lns - show network data
lns [ -t ] [ -c ] [ -w ]
lns is a lightweight network statistics tool. It shows data
in SPACE separated columns and is primarily designed to be used in scripts.
The five columns of lns output are:
- IP remote address
- TCP remote port
- IP local address
- TCP local port
- connection state: the connection state as a number, as shown in /proc/net/tcp[6].
- -c: Suppress normal output. Show total count of connections.
- -t: Suppress normal output. Show up to 3 remote addresses with topmost counts.
- -w: Also count all connections in state 06 / TIME_WAIT.
http://downloads.tuxad.de/
We detect many connections and want to check for a SYN-attack:
- root@localhost > lns -w|sort|uniq -c|sort -n
1 8
18 5
33 6
73 1
root@localhost > grep -C7 TCP_TIME_WAIT /usr/include/netinet/tcp.h
enum
{
TCP_ESTABLISHED = 1,
TCP_SYN_SENT,
TCP_SYN_RECV,
TCP_FIN_WAIT1,
TCP_FIN_WAIT2,
TCP_TIME_WAIT,
TCP_CLOSE,
TCP_CLOSE_WAIT,
TCP_LAST_ACK,
TCP_LISTEN,
TCP_CLOSING /* now a valid state */
};
No, most TCP connections are in state 1 (TCP_ESTABLISHED), and none are in state 3 (TCP_SYN_RECV), the state that accumulates under a SYN attack.
Alternate method for showing more than 3 top addresses:
- root@localhost > lns|awk '{f[$1]++}END{for(g in f)print f[g]" "g}'|sort -n|tail
5 ::ffff:94.126.XXX.YYY
6 ::ffff:194.127.XXX.YYY
6 ::ffff:77.177.XXX.YYY
6 ::ffff:87.160.XXX.YYY
7 ::ffff:195.145.XXX.YYY
7 ::ffff:213.23.XXX.YYY
8 ::ffff:212.144.XXX.YYY
9 ::ffff:164.133.XXX.YYY
16 ::ffff:193.254.XXX.YYY
18 ::ffff:194.126.XXX.YYY
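The state check and the per-address count shown above can be combined in a script that translates state numbers to names and counts half-open connections per remote address. This is an added example, not part of lns or its man page; it assumes the fifth column is the hexadecimal state value from /proc/net/tcp, with or without a leading zero, and the function names and sample addresses are constructed.

```shell
#!/bin/sh
# Added example: summarise lns-style output by TCP state.
# Assumption: column 5 is the /proc/net/tcp state in hex ("3" or "03").

# Constructed sample in the five-column lns format (documentation addresses).
sample_lns() {
cat <<'EOF'
198.51.100.7 51514 192.0.2.10 80 1
198.51.100.7 51515 192.0.2.10 80 1
203.0.113.9 40000 192.0.2.10 80 3
203.0.113.9 40001 192.0.2.10 80 03
203.0.113.9 40002 192.0.2.10 80 3
198.51.100.8 33000 192.0.2.10 443 6
198.51.100.9 33100 192.0.2.10 443 8
EOF
}

# Print "<count> <state name>" per state, lowest count first.
state_summary() {
  awk '
    BEGIN {
      states = "ESTABLISHED SYN_SENT SYN_RECV FIN_WAIT1 FIN_WAIT2 TIME_WAIT"
      states = states " CLOSE CLOSE_WAIT LAST_ACK LISTEN CLOSING"
      n = split(states, name, " ")
      hex = "123456789AB"   # state values 1..11 as single hex digits
      for (i = 1; i <= n; i++) byhex[substr(hex, i, 1)] = "TCP_" name[i]
    }
    NF >= 5 {
      s = toupper($5); sub(/^0+/, "", s)
      if (s in byhex) c[byhex[s]]++; else c["UNKNOWN_" $5]++
    }
    END { for (k in c) print c[k], k }
  ' | sort -n
}

# Count half-open connections (state 3, TCP_SYN_RECV) per remote address.
syn_recv_by_remote() {
  awk '{ s = $5; sub(/^0+/, "", s) }
       s == "3" { f[$1]++ }
       END { for (g in f) print f[g], g }' | sort -n
}

# Integer percentage of all listed connections that are in TCP_SYN_RECV.
syn_recv_share() {
  awk '{ s = $5; sub(/^0+/, "", s); t++ } s == "3" { h++ }
       END { if (t) printf "%d\n", 100 * h / t; else print 0 }'
}

sample_lns | state_summary
sample_lns | syn_recv_by_remote
```

On a live host, pipe `lns -w` into the functions instead of `sample_lns`.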
Frank Bergmann, http://www.tuxad.com