how to see specific established connections?
I know about netstat, ncat, tcpdump and some other tools that show all connections, but what tool should I use if I want to see a specific connection established with a specific server?
For example: I am connecting to port 80 from a simple web client; I need a command which only shows my connection with " port 80".
3 Answers
You need to parse the output of netstat. On my system, netstat doesn't display the string "Google" when listing hosts. So, instead of simply using `netstat -t | grep -i Google`, you would need to look up the name of the host. Something like:
```
$ sudo netstat -tn | awk '/EST/{print $5}' | sed 's/:.*//' | while read ip; do whois $ip | grep -qi google && echo "$ip"; done
173.194.67.189
74.125.140.105
216.58.209.5
```

Explanation

- `sudo netstat -tn`: run `netstat` showing only TCP connections (`-t`) and numerical IPs (`-n`);
- `awk '/EST/{print $5}'`: print the 5th field (the IP) if this line matches `EST` (show only established connections);
- `sed 's/:.*//'`: remove the port, leaving only the IP;
- `while read ip; do ...; done`: iterate over each IP found;
- `whois $ip | grep -qi google`: look up the IP and search the output for `google`. The `-i` means case-insensitive searching and the `-q` suppresses output;
- `&& echo "$ip"`: if the `grep` was successful, print this IP.
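The same filtering idea as this answer's pipeline, written as an awk function that can be run on captured `netstat -tn` output; this is an added example, not code from the original answer. `filter_established` takes a space-separated list of peer IPs plus a port and prints only the established connections to that peer and port (the question's "host port 80" case); `host_ips` resolves the hostname with glibc's `getent ahostsv4` instead of the whois loop above. The netstat lines below are a constructed sample using documentation-range addresses.

```shell
# filter_established IPS PORT
# Reads `netstat -tn` output on stdin and prints "local -> foreign" for every
# ESTABLISHED tcp/tcp6 line whose foreign address is one of the IPs in the
# space-separated list IPS and whose foreign port is PORT.
filter_established() {
    awk -v want_ips="$1" -v want_port="$2" '
        BEGIN {
            n = split(want_ips, arr, " ")
            for (i = 1; i <= n; i++) ok[arr[i]] = 1
        }
        $1 ~ /^tcp6?$/ && $6 == "ESTABLISHED" {
            # Foreign Address is "ip:port"; a tcp6 address itself contains colons,
            # so the port is the text after the LAST colon.
            m = split($5, parts, ":")
            port = parts[m]
            ip = substr($5, 1, length($5) - length(port) - 1)
            if ((ip in ok) && port == want_port) print $4 " -> " $5
        }'
}

# host_ips NAME: the IPv4 addresses NAME resolves to, space-separated (glibc getent).
host_ips() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u | tr '\n' ' '
}

# Constructed sample of `netstat -tn` output (not a capture from a live system).
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:51234        198.51.100.7:80         ESTABLISHED
tcp        0      0 192.0.2.10:51235        198.51.100.7:443        ESTABLISHED
tcp        0      0 192.0.2.10:51236        203.0.113.9:80          TIME_WAIT
tcp6       0      0 ::1:51237               ::1:80                  ESTABLISHED'

# show_sample IPS PORT: run the filter over the constructed sample.
show_sample() {
    printf '%s\n' "$SAMPLE" | filter_established "$1" "$2"
}

# Live use (as root, so netstat can see every socket):
#   netstat -tn | filter_established "$(host_ips example.com)" 80
```

With `netstat -tnp` the state is still the sixth field, so the same function works on that output too.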
Running the command `netstat` with the flags `-tanp` on Ubuntu will list all the PIDs (Process Identification Numbers) and ports of each connection.

NOTE: to see all PIDs you should run the command with sudo permissions, so:

```
sudo netstat -tanp
```
I wrote a C++ program titled addressid that employs the netstat command together with the whois utility. On 14.04 the whois utility doesn't come 'stock out of the box', so you will have to install it via the command line, as well as build-essential to compile the class file into a binary.
```
:~$ sudo apt-get install build-essential -y
:~$ sudo apt-get install whois -y
```

The program also expects two other directories to be in existence, /usr/local/addressId and /var/log/addressid, so you will have to create these:

```
:~$ sudo mkdir -p -m0755 /usr/local/addressId
:~$ sudo mkdir -p -m0755 /var/log/addressid
```

Copy the program into the gedit text editor, then compile the program as shown below:

```
:~$ g++ -o addressid addressId.cpp
```

Next move the program to /usr/bin (which is already in your $PATH) and use the new utility from the command line as shown below:

```
:~$ sudo mv addressid /usr/bin/
:~$ sudo addressid
```

You have to run the program as root, because the netstat utility requires root privileges to display all of the system's TCP information.
```cpp
//*******************************************************************
// This addressId.cpp class is created to input the output from
// the netstat -tanp command and create a shell script that will be
// executed performing the ip address (a dotted quad) look up on the
// whois server (with whois utility).
// author:GeoWade
//*******************************************************************
#include <iostream>
#include <fstream>
#include <string>
#include <list>
#include <cstdlib>
using namespace std;

int main()
{
    // list<string> container object to hold the foreign IP addresses
    list<string> addressList;
    string line;
    // strings used as tests against the netstat -tanp output
    const string theTcp = "tcp";
    const string theSix = "tcp6";
    const string firstLn = "0.0.0.0";   // foreign address of LISTEN sockets
    // column at which the "Foreign Address" field starts in netstat -tanp output
    const size_t foreignCol = 44;

    // use the system function to execute the netstat command and capture the data
    system("sudo netstat -tanp > /usr/local/addressId/Ntstat.txt");
    ifstream inFile("/usr/local/addressId/Ntstat.txt");

    while (getline(inFile, line)) {
        // skip header lines and anything too short to hold a foreign address
        if (line.size() <= foreignCol)
            continue;
        // only IPv4 "tcp" lines: not tcp6, and not listening sockets (0.0.0.0:*)
        if (line.compare(0, 3, theTcp) != 0 || line.compare(0, 4, theSix) == 0)
            continue;
        if (line.compare(foreignCol, firstLn.size(), firstLn) == 0)
            continue;
        // take the foreign address field and cut it at the colon before the port
        string intermStr = line.substr(foreignCol);
        size_t colon = intermStr.find(':');
        addressList.push_back(intermStr.substr(0, colon));
    }
    inFile.close();
    cout << "The data has been inputted to the program!" << endl;

    // write a shell script that runs whois on every address, last-seen first
    ofstream outOne("/usr/local/addressId/myWhois.sh");
    outOne << "#! /bin/bash\n\nMYWH=\"whois\"\nUPD=\"updatedb\"\n"
           << "TDTD=\"date\"\n\n$TDTD >> /var/log/addressid/addressid.log\n" << endl;
    for (list<string>::reverse_iterator it = addressList.rbegin(); it != addressList.rend(); ++it)
        outOne << "$MYWH " << *it << " >> /var/log/addressid/addressid.log\n" << endl;
    outOne << "$UPD\n\nexit\n" << endl;
    outOne.close();

    system("chmod +x /usr/local/addressId/myWhois.sh");
    system("/usr/local/addressId/myWhois.sh");
    // delete the previously created and executed script
    system("rm -f /usr/local/addressId/myWhois.sh");
    addressList.clear();
    // output a statement to the user of the binary
    cout << "The operation has completed successfully!" << endl;
    return 0;
}
```

I wrote this program about 3 years ago, back on 12.04, as part of a security and logging suite I created. Nonetheless it will log every address and those addresses' information when it is run; it also adds the date to the log each time it is run. You can view the log by using the cat command or make a back-up as shown below:
```
:~$ cat /var/log/addressid/addressid.log
```

or

```
:~$ cat /var/log/addressid/addressid.log >> $HOME/addressid.log.bak
```

The program is legit; I just deleted my /usr/bin/addressid, copied the program (to verify there were no errors) from this web page, compiled it, performed the necessary `sudo mv addressid /usr/bin/` and ran it as `sudo addressid`.