Home / server / Questions / 405647
Accepted
alfish
Asked: 2012-07-08 03:01:39 +0800 CST

How to see incoming IPs in Linux?

  • 772

I am wondering what is the command/utility to have a real-time view of incoming IPs to my server, ideally along with the port and connected.

networking monitoring ip

6 Answers

  1. Best Answer

    Use pktstat -n

    interface: eth0
bps

   bps    % desc
 162.3   0% arp
 286.5   0% llc 802.1d -> 802.1d
 544.3   1% tcp 172.16.1.5:22 <-> 172.16.1.95:8074
 34.0k  87% udp 172.16.1.1:514 <-> 172.16.1.5:514
 350.1   0% udp 172.16.1.5:24330 <-> 209.18.47.62:53
 329.4   0% udp 172.16.1.5:34870 <-> 209.18.47.62:53
 388.3   0% udp 172.16.1.5:4470 <-> 209.18.47.62:53
 407.4   1% udp 172.16.1.5:47008 <-> 209.18.47.62:53
 741.6   1% udp 172.16.1.5:53 <-> 172.16.1.74:43289
 663.6   1% udp 172.16.1.5:53 <-> 172.16.1.74:44589
 647.7   1% udp 172.16.1.5:53 <-> 172.16.1.74:58223
 128.9   0% udp 172.16.1.74:5353 <-> 224.0.0.251:5353
 160.7   0% udp6 fe80::21c:bfff:fecf:a798,5353 <-> ff02::fb,5353

    The pktstat source code is hosted on Debian's site, or you can get it from SourceArchive.com

    • 39

  2. For 'purdy' display, I'm partial to a tool called 'iptraf' that will do just what you mention, as well as per interface, and per port aggregates.

    For core Linux tools, trusty netstat will do the trick...

    • 12

  3. Here is how to see all traffic coming to port 2222:

    tcpdump -ni any port 2222
    • 10

  4. A tcpdump would show you that; if you just wanted a list of IPs, you could filter on SYN packets and only output the source IP address. Something like:

    tcpdump -i eth0 -n 'tcp[tcpflags] & tcp-syn != 0 and not src and dst net localnet' | sed 's/^.*IP \([^ ]*) >.*$/\1/'

    Would get you the list of IPs, in realtime. You could also tee that to a file, and periodically do a sort -u on it to get a list of unique IP addresses that have sent connections your way.

    • 8

  5. You can use last to get an idea where your connections are coming from:

    last | tac

    The results, now in chronological order look like this:

    root     pts/0        xx.yy.zz.1       Fri Jan 31 09:13 - 13:25  (04:11)
root     pts/1        master01-server.ne Fri Jan 31 09:36   still logged in
root     pts/2        xx.yy.zz.1       Fri Jan 31 10:29 - 14:41  (04:11)
root     pts/3        master01-server.ne Fri Jan 31 10:33 - 18:31  (07:58)
root     pts/4        master01-server.ne Fri Jan 31 13:04 - 18:32  (05:28)
root     pts/0        xx.yy.zz.1       Fri Jan 31 13:41 - 16:33  (02:52)
root     pts/0        master01-server.ne Mon Feb  3 08:37   still logged in

    If you want more details, and your sysadmin no longer allows netstat, use ss:

    ss | grep xx.zx.yz.161


tcp    ESTAB      0      0      nnn.mm.oo.6:ssh                  xx.zx.yz.161:49046
tcp    ESTAB      0      0      nnn.mm.oo.6:ssh                  xx.zx.yz.161:54800
    • 4

  6. Once you get the output of one of the commands mentioned in other answers, you can use "watch" tool to have "real-time". For example, "watch -n 5 ps" will do the command "ps" each 5 seconds ("-n" argument). Replace "ps" with the command of interest, and you will get "monitoring". Or, just "tee" on file, as in another suggestion.

    • 0