLOSE_WAIT connections.
Is there any simpler way to get what I need using netstat or any other command?
You could watch the traffic directly with tcpdump. If you know the remote IP and/or port you can narrow it down to just that traffic.
tcpdump -i eth0 src 192.168.1.1 and port 80
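Several of the questions on this page (incoming vs. outgoing connections in the first thread, the count of ESTABLISHED connections to a listening port, connections whose client side uses port 8008, and the time at which a socket entered CLOSE_WAIT) can be answered from /proc/net/tcp, which one answer above mentions but none of them parses. The following is an added example, not code from any answer: a small Python parser for that file plus the four queries. The two snapshots are constructed sample data, not captures from a real host; the inbound/outbound rule (an ESTABLISHED socket whose local port also appears as a LISTEN socket was accepted from a peer) is a heuristic; and only IPv4 (/proc/net/tcp, not tcp6) is handled. The poll() helper is the only part that touches the live file, and like any polling approach it can miss connections shorter than its interval.

```python
import time
from typing import Dict, List, NamedTuple, Tuple

# Values of the 'st' column (include/net/tcp_states.h).
TCP_STATES = {1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV", 4: "FIN_WAIT1",
              5: "FIN_WAIT2", 6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT",
              9: "LAST_ACK", 10: "LISTEN", 11: "CLOSING"}

class Sock(NamedTuple):
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str

def _addr(field: str) -> Tuple[str, int]:
    # '0100007F:1F90' -> ('127.0.0.1', 8080): the kernel prints the IPv4 address as a
    # host-order 32-bit hex word, so on little-endian hosts the octets read reversed.
    # The port is plain hex.  /proc/net/tcp6 (IPv6) is not handled here.
    ip_hex, port_hex = field.split(":")
    return ".".join(str(b) for b in bytes.fromhex(ip_hex)[::-1]), int(port_hex, 16)

def parse_proc_net_tcp(text: str) -> List[Sock]:
    socks = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 4:
            continue
        (lip, lport), (rip, rport) = _addr(f[1]), _addr(f[2])
        socks.append(Sock(lip, lport, rip, rport, TCP_STATES.get(int(f[3], 16), f[3])))
    return socks

def classify_direction(socks: List[Sock]) -> Dict[str, List[Sock]]:
    # Heuristic: an ESTABLISHED socket whose local port is also a LISTEN port here was
    # accepted from a peer (inbound); the rest were opened from here on an ephemeral port.
    listening = {s.local_port for s in socks if s.state == "LISTEN"}
    result: Dict[str, List[Sock]] = {"inbound": [], "outbound": []}
    for s in socks:
        if s.state == "ESTABLISHED":
            result["inbound" if s.local_port in listening else "outbound"].append(s)
    return result

def established_to_local_port(socks: List[Sock], port: int) -> int:
    return sum(1 for s in socks if s.state == "ESTABLISHED" and s.local_port == port)

def peers_using_port(socks: List[Sock], remote_port: int) -> List[Sock]:
    # Connections in any state whose *remote* side uses remote_port (0 = no peer).
    return [s for s in socks if remote_port and s.remote_port == remote_port]

def diff_snapshots(prev: List[Sock], cur: List[Sock]) -> List[Tuple[str, Sock]]:
    # Events between two polls, keyed by 4-tuple: new and closed connections, state changes.
    key = lambda s: (s.local_ip, s.local_port, s.remote_ip, s.remote_port)
    a = {key(s): s for s in prev if s.state != "LISTEN"}
    b = {key(s): s for s in cur if s.state != "LISTEN"}
    events = []
    for k in sorted(set(a) | set(b)):
        if k not in a:
            events.append(("NEW", b[k]))
        elif k not in b:
            events.append(("GONE", a[k]))
        elif a[k].state != b[k].state:
            events.append((f"{a[k].state}->{b[k].state}", b[k]))
    return events

def poll(path: str = "/proc/net/tcp", interval: float = 1.0, rounds: int = 60) -> None:
    # Timestamp every transition (e.g. the moment a socket enters CLOSE_WAIT) so it can
    # be lined up with application logs.  Connections shorter than `interval` are missed.
    prev: List[Sock] = []
    for _ in range(rounds):
        with open(path) as fh:
            cur = parse_proc_net_tcp(fh.read())
        for event, s in diff_snapshots(prev, cur):
            print(time.strftime("%H:%M:%S"), event, f"{s.local_ip}:{s.local_port} <-> {s.remote_ip}:{s.remote_port}")
        prev = cur
        time.sleep(interval)

# Constructed sample snapshots (not captured from a real host): sshd on :22 with one
# session, a service on :9000 with a peer whose source port is 8008, and an outbound
# HTTPS connection.  Later the :9000 peer has sent FIN (CLOSE_WAIT), the HTTPS
# connection is gone and a second peer from port 8008 has arrived.
SNAPSHOT_1 = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18211 1 0000000000000000 100 0 0 10 0
   1: 0200000A:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20431 1 0000000000000000 100 0 0 10 0
   2: 0200000A:0016 0500000A:C738 01 00000000:00000000 02:000A1B2C 00000000     0        0 25012 3 0000000000000000 20 4 31 10 -1
   3: 0200000A:9C40 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 25340 1 0000000000000000 20 4 30 10 -1
   4: 0200000A:2328 0700000A:1F48 01 00000000:00000000 00:00000000 00000000  1000        0 25777 1 0000000000000000 20 4 30 10 -1
"""
SNAPSHOT_2 = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18211 1 0000000000000000 100 0 0 10 0
   1: 0200000A:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20431 1 0000000000000000 100 0 0 10 0
   2: 0200000A:0016 0500000A:C738 01 00000000:00000000 02:000A1B2C 00000000     0        0 25012 3 0000000000000000 20 4 31 10 -1
   3: 0200000A:2328 0700000A:1F48 08 00000000:00000000 00:00000000 00000000  1000        0 25777 1 0000000000000000 20 4 30 10 -1
   4: 0200000A:2328 0900000A:1F48 01 00000000:00000000 00:00000000 00000000  1000        0 26104 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    before, after = parse_proc_net_tcp(SNAPSHOT_1), parse_proc_net_tcp(SNAPSHOT_2)
    print({d: [f"{s.remote_ip}:{s.remote_port}" for s in v] for d, v in classify_direction(before).items()})
    print([(e, f"{s.remote_ip}:{s.remote_port}->:{s.local_port}") for e, s in diff_snapshots(before, after)])
```

Run poll() as root or as the socket owner on the box in question to get a timestamped line for each transition (ESTABLISHED->CLOSE_WAIT included) that can be matched against application logs; swap the path for /proc/<PID>/net/tcp if the process lives in its own network namespace. The ss tool (ss -tnp) gives the same data with process names, but reading the file directly is what makes the direction and history queries scriptable.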
