Netstat extend?

I am writing a simple bash script that only uses netstat.
I would like to know how many connections per port I got.
And how many of them are established / fin_wait / time_wait / and so on.

Something similar with exim queues.

This is a quick n dirty way to check for high traffic or DoS / DDoS attacks on certain services like exim or apache/nginx.

That’s the script output:
[root@lusine ~]# ./netstat.sh
=== Total connections per port ===
25 4
465 0
587 0
80 0
443 34
3306 0
=== Connection states per port ===
Port 25:
4 ESTABLISHED
4 TIME_WAIT
Port 465:
Port 587:
Port 80:
Port 443:
34 ESTABLISHED
2 FIN_WAIT1
1 FIN_WAIT2
6 SYN_RECV
8 TIME_WAIT
Port 3306:
6 TIME_WAIT

And that’s a trigger for better librenms compatibility: (still working on it)

[root@lusine ~]# ./netstat.sh --snmp
<<>>
25/net0/6/5,TIME_WAIT
465/net0/1/
587/net0/1/
80/net0/5/2,TIME_WAIT
443/net0/57/29,ESTABLISHED
3,FIN_WAIT1
1,SYN_RECV
6,TIME_WAIT
3306/net0/17/1,ESTABLISHED
4,TIME_WAIT

to get a $port/$count/$state using an array.
ports=(25 465 587 80 443 3306)

The script:
#!/bin/bash

# Array of ports to monitor
ports=(25 465 587 80 443 3306)

# Function to get the state of connections for a specific port
get_state_for_port() {
    local port="$1"
    # Run netstat command to get a list of connections for the specified port
    netstat -tan | awk -v port="$port" '$4 ~ (":" port "$") && $6 != "LISTEN" {print $6}' | sort | uniq -c
}

# Output data suitable for LibreNMS parsing
librenms_output() {
    local port="$1"
    local count="$2"
    local state="$3"
    # Remove leading and trailing spaces from the state
    state=$(echo "$state" | tr -s ' ' | sed 's/^ *//;s/ *$//')
    # Replace spaces with commas
    state=$(echo "$state" | tr ' ' ',')
    # If state is empty, set it to 'N/A'
    [ -z "$state" ] && state="N/A"
    echo "$port/net0/$count/$state"
}

# Check if the script is run with SNMP output flag
if [[ "$1" == "--snmp" ]]; then
    echo "<<>>"
    # Loop through the ports array
    for port in "${ports[@]}"; do
        # Get the total number of connections for the current port
        count=$(netstat -tan | grep -c ":$port ")
        # Get the state of connections for the current port
        state=$(get_state_for_port "$port")
        # Output the data suitable for LibreNMS
        librenms_output "$port" "$count" "$state"
    done
else
    echo "=== Total connections per port ==="
    # Run netstat command to get a list of connections and filter by established connections
    connection_summary=$(netstat -tan | grep ESTABLISHED | awk '{print $4}' | awk -F':' '{print $NF}' | sort)

    # Loop through the ports array
    for port in "${ports[@]}"; do
        # Count the occurrences of the port in the connection summary
        count=$(echo "$connection_summary" | grep -w "$port" | wc -l)
        # Output the port number and the count of connections, or 0 if no connections
        echo "$port $count"
    done

    echo "=== Connection states per port ==="
    # Loop through the ports array
    for port in "${ports[@]}"; do
        echo "Port $port:"
        # Get the state of connections for the current port
        get_state_for_port "$port"
    done
fi

but still needs a few tweaks to show output 1 port per line.
Would it be possible to make an application for it?
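
One way to get one output line per port from a single netstat pass, as an added example that is not part of the original post. The `;` separator between state pairs, the empty state field for idle ports, and the sample rows (documentation addresses) are assumptions of this example; the post does not give the exact format LibreNMS expects.

```bash
#!/bin/bash
# Added example (not from the original post): one netstat pass, one line per port.
ports="25 465 587 80 443 3306"

# Constructed sample of `netstat -tan` output (documentation addresses only).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:25           198.51.100.7:40112      TIME_WAIT
tcp        0      0 192.0.2.10:443          198.51.100.8:51234      ESTABLISHED
tcp        0      0 192.0.2.10:443          198.51.100.9:51300      ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.5:40000       SYN_RECV
tcp        0      0 192.0.2.10:50022        203.0.113.9:443         ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 2001:db8::10:443        2001:db8::99:55000      TIME_WAIT
EOF
}

# stdin: `netstat -tan` output; arguments: ports to report.
# Prints port/net0/total/count,STATE;count,STATE with an empty state field
# when a port has no connections. The ";" separator is this example's choice.
summarize_ports() {
    awk -v want="$*" '
    BEGIN {
        n  = split(want, plist, " ")
        ns = split("ESTABLISHED SYN_SENT SYN_RECV FIN_WAIT1 FIN_WAIT2 TIME_WAIT CLOSE CLOSE_WAIT LAST_ACK CLOSING", slist, " ")
        for (i = 1; i <= n; i++) watched[plist[i]] = 1
    }
    # TCP rows only: column 4 is the local address, column 6 the state
    $1 ~ /^tcp/ && $6 != "LISTEN" {
        port = $4
        sub(/.*:/, "", port)    # text after the last colon, so IPv6 works too
        if (port in watched) { total[port]++; seen[port, $6]++ }
    }
    END {
        for (i = 1; i <= n; i++) {          # fixed port and state order
            p = plist[i]; states = ""
            for (j = 1; j <= ns; j++)
                if ((p, slist[j]) in seen)
                    states = states (states == "" ? "" : ";") seen[p, slist[j]] "," slist[j]
            printf "%s/net0/%d/%s\n", p, total[p], states
        }
    }'
}

# On a live host: netstat -tan | summarize_ports $ports
sample_netstat | summarize_ports $ports
```

Because the total and the state breakdown come from the same filtered rows, the listening socket and the outbound connection to a remote port 443 are not counted, so the total always equals the sum of the per-state counts.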