Get number of TCP established connections

linux monitoring tcp netstat

7,650

Solution 1

Using /proc to reduce workload

I like to access kernel variables directly through /proc. This is very efficient, quick and system friendly.

There is a pseudo file (kernel variables table) named /proc/net/tcp where kernel store list of TCP connection and listenning. The 6th field, called st for state could contain 0A for a listen entry and 01 for an established connection.

Counting TCP established connections:

By using grep

grep </proc/net/tcp -c '^ *[0-9]\+: [0-9A-F: ]\{27\} 01 '

By using awk

awk  </proc/net/tcp 'BEGIN{t=0};{if ($4 == "01") {t++;}};END{print t}'

awk  </proc/net/tcp 'BEGIN{t=0};/^ *[0-9]+: [0-9A-F: ]{27} 01 /{t++};END{print t}'

By using sed

sed  </proc/net/tcp '/^ *[0-9]\+: [0-9A-F: ]\{27\} 01 /p;d' | wc -l

Execution time

As this question stand for high workload system. I've done a little bench:

Method                                Answer by     Milliseconds

grep                                  Techno        2.48
awk no regexp ($4=="01")                            2.51
sed | wc                                            2.67
awk with regexp                                     2.93

ss -neopt state established | wc -l   Suprjami     15.14
lsof -i tcp -s tcp:ESTABLISHED        Tonioc    25055.00

Ok Tonioc's answer is very slow, but very insteresting by his verbosity. So clearly not useable on high workload system.

This bench let you see that if ss is a very usefull dedicated tool, asking /proc variables could be a lot quicker.

Solution 2

Use the command:

ss -neopt state established

This will show you only TCP sessions in ESTABLISHED state, no piping to other commands required, so it's super fast.

ss is better than netstat because the older netstat just reads from procfs which is subject to file locks. ss actually makes a query inside the kernel which is handled by the kernel scheduler and always returns accurate information.

Solution 3

Check also: 527875.

netstat + grep is a good and simple option for a few connections but if you have a huge number of connections I would recommend ss as recommended in nixCraft.

For instance: ss -s

Total: 78 (kernel 79)
TCP:   31 (estab 27, closed 0, orphaned 0, synrecv 0, timewait 0/0), ports 16

Transport Total     IP        IPv6
*     79        -         -        
RAW   0         0         0        
UDP   4         2         2        
TCP   31        2         29       
INET      35        4         31       
FRAG      0         0         0

Solution 4

There is also lsof, which can filter per protocol and state: for example to look for TCP ESTABLISHED connections:

~# lsof -i tcp -s tcp:ESTABLISHED

then | wc -l to count. Note: did not try the cost of this with a huge number of connections.

Solution 5

ss is a good tool. For kicks you could also can just:

[kbrandt@ny-kbrandt01: ~] cat /proc/net/snmp | grep Tcp | awk '{print $10}'
CurrEstab
3

View more solutions

7,650

Vinicius Tinti

Updated on September 18, 2022

Comments

Vinicius Tinti almost 2 years

On a Linux server one can use netstat -tan | grep ESTABLISHED| wc -l but this will not work on a high load server with watch -n1.

Such approach works fine if the server is not very busy or the monitoring interval is big enough. But what can be recommended as alternative for a high load server?
- user9517 over 9 years
  
  possible duplicate of How do I get the number of (currently) established TCP connections for a specific port?
- Andrew Schulman over 9 years
  
  I don't understand. Do you mean you want an update more often than every 1 second? Or you want to know the total number of connections that were established during some period, instead of the number of connections that are established at the moment you run netstat?
- Vinicius Tinti over 9 years
  
  @AndrewSchulman on high load,netstat followed by a grep command will not be fast enough to give statistics in order of seconds. But you can get it with ss or parsing /proc. I want to know the number of TCP established connections each second.
- Sirex over 9 years
  
  seomthing like a diff of the output of ss over time ?
- Vinicius Tinti over 9 years
  
  @Sirex in fact in my case I just wanted to watch it over time. If you are goint to script something I would prefer [cat/sed/grep] in /proc.
Ken Sharp almost 7 years

Is it just me or does /proc/net/tcp not show port numbers?
Ken Sharp almost 7 years

Or are they after the colon in hex?
techno almost 7 years

@KenSharp Yes, it is. 1st line is header line. fields local_address and rem_address do contain IP and PORT separated by colon. field st (status) make difference between ESTABLISHED, LISTEN, WAIT ...
F. Hauri almost 5 years

U could add -n in lsof -ni to prevent DNS resolution and make this a lot quicker!
F. Hauri almost 5 years

+1 for time comparission! And yes, for just counting established tcp connection, using ss or any netstat is overkill, when /proc/net/tcp/ present what you need!
F. Hauri almost 5 years

Uh? FS procfs mounted in /proc is a pseudo file system! Subject to lockfile??? Please post references! At my knowledge, this pseudo filesystem is just a way to access kernel variables!
F. Hauri almost 5 years

For socket stats you could read cat /proc/net/sockstat* ! Could be more quicker!!
suprjami almost 5 years

procfs writes line by line. If you have many many open connections, like hundreds of thousands, the earlier stuff is outdated by the time you get to the end. It's a waste of time. ss netlink gets the current state from the kernel at one point in time.