Difference between revisions of "Network/Tools"

From LunaSys

Revision as of 13:07, 21 March 2012

Nice commands

taken from:

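- http://www.cyberciti.biz/tips/linux-investigate-sockets-network-connections.html
- http://www.cyberciti.biz/tips/netstat-command-tutorial-examples.html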

netstat

Useful for finding out whether your server is under attack. You can also list abusive IP addresses using this method. The first command counts connections by TCP state:

# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n

Dig out more information about a specific IP address:

# netstat -nat | grep {IP-address} | awk '{print $6}' | sort | uniq -c | sort -n

To print a list of all unique IP addresses connected to the server, enter (the output must be sorted first, because uniq only collapses adjacent duplicates):

# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort -u

If you think your Linux box is under attack, print a list of open connections on your box, counted per remote IP address and sorted by that count:

# netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq -c | sort -n
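
An added example (not from the original page or its sources): the per-IP count above as POSIX shell functions that skip netstat's header and listener rows and strip only the trailing port, so IPv6 peers are not truncated the way `cut -d: -f1` truncates them. The function names and the sample data (documentation address ranges) are constructed for illustration.

```shell
#!/bin/sh
# Count connections per remote address from `netstat -atun`-style output.
# Hypothetical helper names; sample input below is constructed.

# count_remote_peers: read netstat output on stdin, print "COUNT ADDRESS"
# lines sorted by count ascending (busiest peer last).
count_remote_peers() {
    awk '
        # Only socket rows: first column is tcp, tcp6, udp or udp6.
        $1 ~ /^(tcp|udp)6?$/ {
            peer = $5
            sub(/:[^:]*$/, "", peer)   # drop the trailing :port only
            # Listening sockets have a wildcard peer; they are not connections.
            if (peer == "0.0.0.0" || peer == "::" || peer == "*") next
            print peer
        }' | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# flag_peers LIMIT: print addresses holding at least LIMIT connections.
flag_peers() {
    count_remote_peers | awk -v limit="$1" '$1 >= limit {print $2}'
}

# Constructed sample of `netstat -atun` output (RFC 5737 / RFC 3849 addresses).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51514      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51515      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51516      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:40022       ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 2001:db8::10:80         2001:db8::beef:55100    ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

sample_netstat | count_remote_peers
```

On a live host, replace `sample_netstat` with `netstat -atun`; `flag_peers 3` then lists only the peers at or above three connections.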

ss

Display Sockets Summary

# ss -s

Display All Open Network Ports

# ss -l

Display All TCP Sockets

# ss -t -a

Display All UDP Sockets

# ss -u -a

Display All Established SMTP Connections

# ss -o state established '( dport = :smtp or sport = :smtp )'

Display All Established HTTP Connections

# ss -o state established '( dport = :http or sport = :http )'

Find All Local Processes Connected To X Server

# ss -x src /tmp/.X11-unix/*

List all the TCP sockets in state FIN-WAIT-1 for our httpd to network 202.54.1/24 and look at their timers:

# ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 202.54.1/24

How Do I Filter Sockets Using TCP States?

## tcp ipv4 ##
ss -4 state FILTER-NAME-HERE
## tcp ipv6 ##
ss -6 state FILTER-NAME-HERE

How Do I Match Remote Addresses And Port Numbers?

ss dst ADDRESS_PATTERN
## Show all ports connected from remote 192.168.1.5 ##
ss dst 192.168.1.5
## Show all ports connected from remote 192.168.1.5:http port ##
ss dst 192.168.1.5:http
ss dst 192.168.1.5:smtp
ss dst 192.168.1.5:443