Check number of connections to webserver port 80 AND 443
Try
netstat -ant | egrep '(:80|:443) .*:.*ESTABLISHED' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c
or
netstat -nt | awk '$4 ~ /:(80|443)$/ && $6 ~ /ESTABLISHED/ {print $5}' | cut -d: -f1 | sort | uniq -c
netstat -nt
lists TCP connections without DNS lookups of the IP address
egrep ':(80|443) .*:.*ESTABLISHED'
selects ESTABLISHED connections on ports 80 restricting to the local address
awk '{print $5}'
separates the remote address and port
cut -d: -f1
removes the port
sort | uniq -c
counts unique IPs
awk '$4 ~ /:(80|443)$/ && $6 ~ /ESTABLISHED/ {print $5}'
selects remote IP for ESTABLISHED connections to local ports 80 and 443
Edit:
If you want to count connections by IP, you can use {print $4, $5} in the print statement.
You can match on different or multiple states by altering the match for $6, such as /(ESTAB|SYN)/ which will include opening connections.
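Added example (not part of the original answer): the same per-IP count done in a single awk pass that strips only the trailing :port from the remote address, so IPv6 peers are not cut at their first colon the way cut -d: -f1 cuts them. The function names and the sample netstat lines are constructed for illustration; the optional argument is the state match described in the Edit above.

```shell
#!/bin/sh
# Added example, not the answer author's code. Reads `netstat -nt` style
# lines on stdin so it can be run on saved output as well as live.

# count_web_conns [STATE_REGEX]
# Prints "<count> <remote-ip>" for connections to LOCAL ports 80/443.
count_web_conns() {
    states="${1:-ESTABLISHED}"
    awk -v states="^(${states})\$" '
        # $4 = local addr:port, $5 = remote addr:port, $6 = state
        $1 ~ /^tcp/ && $4 ~ /:(80|443)$/ && $6 ~ states {
            ip = $5
            sub(/:[0-9]+$/, "", ip)  # drop only the trailing :port
            sub(/^::ffff:/, "", ip)  # IPv4-mapped IPv6 -> plain IPv4
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample output (documentation address ranges only).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:443          198.51.100.7:51240      ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.9:40022       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:40100       SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.9:50000       ESTABLISHED
tcp        0      0 192.0.2.10:8080         198.51.100.7:51300      ESTABLISHED
tcp        0      0 192.0.2.10:51000        198.51.100.20:443       ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::beef:44321    ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:51250 ESTABLISHED
EOF
}

# Demo on the sample; live use would be: netstat -ntW | count_web_conns
# (-W is the option the comments on this page mention for untruncated addresses).
sample_netstat | count_web_conns
```

The outbound connection to a remote port 443 and the listener on 8080 are not counted, because the port match is anchored to the end of the local address column.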
Comments
-
Baklap4 over 1 year
As the title says, how would one check the number of open connections to a webserver on port 80 and 443?
I'm currently using this one-liner to get the number of open connections per IP address from port 80:
netstat -tn 2>/dev/null | grep :80 | grep -i established | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
How would one add port number 443 to this query? I've tried the following:
netstat -tn 2>/dev/null | grep ':80/|:443' | grep -i established | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
but ended up getting 0 results. Did I do something wrong?
-
Baklap4 almost 8 years
I'd like to keep the IP so I can view how many connections there are per IP address.
-
BillThor almost 8 years
@Baklap4 Updated adding more awk based filter,
-
kasperd over 5 years
If you want the IP addresses you need -W as well. Without -W some of the IP addresses may be truncated by netstat. Also I noticed that if a client connects and doesn't send any data right away the TCP connection can show up as SYN_RECV rather than ESTABLISHED.
-
BillThor over 5 years
@kasperd Connections in SYN_RECV are in a half open state. This state indicates that the remote end hasn't completed opening the connection. Connections should not stay in this state very long, even if the other end does not send a request.
-
kasperd over 5 years
@BillThor That's what I thought too. But it turns out that's not always the case. An application can configure a socket in a way that will cause it to stay in SYN_RECV until the first data has been sent by the client. I was able to trigger that behavior with Apache running on Ubuntu LTS 14.04. Just telnet to port 80 on such a server and look at netstat output on the server.