TCP Connection Viewer or a verbose Netstat??

devmoc · 12-11-2007, 12:44 PM

I'm looking for a Linux utility (command line or GUI) that is capable of telling you the complete domain name of any connections that are made to and from your machine. An added bonus would be a utility that knows what application is making the connections.

Netstat is a problem because it truncates domain names. I'm totally making this up, but if the name is too long it kind of looks like:

www.long.domain.na:www ESTABLISHED

I've tried a few other apps such as IPtraf and some netstat frontends but they all truncate the domain name. Is there anything available that I am describing? Thanks.

anomie · 12-11-2007, 12:49 PM

Quote:

Originally Posted by devmoc

I'm totally making this up, but if the name is too long it kind of looks like:

www.long.domain.na:www ESTABLISHED

Do you have a real example? I don't see the problem with that one in that nothing is being truncated.

You're not resolving service names to service ports, so what you see is domain:port. In this case www == tcp/udp 80.

devmoc · 12-11-2007, 04:26 PM

I'm not at my box right now, that's why I don't have a real example. Think up a long domain name like:

www.this.is.a.very.long.name.com

In netstat it would look something like:

www.this.is.a.ve:www

If you ever run netstat while looking at a numerous webpages or running bittorrent you'll see what I mean.

unSpawn · 12-11-2007, 05:59 PM

If it does what you want you get to keep it.
If it breaks you get to keep both pieces.
* note the "^H" is actually keycombo CTRL+V,CTRL+H

Code:

#!/bin/sh
\netstat -a -n -t -u | egrep '^(t|u)' | while read proto rq sq loc rem state; do 
 port=${rem//*:/}; addr=${rem//:*/}; oldaddr=${addr}; addr=${addr//0.0.0.0none}; 
 [ "$addr" != "none" ] && { addr=($(\host -c IN -t CNAME "${addr}" 2>/dev/null));
 addr=${addr[4]}; addr=${addr//NXDOMAIN/${oldaddr}}; addr=${addr//3(/}; 
 addr=${addr//)/}; echo $proto $loc ${addr}^H:${port}; }
done | column -t
exit 0

devmoc · 12-12-2007, 10:11 AM

unSpawn,

Thanks! I'll try this later today and let you know how it works.

SiegeX · 12-12-2007, 02:39 PM

Or you could just use 'lsof -i -P' It does not have the 18 character limit that netstat does.

devmoc · 12-12-2007, 09:34 PM

Quote:

Originally Posted by SiegeX

Or you could just use 'lsof -i -P' It does not have the 18 character limit that netstat does.

Frickin beautiful..it even shows the application using the connection.. Also, "lsof -iTCP -P" lists just the TCP connections.

unspawn: Your script works too!

Thanks everyone. It never ceases to amaze me how scalable Linux is!

SiegeX · 12-14-2007, 12:58 AM

Quote:

Originally Posted by devmoc

It never ceases to amaze me how scalable Linux is!

Although that is true as well, this is more of a case of flexibility =). lsof is a great tool and it's often under appreciated. lsof can help you figure out what program is locking down a certain file or the reverse, what files a program is using; hence the name (LiSt Open Files). Another thing about lsof is that most root kits don't trojan it, so if you think your computer might be compromised and netstat doesn't show anything funny, try lsof -i, it might just pop up that otherwise hidden connection.