This site is now 100% read-only, and retired.

Monitoring active network connections with tcptrack

Posted by Steve on Sat 20 Aug 2005 at 13:45

There are many common scenarios where keeping track of open network connections is useful. General troubleshooting or fixing specific problems are two obvious cases which spring to mind. The most useful tool I've discovered for this purpose is tcptrack.

Whilst there are many other ways to view open network connections (such as running "netstat -an"), tcptrack manages to show you the useful aspects of open connections in a very concise manner, and it updates in real time. Because the software is so small it's simple to install, use, and then remove, unlike alternatives such as ntop.

The combination of connection details and a real time update is wonderful for getting an idea of the open connections upon a host.

tcptrack shows you:

  • Client IP address and source port.
  • Server IP address and destination port.
  • Current state. ("Established", "Closing", etc.)
  • Average data throughput.

To install it you may simply run:

apt-get install tcptrack

Once it has been installed become root, and run:

tcptrack -i "interface name"

e.g.:

tcptrack -i eth0

The display will look something like this:

Client                 Server              State        Idle   A Speed
 192.168.1.80:3825     207.46.4.28:1863    ESTABLISHED  20s    0 B/s
 192.168.1.80:1267     xx.xx.xx.xx:22      ESTABLISHED  1m     0 B/s

Obviously if you're running this upon a gateway you will see all the current connections of your users. So you should only do this if you have the required permission to do so.

If you wish to study the connections in more detail you can pause the updates via the "p" key. This will toggle the display between paused and live states. (Pressing either "q", or Ctrl-c will exit the display and the program.)

As the software is built upon the libpcap library for packet capture you also have access to "filters". These filters are a small language for describing packets, or connections in this case, of interest.

For example if you only wished to see connections destined to arrive at port 80 (HTTP) then you could run:

tcptrack -i eth0 "dst port 80"

Here the optional filter has told the software we only care about connections which match the expression "destination port 80".
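To make the display rows shown above usable from a script (for instance a screen dump saved from a paused session), here is an added Python parser for that column layout, with the "dst port" filter re-applied to the parsed rows. It is example code, not part of tcptrack or this article; the sample rows are constructed, and the "h" idle unit and the KB/s and MB/s speed units are assumptions beyond what the article shows.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the article's display (Client, Server,
# State, Idle, A Speed). The addresses and rows are made up.
SAMPLE_DISPLAY = """\
Client                 Server              State        Idle   A Speed
 192.168.1.80:3825     207.46.4.28:1863    ESTABLISHED  20s    0 B/s
 192.168.1.80:1267     10.0.0.5:22         ESTABLISHED  1m     0 B/s
 192.168.1.80:4411     10.0.0.9:80         CLOSING      3s     1.5 KB/s
"""

IDLE_UNITS = {"s": 1, "m": 60, "h": 3600}                 # "h" is assumed; page shows s and m
SPEED_UNITS = {"B/s": 1, "KB/s": 1024, "MB/s": 1024 ** 2}  # KB/s and MB/s are assumed

# One display row: IPv4-style "host:port" pairs as shown in the article.
ROW_RE = re.compile(
    r"^\s*(?P<chost>\S+):(?P<cport>\d+)\s+"
    r"(?P<shost>\S+):(?P<sport>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<idle>\d+)(?P<iunit>[smh])\s+"
    r"(?P<speed>[\d.]+)\s+(?P<sunit>[KM]?B/s)\s*$"
)

@dataclass
class Connection:
    client: str
    client_port: int
    server: str
    server_port: int
    state: str
    idle_seconds: int
    bytes_per_second: float

def parse_display(text: str) -> list[Connection]:
    """Parse tcptrack display rows; the header and unrecognised lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        conns.append(Connection(
            m["chost"], int(m["cport"]), m["shost"], int(m["sport"]), m["state"],
            int(m["idle"]) * IDLE_UNITS[m["iunit"]],
            float(m["speed"]) * SPEED_UNITS[m["sunit"]],
        ))
    return conns

def dst_port(conns: list[Connection], port: int) -> list[Connection]:
    """The same selection as tcptrack's "dst port N" filter, applied to parsed rows."""
    return [c for c in conns if c.server_port == port]
```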

For more details on the available filter language your best option is to read the tcpdump manpage - if you install tcpdump you'll be able to consult that with "man tcpdump".

If you don't wish to install tcpdump just to read the documentation then you can find the tcpdump manpage online here. (Although this link might break in the future.)

tcptrack has a few more useful command line switches - to view those consult the manpage with "man tcptrack".


Re: Monitoring active network connections with tcptrack
Posted by DaveV (24.8.xx.xx) on Sat 20 Aug 2005 at 14:40
Another good tool for watching active tcp sessions is iftop.

Website: http://www.ex-parrot.com/~pdw/iftop/
Screenshot: http://www.ex-parrot.com/~pdw/iftop/iftop_normal.png

Enjoy!


Re: Monitoring active network connections with tcptrack
Posted by analogue (82.227.xx.xx) on Sat 20 Aug 2005 at 15:08
tcptrack and iftop are pretty cool, thanks for the advice ;)


Re: Monitoring active network connections with tcptrack
Posted by azathoth (220.240.xx.xx) on Sun 21 Aug 2005 at 01:15
ettercap is also extremely useful, you can even peek inside the packets being sent (and also alter them, but that's a different story).


Etherape
Posted by Anonymous (68.13.xx.xx) on Sun 21 Aug 2005 at 03:55
For a very cool graphical equivalent, try etherape (apt-get install etherape).


Re: Monitoring active network connections with tcptrack
Posted by daemon (196.25.xx.xx) on Sun 21 Aug 2005 at 15:34
For the last commandline example:
tcptrack -i 80 "dst port 80"

don't you mean:
tcptrack -i eth0 "dst port 80"

Otherwise, it looks like a nice little app to add to my toolbox ;-)


Re: Monitoring active network connections with tcptrack
Posted by Steve (82.41.xx.xx) on Sun 21 Aug 2005 at 15:40

Indeed, well spotted.

Steve
-- Steve.org.uk


Re: Monitoring active network connections with tcptrack
Posted by dkg (216.254.xx.xx) on Fri 26 Aug 2005 at 05:42
consider also iptraf, which seems to be nicely supported in debian.


Re: Monitoring active network connections with tcptrack
Posted by suspended user ashrafulkarim (85.19.xx.xx) on Thu 4 Jun 2009 at 16:45
Hi,
I want to track down when a network change occurs using Java/C++ code or a script. So, any event that is triggered and can be captured is of interest, and how can I check the event programmatically?
For example, a computer has wifi, a 3G modem, and a satellite connection. I want to track which connections are now available, and switch to a preferred connection.
Thanks in advance for helping. Please let me know how it can be done.

ashraf
