
Perl script to display the active TCP connections on a machine, sorted by "most connected IP first", which is done by scanning the netstat output


most_connected_ip

Status

  • Maintained. Works on Fedora 28 on 2018-10-28.

What is it

This is a Perl script to display the currently active TCP connections and their TCP state on the local machine, grouped by endpoint (IP:port), with any remote IP address resolved to its reverse DNS name, if possible.

This is done by scanning the netstat(8) output, so the script is meant for a Unix system.

For example, run it using:

perl most_connected_ip.pl --loop=5 --dnsnamelen=5

Output will be produced every 5 seconds, with the column showing the result of reverse-lookup DNS 80 characters wide.

The following can be passed:

--debug         To activate debugging output.
--nodns         To disable reverse DNS lookup; just IP addresses will be printed.
--notiming      Do not insert time taken for DNS lookups in output.
                (note that timing is printed only on lookup; if there is a cache
                hit on the program cache, no timing information will be printed in any case)
--debugdns      Print time taken for DNS lookup to STDERR; useful when debugging DNS problems.
                (you may also want to wield this: 'tcpdump -i lo udp port 53')
--dnsnamelen=N  Size of column holding the DNS lookup result (default 50; at least 30).
--loop[=N]      The program will loop every N seconds, forever, instead of running once only.
                (N can be missing (default is 1) or else 1..3600)
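The interplay of --nodns, --notiming and the program cache described above (a lookup time is only available when a real query was made; a cache hit produces no timing) is easy to get wrong, so here is an added Python illustration of that behaviour. It is not the project's Perl code; the class name ReverseResolver, the pluggable resolver callback and the column helper are assumptions made for the example, and the system lookup uses socket.gethostbyaddr.

```python
"""Reverse-DNS lookup with a per-run cache, written as an added example of the
--nodns / --notiming / --dnsnamelen semantics (not the project's own code)."""
import socket
import time

MIN_NAME_COLUMN = 30   # the README says --dnsnamelen is at least 30
DEFAULT_NAME_COLUMN = 50


class ReverseResolver:
    """Resolve IPs to names once per run; report timing only for real lookups."""

    def __init__(self, resolver=None, enabled=True):
        # 'resolver' is a hypothetical hook so the class can be driven offline
        # in tests; by default the system resolver is used.
        self._resolve = resolver or self._system_lookup
        self.enabled = enabled          # False models --nodns
        self.cache = {}                 # ip -> name (or the ip itself on failure)

    @staticmethod
    def _system_lookup(ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror, OSError):
            return None

    def lookup(self, ip):
        """Return (display_name, seconds). seconds is None when --nodns is in
        effect or when the answer came from the cache (nothing was measured)."""
        if not self.enabled:
            return ip, None
        if ip in self.cache:
            return self.cache[ip], None
        start = time.perf_counter()
        name = self._resolve(ip)
        elapsed = time.perf_counter() - start
        # Remember failures as well, so a dead PTR is not queried on every loop.
        self.cache[ip] = name or ip
        return self.cache[ip], elapsed


def name_column(name, width=DEFAULT_NAME_COLUMN):
    """Fit a resolved name into the --dnsnamelen column (minimum 30 columns)."""
    width = max(width, MIN_NAME_COLUMN)
    if len(name) > width:
        name = name[: width - 1] + "~"   # mark the truncation
    return name.ljust(width)


def format_line(resolver, ip, show_timing=True):
    """One output cell: name padded to the column, plus timing unless --notiming."""
    name, elapsed = resolver.lookup(ip)
    cell = name_column(name)
    if show_timing and elapsed is not None:
        cell += f" ({elapsed * 1000:.1f} ms)"
    return cell


if __name__ == "__main__":
    r = ReverseResolver()
    for ip in ("127.0.0.1", "127.0.0.1"):   # second call is a cache hit: no timing
        print(format_line(r, ip))
```

When --debugdns is wanted, print the elapsed value to sys.stderr in format_line instead of appending it to the cell; the cache makes sure that number only ever describes a query that actually went out.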

Problems

Short-lived connections that are created and disappear before they can appear in the next netstat listing are invisible. For those, only something based on tcpdump(8) helps.

The program may appear slow if /etc/resolv.conf does not explicitly say nameserver 127.0.0.1, causing DNS resolution to issue an IPv6 request which times out.

Similar programs

  • tcptrack - That's basically it. No longer available at its old Christmas Island address, but you can just yum install tcptrack.
  • nnetstat.pl - Perl/Gtk version of netstat.
  • Wireshark - Wireshark (ex Ethereal), which is the dog's bollocks
  • For Microsoft Windows, there is tcpview
  • nethogs - NetHogs is a small 'net top' tool, grouping bandwidth by process.

Sample output

Below is a sample output that shows two "inbound" TCP connections to ports 777 and 443 (one line for each), three "outbound" TCP connections to some remote machines on ports 777 and 25 (the first two connections on one line as they go to the same address and port and the third connection on a separate line), as well as a bunch of random TCP connections going over the loopback interface.

Also shown are the TCP connections' states and the reverse-resolved name of the remote IP addresses.

Note the "10 duplicates" indication shown in the "looping connections" header. Sometimes there are connections over the loopback interface for which netstat prints two lines, and so the script ignores one of them. 10 lines have been ignored in this case.

Distant inbound connections: 2
    85.93.216.17:777               <-- 78.141.139.10       :    1        ip-78-141-139-10.dyn.luxdsl.pt.lu     1 x ESTABLISHED
    80.90.47.155:443               <-- 78.141.139.10       :    1        ip-78-141-139-10.dyn.luxdsl.pt.lu     1 x ESTABLISHED
Distant outbound connections: 3
    80.90.63.61                    --> 80.90.63.48:25      :    2        smtp.m-plify.net                      2 x TIME_WAIT
    85.93.216.17                   --> 85.93.216.18:777    :    1        maya.m-plify.net                      1 x ESTABLISHED
Looping connections: 57 (10 duplicates)
    127.0.0.1                      --> 127.0.0.1:9355      :   20                                              1 x ESTABLISHED, 8 x TIME_WAIT, 11 x CLOSE_WAIT
    127.0.0.1                      --> 127.0.0.1:4713      :   10                                             10 x CLOSE_WAIT
    127.0.0.1                      --> 127.0.0.1:9353      :    9                                              4 x TIME_WAIT, 5 x CLOSE_WAIT
    127.0.0.1                      --> 127.0.0.1:3306      :    8                                              6 x ESTABLISHED, 1 x TIME_WAIT, 1 x CLOSE_WAIT
    127.0.0.1                      --> 127.0.0.1:5445      :    5                                              1 x ESTABLISHED, 4 x TIME_WAIT
    127.0.0.1                      --> 127.0.0.1:9354      :    2                                              2 x CLOSE_WAIT
    127.0.0.1                      --> 127.0.0.1:7998      :    1                                              1 x TIME_WAIT
    127.0.0.1                      --> 127.0.0.1:3351      :    1                                              1 x ESTABLISHED
    127.0.0.1                      --> 127.0.0.1:32000     :    1                                              1 x ESTABLISHED
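To make the grouping shown above concrete, here is an added Python example (not the project's Perl script) that parses Linux `netstat -tan` output, sorts each TCP connection into the three sections, counts states per endpoint, and drops the second line netstat prints for a loopback connection. The netstat text is constructed with RFC 5737 documentation addresses. Two rules are assumptions, since the README does not spell them out: a connection is "inbound" when its local port has a LISTEN socket in the same listing, and of the two loopback lines the one seen from the server socket is the duplicate.

```python
"""Group TCP connections from `netstat -tan` output by endpoint and state.
Added example, not the project's own code."""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in the layout of `netstat -tan` on Linux (RFC 5737 ranges).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:777             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9355          0.0.0.0:*               LISTEN
tcp6       0      0 :::3306                 :::*                    LISTEN
tcp        0      0 192.0.2.10:777          198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.11:443          198.51.100.7:51240      ESTABLISHED
tcp        0      0 192.0.2.10:40001        203.0.113.5:25          TIME_WAIT
tcp        0      0 192.0.2.10:40002        203.0.113.5:25          TIME_WAIT
tcp        0      0 192.0.2.10:40003        203.0.113.9:777         ESTABLISHED
tcp        0      0 127.0.0.1:45678         127.0.0.1:9355          ESTABLISHED
tcp        0      0 127.0.0.1:9355          127.0.0.1:45678         ESTABLISHED
tcp        0      0 127.0.0.1:45679         127.0.0.1:9355          TIME_WAIT
tcp6       0      0 ::1:50000               ::1:3306                CLOSE_WAIT
tcp6       0      0 ::1:3306                ::1:50000               CLOSE_WAIT
"""


def _split_endpoint(text):
    """Split 'ip:port' on the LAST colon so IPv6 forms like '::1:3306' survive."""
    ip, _, port = text.rpartition(":")
    return ip, (None if port == "*" else int(port))


def _is_loopback(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False   # truncated IPv6 from a netstat without --wide: cannot tell
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr.is_loopback


def parse_netstat(text):
    """Return [(local, foreign, state)] with endpoints as (ip, port) for TCP rows."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue   # headers and non-TCP protocols
        rows.append((_split_endpoint(fields[3]), _split_endpoint(fields[4]), fields[5]))
    return rows


def _is_loopback_duplicate(local, foreign, pairs, listening):
    """Assumed rule: a loopback connection appears once per socket; drop the
    server-side view when the client-side view is also in the listing."""
    if (foreign, local) not in pairs:
        return False   # one-way entry (cf. the 2014-03-04 change log): keep it
    local_is_server = local[1] in listening
    foreign_is_server = foreign[1] in listening
    if local_is_server != foreign_is_server:
        return local_is_server
    return (local, foreign) > (foreign, local)   # no LISTEN info: keep exactly one


def group_connections(text):
    rows = parse_netstat(text)
    listening = {local[1] for local, _, state in rows if state == "LISTEN"}
    conns = [(l, f, s) for l, f, s in rows if s != "LISTEN"]
    loop_pairs = {(l, f) for l, f, _ in conns if _is_loopback(l[0])}
    result = {"inbound": defaultdict(Counter), "outbound": defaultdict(Counter),
              "looping": defaultdict(Counter), "duplicates": 0}
    for (lip, lport), (fip, fport), state in conns:
        if _is_loopback(lip):
            if _is_loopback_duplicate((lip, lport), (fip, fport), loop_pairs, listening):
                result["duplicates"] += 1
                continue
            result["looping"][f"{lip} --> {fip}:{fport}"][state] += 1
        elif lport in listening:   # assumed heuristic: local port is a server port
            result["inbound"][f"{lip}:{lport} <-- {fip}"][state] += 1
        else:
            result["outbound"][f"{lip} --> {fip}:{fport}"][state] += 1
    return result


def render(result):
    """Print in the same three-section layout as the sample output above."""
    lines = []
    for section, title in (("inbound", "Distant inbound connections"),
                           ("outbound", "Distant outbound connections"),
                           ("looping", "Looping connections")):
        groups = result[section]
        header = f"{title}: {sum(sum(c.values()) for c in groups.values())}"
        if section == "looping":
            header += f" ({result['duplicates']} duplicates)"
        lines.append(header)
        for key, states in sorted(groups.items(), key=lambda kv: -sum(kv[1].values())):
            txt = ", ".join(f"{n} x {s}" for s, n in sorted(states.items()))
            lines.append(f"    {key:<45} : {sum(states.values()):>4}   {txt}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(group_connections(SAMPLE_NETSTAT)))
```

On a live host, feed `subprocess.check_output(["netstat", "-tan"], text=True)` to group_connections instead of the sample; reverse DNS is left out here on purpose so the parsing and the duplicate rule can be checked offline.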

License

Copyright 2012
M-PLIFY S.A.
21, rue Glesener
L-1631 Luxembourg

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Change log

2013-02-12 Correctly handle "netstat --wide", which may or may not work depending on the system. Correctly parse netstat output with IPv6 addresses.
2013-02-28 IPv4 addresses assigned to the local machine are obtained via IO::Interface::Simple. Complemented this with a readout of /proc/net/if_inet6 for the IPv6 addresses. Netstat output parsing went wrong on Ubuntu (the IPv6 loopback is apparently shown as 127.0.0.1); fixed. (Maybe one should not bother with netstat at all and use /proc directly)
2013-02-28 Printout made nicer; fields are aligned whether IPv6 addresses show up or not.
2013-03-01 127.0.0.1 was no longer recognized as of type LOOPBACK; fixed. Improved debug messages.
2014-03-04 When running the teamviewer client, connections that are localhost->localhost show up that may have: No corresponding server socket; May only go "one way", i.e. the second entry of the typical bidirectional TCP connection is missing. How is that possible? ...the script could not handle that. FIXED! Also: Net::IP 1.25 declares that an IP address on 127.0.0.1 is "PRIVATE", not on the "LOOPBACK". This is weird, and is now being forcefully "fixed". Maybe this will go away in later versions!
2018-10-27 Complete review; added options and made it possible to have the program loop instead of having to use `watch`

TODO

When the reverse DNS lookup fails, one should traceroute to find the last IP that reverse-resolves.
Also list the process owning the connection; info about this can be obtained with `lsof(8)`