collecting connection data

May 19, 2011

Let’s say I want to collect the following info on a set of servers locally to the system:

– any tcp or udp connection (in or out) and the source and dest ports – but only to or from a specific set of hosts.

– uniqued so I don’t have more than one copy of any connection

what would be the least invasive way to do that? I thought of something like tcpdump – but that seems expensive. I also thought about trying to do something like it with iptables logging – but I’m not sure how much control I can get from the output of the logs.

thoughts?

4 Responses to “collecting connection data”

  1. Alastair Neil Says:

    possibly netstat -paunt
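The question above asks for a cheap way to collect unique TCP/UDP connections to or from a fixed set of hosts, and the first reply suggests `netstat -paunt`. The following is an added example (not code from the post or its commenters) of the polling approach: a shell function that reads `netstat -paunt` output, keeps only rows where the local or foreign host is in a watch list, drops listening sockets, and emits one line per unique (proto, local host, local port, remote host, remote port). The `WATCH_HOSTS` list, the `sample_netstat` input and the `--live`/`--demo` switches are assumptions for this example. The caveat of polling is that any connection that opens and closes between two samples is never seen, which is the gap a hook-based approach like systemtap or conntrack closes.

```shell
#!/bin/sh
# Added example: dedupe netstat -paunt output down to connections involving a
# watched set of hosts. Assumes the Linux net-tools column layout:
#   Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program
# `-p` only shows other users' PIDs when run as root; the parser does not rely on it.

# Hosts of interest (assumed values for the example).
WATCH_HOSTS="10.0.0.5 10.0.0.6"

# unique_connections: stdin = netstat -paunt output, stdout = unique 5-tuples.
unique_connections() {
    awk -v hosts="$WATCH_HOSTS" '
    BEGIN { n = split(hosts, h, " "); for (i = 1; i <= n; i++) watch[h[i]] = 1 }
    # only tcp/udp (and tcp6/udp6) rows; headers and other lines are skipped
    $1 ~ /^(tcp|udp)6?$/ {
        proto = $1; laddr = $4; raddr = $5
        # split on the LAST colon so IPv6 literals such as ::1:443 stay intact
        li = match(laddr, /:[0-9*]+$/); ri = match(raddr, /:[0-9*]+$/)
        if (!li || !ri) next
        lhost = substr(laddr, 1, li - 1); lport = substr(laddr, li + 1)
        rhost = substr(raddr, 1, ri - 1); rport = substr(raddr, ri + 1)
        if (rport == "*") next                 # listening/unbound socket, not a connection
        if (!(lhost in watch) && !(rhost in watch)) next
        key = proto " " lhost " " lport " " rhost " " rport
        if (!(key in seen)) { seen[key] = 1; print key }   # uniqued
    }'
}

# sample_netstat: constructed netstat -paunt output used for an offline run.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.168.1.20:22         10.0.0.5:51234          ESTABLISHED 2107/sshd: ops
tcp        0      0 192.168.1.20:22         10.0.0.5:51234          ESTABLISHED 2107/sshd: ops
tcp        0      0 192.168.1.20:44010      10.0.0.6:443            ESTABLISHED 2311/curl
tcp        0      0 192.168.1.20:44012      203.0.113.9:443         TIME_WAIT   -
udp        0      0 192.168.1.20:52000      10.0.0.6:53             ESTABLISHED 2402/dig
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
EOF
}

# collect_live: one sample from the running system. Run it from cron or a loop
# and merge samples with `sort -u` into a state file to keep the set unique
# across polls, e.g. `collect_live >> conns.log && sort -u -o conns.log conns.log`.
collect_live() {
    netstat -paunt 2>/dev/null | unique_connections
}

case "${1:-}" in
    --live) collect_live ;;
    --demo) sample_netstat | unique_connections ;;
esac
```

On the sample input, the duplicated sshd row collapses to one line, the `0.0.0.0:*` listeners are dropped, and the connection to 203.0.113.9 is excluded because neither end is in `WATCH_HOSTS`, leaving three tuples.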

  2. James Says:

    Hmmm … looks like they just copy&pasted that from serverfault, so linking there:

    http://serverfault.com/questions/122040/log-every-ip-connecting-on-a-system-with-iptables

  3. Patrick Says:

    Systemtap hooks on connect and accept (tcp) and send and recv (udp). I can help you find the relevant functions if need be. Nicest thing about this approach is it gives you the pid of the relevant processes.

