
Monitor TCP connections/traffic with tcptrack on RHEL/CentOS 5.x February 12, 2011

Posted by Tournas Dimitrios in Linux admin tools.

tcptrack is a sniffer which displays information about TCP connections it sees on a network interface. It passively watches for connections on the network interface, keeps track of their state and displays a list of connections in a manner similar to the unix ‘top’ command. It displays source and destination addresses and ports, connection state, idle time, and bandwidth usage.

Download the tcptrack RPM from http://packages.sw.be/tcptrack/ by selecting your OS and architecture:

Quick how-to install via rpm:

  1. cd /tmp
  2. wget http://packages.sw.be/tcptrack/tcptrack-1.1.5-1.2.el5.rf.i386.rpm
  3. rpm -ivh tcptrack-xxxxx.i386.rpm

Command line options

  • -d – Only track connections that were started after tcptrack was started. Do not try to detect existing connections.
  • -f – Enable fast average recalculation. tcptrack will calculate the average speeds of connections by using a running average. tcptrack will use more memory and CPU time, but averages will seem closer to real time, will be updated more than once per second and may be more accurate under heavy load. The number of times per second that averages are recalculated in fast mode is a compile-time setting that defaults to 10 times per second.
  • -i [eth0] – Sniff packets from the specified network interface.
  • -P – Do not put the interface being sniffed into promiscuous mode.
  • -r [seconds] – Wait this many seconds before removing a closed connection from the display. Defaults to 2 seconds. See also the pause interactive command (below).
  • -v – Display the tcptrack version.
  • -h – Display command line help.

Interactive options

  • p – Pause/unpause display. No new connections will be added to the display, and all currently (on a very busy server this option is very handy)
  • q – Exit tcptrack
  • s – Cycle through the sorting options

Basic usage:

  • tcptrack -i "interface name"
  • tcptrack -i eth0 "dst port 80"
  • tcptrack -i eth0 src or dst 87.xx.xx.18

For more details on the available filter language, your best option is to read the tcpdump manpage: if you install tcpdump you can consult it with "man tcpdump". If you don't wish to install tcpdump just to read the documentation, you can find the tcpdump manpage online here (although this link might break in the future).

tcptrack -i eth0 src or dst 76.11.22.12
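As an added example (not from this post and not part of tcptrack itself), a small POSIX sh wrapper that validates the port and a trusted-host list, builds the tcpdump-style filter expression described above, and starts tcptrack with -P so the interface is not put into promiscuous mode; the script name and the sample addresses are hypothetical:

```shell
#!/bin/sh
# tcpwatch.sh (hypothetical name): run tcptrack with a validated BPF filter.
# Added example for this post; not tcptrack's own code.

# is_ipv4 HOST: succeed only for a dotted-quad IPv4 address with octets <= 255
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# build_filter PORT [TRUSTED_HOSTS]: print a tcpdump-style expression that
# shows TCP traffic to PORT, minus packets from a comma-separated list of
# trusted source addresses (e.g. your own admin hosts). Fails on bad input.
build_filter() {
    port=$1; trusted=${2:-}
    case $port in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    expr="tcp and dst port $port"
    if [ -n "$trusted" ]; then
        excl=""
        old_ifs=$IFS; IFS=,
        set -- $trusted
        IFS=$old_ifs
        for h in "$@"; do
            is_ipv4 "$h" || return 1
            excl="${excl:+$excl or }src host $h"
        done
        expr="$expr and not ($excl)"
    fi
    printf '%s\n' "$expr"
}

# run_tcptrack IFACE PORT [TRUSTED_HOSTS]: refuse unknown interfaces, then
# exec tcptrack non-promiscuously (-P) so only this host's traffic is shown.
run_tcptrack() {
    iface=$1
    [ -e "/sys/class/net/$iface" ] || { echo "no such interface: $iface" >&2; return 1; }
    filter=$(build_filter "$2" "$3") || { echo "bad port or host list" >&2; return 1; }
    exec tcptrack -P -i "$iface" $filter
}

# usage (needs root for packet capture): ./tcpwatch.sh eth0 80 10.0.0.5,10.0.0.6
if [ "$#" -ge 2 ]; then
    run_tcptrack "$@"
fi
```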
